The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

Originally Published on this site
The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by just basic assumptions on case-sensitiveness during development.

In this 3rd post we focus on the “confusion” technique, where even though the technique is already known (Medium / Tyranidslair), the ramifications of these effects have not all been analyzed yet.

Going back to normalization, some Win32 API’s remove trailing whitespaces (and other special characters) from the path name.

As mentioned in the last publication, the normalization can, in some cases, provide the wrong result.

The common scenario that could be used as “bait” for the user to click, and even to hide what is seen, is to create a directory with the same name ending with a whitespace.

A very trivial example “That’s not my notepad…..”:

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

Open task manager, Right click on the “notepad” with putty icon -> Properties. (The properties were read from the “non-trailing-space” binary)

Open Explorer on “C:Windows “; it will generate the illusion that the original files (from the folder without trailing whitespace) are there. This will happen for any folder/file not present in the whitespace version.

Screenshots opening a McAfee Agent Folder:

Both folders opened; note that the whitespace version does not have any .dll or additional .exe but Explorer renders the missing files from the “normalized – non-whitespace directory”.

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

Trying to open the dll…

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

Getting properties from task manager will fetch those from the normalized folder path, that means you can be tricked to think it is a trusted app.

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

Watch the video recorded by our expert Cedric Cochin illustrating this technique:

Related Links / Blogs:

https://tyranidslair.blogspot.com/2019/02/ntfs-case-sensitivity-on-windows.html

https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e

The post The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? appeared first on McAfee Blogs.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.


vox-messenger-secure-corpLogo-60x60

End-2-End Encrypted. Secure. Ad-Free.
Lightweight and Faster than the Competition.

Vox Messenger is a secure alternative to other popular chat messenger apps.

Available for Free. Whitelabel Corporate Edition Coming Soon.

All Rights Reserved - Copyright @ 2018 - Vox Messenger (a Division of Kryotech Ltd.)