Vulnerability exploits the distinction between DOS and NT paths
When somebody is requested to kind the trail to a file on a Home windows system, they’re prone to kind one thing of the shape C:directorysubdirectoryfile.txt. This is named a DOS-style file path and has been the commonest strategy to symbolize a file’s location ever because the first Home windows model. It nonetheless stays a typical means that many functions deal with information on Home windows after they need to carry out operations on them.
Nevertheless, ever since Home windows NT there’s one other strategy to symbolize file paths. The NT path equal of the above DOS path could be ??C:directorysubdirectoryfile.txt. You may suppose that’s not a lot of a distinction, and for this specific instance, you’d be proper, however what really occurs is that NT Paths help Unicode, so a bigger variety of characters, in comparison with DOS paths that solely help the ANSI character set.
The difficulty is that WindowsAPI file operation capabilities, which many functions comparable to CreateFile name, really work with NT Paths. If introduced with a DOS path, they may first convert it to an NT Path utilizing a operate referred to as RtlpDosPathNameToRelativeNtPathName. There are a lot of guidelines utilized to this conversion, however two which might be related for Yair’s analysis are the removing of trailing dots from any of the trail parts and the removing of empty house trailing the final aspect.
