On Windows systems, path and filename normalization routines have some interesting quirks. One file can be referred to by many different file paths; some are well known, and some are not. The lesser-known ways to refer to files are not often considered when designing security mechanisms. By referring to files in these strange ways, one can in many circumstances cause unexpected behaviour in systems that do not account for alternate prefixes, aliases and mangled versions of filenames. In this presentation, I will show some of these quirks with a live demonstration on real products, and show how techniques based on them can be used to bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute-force attacks to enumerate files easier.
Dan is an independent researcher and lecturer, and also works for Core Security Technologies. Most of his free time is spent playing around with Web-based technologies or locks. Dan was the winner of the “Gringo Warrior” lock bypass competition at Shmoocon V and will be speaking at Shmoocon VI.