New findings have highlighted a significant security risk in the DOS-to-NT path conversion process in Windows, which can be exploited to gain rootkit-like capabilities without administrative privileges. Presented by SafeBreach’s Or Yair at the Black Hat Asia conference, this vulnerability arises when DOS paths are converted to NT paths, a process during which Windows removes trailing dots and spaces. This seemingly benign action can be weaponized to enable a range of malicious activities, allowing threat actors to hide files, manipulate process displays, and even make malicious files appear as legitimate Microsoft verified executables.
The vulnerabilities associated with these conversion flaws have broader implications, including hiding processes, affecting file prefetch analysis in Windows, and disabling tools like Process Explorer through DoS attacks. Moreover, attackers can leverage these paths to hide malicious content in archives, effectively bypassing conventional security measures and remaining undetected. This enables a wide array of malicious actions to be conducted silently, making it particularly dangerous for systems that rely solely on user-space APIs for security checks.
In addition to the discovery of these rootkit-like capabilities, researchers have identified four specific security vulnerabilities linked to the conversion process. These include an elevation of privilege (EoP) deletion vulnerability, an EoP write vulnerability that allows unauthorized file modifications via volume shadow copies, a remote code execution (RCE) vulnerability through crafted archives, and a denial of service (DoS) vulnerability affecting Process Explorer. While Microsoft has addressed three of these issues, one remains to be fixed in future releases, highlighting ongoing security risks.
