Most Windows file system vulnerabilities are related to improperly set permissions. However, there have been other notable vulnerabilities and exploits. The following are the most common.

Permissions

This is by far the biggest file-system-related security problem. By default, the Everyone group can read a share, and the Users group can read a folder or file. This means insiders could use tools like FileLocator Pro, Agent Ransack, or Effective File Search to search the network for files with sensitive information. Additionally, a tool like NTFSDOS can be used along with physical access to the machine to bypass NTFS permissions.

You can also use Metasploit module post/windows/gather/file_from_raw_ntfs to bypass some restrictions such as locks on open files. This allows the attacker to retrieve otherwise uncopyable files such as the Active Directory database ntds.dit.

Alternate Data Streams (ADS)

Microsoft included ADS in the NTFS file system for compatibility with the Macintosh HFS file system. It can be abused, however, because you can use it to hide files in the file system. The drive might report less free space, but the hidden files cannot be viewed or listed through normal means.

A simple example of using ADS is:

C:\>echo "Super secret info" > test.txt:hidden.txt

This creates an empty file called test.txt, while simultaneously creating a hidden file called hidden.txt. The hidden file has the secret message. To view the secret message, you could use a text editor; for example:

C:\>notepad.exe test.txt:hidden.txt

You can use this to hide whole video files if desired.

You can also use tools such as LADS, Streams, or PowerShell Get-Item and Set-Content cmdlets to create, view, and manipulate ADS files.
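For review purposes, `dir /r` (Windows Vista and later) also lists named streams beneath each file. The following Python sketch is an added example, not part of the original text: it parses a constructed English-locale `dir /r` listing and reports every named stream except those on an assumed allowlist (`Zone.Identifier`, which Windows writes on downloaded files). The sample listing and the function name `find_streams` are illustrative.

```python
import re

# Constructed `dir /r` output for illustration; not captured from a real host.
SAMPLE_DIR_R = r"""
 Directory of C:\temp

01/01/2024  10:00 AM                 0 test.txt
                                    22 test.txt:hidden.txt:$DATA
01/01/2024  10:05 AM             1,024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)          1,024 bytes

 Directory of C:\temp\media

01/01/2024  10:07 AM               512 notes.txt
                            73,400,320 notes.txt:clip.mp4:$DATA
"""

# Assumed allowlist of streams Windows itself writes (lower-case names).
EXPECTED_STREAMS = {"zone.identifier"}

# Stream rows have no date column: "<size> <file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

def find_streams(listing):
    """Return (full_path, stream_name, size_bytes) for each unexpected named stream."""
    current_dir, hits = "", []
    for line in listing.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group(1)  # remember which folder the rows belong to
            continue
        s = STREAM_LINE.match(line)
        if s and s.group(3).lower() not in EXPECTED_STREAMS:
            size = int(s.group(1).replace(",", ""))
            hits.append((current_dir + "\\" + s.group(2), s.group(3), size))
    return hits

if __name__ == "__main__":
    for path, stream, size in find_streams(SAMPLE_DIR_R):
        print(f"{path} has stream '{stream}' ({size} bytes)")
```

A large stream attached to a small or empty host file, as with the constructed notes.txt entry, is the pattern worth a closer look.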

Unquoted Service Paths

This is potentially a very powerful vulnerability. It takes advantage of file paths that have spaces in the names, and can be used to hijack DLLs and other executables. Consider the following example:

C:\Gaming Group\coolgames\mygame.exe

The path has a space between Gaming and Group. If this path is not surrounded by quotes (that is, not written as "C:\Gaming Group\coolgames\mygame.exe"), then Windows will stop at the space to see if it can execute the name before the space. In this case, Windows would try to launch an executable named C:\Gaming.exe.

A variant of this is DLL hijacking, in which the path to any DLLs called by the application could be abused in a similar manner. If the application is a service that starts with Local System privilege, then your malicious version can do just about anything because it too would start with that privilege level.

You can search for services that have this vulnerability using:

  • Metasploit module exploit/windows/local/trusted_service_path
  • PowerSploit Get-ServiceUnquoted cmdlet
  • WMIC query: wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Note: For more information on unquoted service paths, see https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ and https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
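To audit an exported service inventory offline, the following Python sketch (an added example, not part of the original text) flags unquoted service paths that contain a space and lists, in order, the locations Windows would try for each. The sample services are constructed, the function names are illustrative, and treating the first ".exe" as the end of the executable is a heuristic assumption for separating arguments.

```python
import re

# Constructed sample inventory (name, start mode, path), shaped like the
# columns returned by the WMIC query above. Not taken from a real host.
SAMPLE_SERVICES = [
    ("CoolGames", "Auto", r"C:\Gaming Group\coolgames\mygame.exe"),
    ("CoolGamesQuoted", "Auto", r'"C:\Gaming Group\coolgames\mygame.exe" -svc'),
    ("Spooler", "Auto", r"C:\Windows\System32\spoolsv.exe"),
    ("Updater", "Manual", r"C:\Program Files\Acme Tools\upd.exe /run now"),
]

def executable_part(image_path):
    """Return the executable portion of an unquoted path, or None if quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    # Heuristic: the executable ends at the first ".exe"; the rest is arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    return m.group(1) if m else path

def lookup_order(exe_path):
    """Locations tried in order when an unquoted path is split at each space."""
    tried = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    tried.append(exe_path)  # the intended executable is tried last
    return tried

def audit(services):
    """Map each affected service name to the ordered locations Windows tries."""
    findings = {}
    for name, _start_mode, image_path in services:
        exe = executable_part(image_path)
        if exe and " " in exe:
            findings[name] = lookup_order(exe)
    return findings

if __name__ == "__main__":
    for name, order in audit(SAMPLE_SERVICES).items():
        print(name)
        for candidate in order:
            print("   ", candidate)
```

Quoting the service path removes the finding. Until that is done, every location listed ahead of the real executable should be checked to confirm that unprivileged users cannot write to it.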

Weak or Nonexistent Encryption

Historically, Windows files were not encrypted by default. They might have permissions that require SYSTEM privilege, or be in a format that you can't open with a text editor, or have their data hashed or encrypted, but the files themselves were not encrypted. There have been several attempts to correct this:

  • NTFS encryption—Encrypts NTFS access to files and folders. Can be bypassed using tools like ER Commander and NTFSDOS.
  • SYSKEY to encrypt the SAM—A special boot disk such as Ultimate Boot CD for Windows or Offline NT Password & Registry Editor can delete it.
  • Encrypting File System (EFS)—Uses multiple keys to encrypt/decrypt files. Only works on that local file system. Encrypted files that are transmitted across the network, or copied to an unencrypted location, are unencrypted before they are copied or sent. Some commercial tools also dump the file from memory. If the system crashes while you are working on an encrypted file, a cleartext version of the file is saved in the crashdump.
  • BitLocker—Encrypts the whole drive. Files on the drive stay encrypted, even in use. Data from the files, however, are decrypted as they are loaded into memory. There are commercial forensics tools that can be used to dump loaded content from RAM.

Code Vulnerabilities

Here are some common code vulnerabilities:

  • NTFS 3.1 Master File Table DoS Exploit—Currently no CVE. This exploits a vulnerability in the Windows Master File Table. Specially crafted HTML will cause a browser to try to access a non-existent file. The browser will hang and then the entire system will become unresponsive. Affects Windows XP - 8.1. https://www.exploit-db.com/exploits/42253/
  • Windows 10 NTFS Owner/Mandatory Label Privilege Bypass Escalation of Privilege Exploit—CVE-2018-0748. Circumvents security checks allowing a non-admin user to set the security descriptor on a file with non-standard values. https://www.exploit-db.com/exploits/43514/
  • Windows NTFS DoS Exploit—Currently no CVE. This exploit generates a Blue Screen of Death using a handcrafted NTFS image. Affects Windows XP through 10, Server 2012 R2. https://github.com/mtivadar/windows10_ntfs_crash_dos

Note: There are currently additional Windows file system code vulnerabilities, but as yet no exploits for them have been found in the wild.