Windows file system exploitation at ShmooCon

At ShmooCon 2010 tomorrow, Core Security researcher Dan Crowley will demonstrate how features not widely known in Windows path and filename normalization routines cause unexpected behavior and allow for potential attacks.

Crowley will specifically highlight how an attacker may be able use the technique to bypass filters, access control lists, intrusion detection systems and other defensive mechanisms, as well as alter the way that files are handled and processed, and make brute force attacks to enumerate files far more easily.

“The devil really is in the details here,” said Crowley. “And with incomplete and sometimes vague documentation and the lack of source code available for an operating system that has been built and changed over the course of close to two decades now, there are lots and lots of details, most of which need to be understood before appropriate security mechanisms can be designed.”