Windows File Pseudonyms

ShmooCon VI - 2010

Presented by: Roger G. Johnston
Date: Friday February 05, 2010
Time: 17:30 - 18:00
Location: Back Room
Track: One Track Mind

In Windows systems, path and filename normalization routines have some interesting quirks. One file can be referred to with many different filepaths; some are well known, and some are not. The lesser known ways to refer to files are not often considered when designing security mechanisms. By referring to files in these strange ways one can, in many circumstances, cause unexpected behaviour in systems which do not account for alternate prefixes, aliases and mangled versions of filenames. In this presentation, I will show some of these quirks with a live demonstration on real products and how techniques based on these quirks can be used to bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier.

Dan Crowley

Dan is an independent researcher and lecturer, and also works for Core Security Technologies. Most of his free time is spent playing around with Web-based technologies or locks. Dan was the winner of the "Gringo Warrior" lock bypass competition at ShmooCon V and plans to compete again at ShmooCon VI.

