]You can create trojan directories in all lowercase, which will in some cases be accessed before the Mixed case directories and files NT likes to create.
Paul Ashton <paul@ARGO.DEMON.CO.UK>
This has the potential to cause an administrator level compromise.
Windoze NT 4.0
4 July 1997
Paul Ashton also suggested the idea of creating a trojan parallel help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also not that the POSIX subsystem doesn't need to be installed. You can create a files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SAMANTICS flag specified (also noted by Paul Ashton).
Date: Fri, 4 Jul 1997 19:09:58 +0100
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Subject: Files with the same name
It appears to be very difficult to use NT without giving at least
ADD access to \WINNT.
The POSIX subsystem allows files and directories to exist with the
same name and different case, let's say Profiles and profiles.
The win32 subsystem appears to use the lower case version before
the mixed case one.
Therefore anybody can create a shadow directory of the real one
with trojan versions of the same files and have them used in
preference to the real one.
Solution? Change all your files and directories to lower case?
Don't allow anything more than read access to any shared directory?
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: