NT case insensitive filename problems

Summary
Description: You can create trojan directories in all lowercase, which will in some cases be accessed before the mixed-case directories and files NT likes to create.
Author: Paul Ashton <paul@ARGO.DEMON.CO.UK>
Compromise: This has the potential to cause an administrator-level compromise.
Vulnerable Systems: Windoze NT 4.0
Date: 4 July 1997
Notes: Paul Ashton also suggested the idea of creating a trojan parallel help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also note that the POSIX subsystem doesn't need to be installed. You can create files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SEMANTICS flag specified (also noted by Paul Ashton).
Details


Date: Fri, 4 Jul 1997 19:09:58 +0100
From: Paul Ashton <paul@ARGO.DEMON.CO.UK>
To: NTBUGTRAQ@RC.ON.CA
Subject: Files with the same name

It appears to be very difficult to use NT without giving at least
ADD access to \WINNT.

The POSIX subsystem allows files and directories to exist with the
same name and different case, let's say Profiles and profiles.

The win32 subsystem appears to use the lower case version before
the mixed case one.

Therefore anybody can create a shadow directory of the real one
with trojan versions of the same files and have them used in
preference to the real one.

Solution? Change all your files and directories to lower case?
Don't allow anything more than read access to any shared directory?

Paul
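
A defensive audit for the condition described in the post, added here as an example (not code from Paul Ashton or the original page): it walks a directory tree and reports entries in the same directory whose names differ only by case, flagging the all-lowercase one the post says is used first. The function names and the sample listing are constructed for illustration, and upper-casing only approximates NTFS case folding.

```python
import os
import sys
from collections import defaultdict


def collisions_in(names):
    """Return groups of names that differ only by letter case.

    Upper-casing approximates NTFS case folding (NTFS uses its own
    upcase table); this is an assumption that holds for ASCII names.
    """
    groups = defaultdict(list)
    for name in names:
        groups[name.upper()].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def audit_tree(root):
    """Walk root and return (directory, colliding_names, lowercase_names)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for group in collisions_in(dirnames + filenames):
            # The post reports the all-lowercase name is used first, so
            # flag those entries as the ones to inspect.
            shadows = [n for n in group if n == n.lower()]
            findings.append((dirpath, group, shadows))
    return findings


if __name__ == "__main__":
    # Constructed sample listing, used when no directory is given.
    sample = ["Profiles", "profiles", "Help", "system32", "System32", "repair"]
    if len(sys.argv) > 1:
        for dirpath, group, shadows in audit_tree(sys.argv[1]):
            print(f"{dirpath}: {group} (lowercase: {shadows})")
    else:
        print(collisions_in(sample))
```

Run it with a directory argument (for example the system root) to list every case-colliding pair; an empty result means no same-name entries were found in the tree.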

This page is part of Fyodor's exploit world.