Windows Filesystem: How to Hide the Destination of a Directory Junction

Directory junctions are critical NTFS features on Windows that hide security vulnerabilities from would-be attackers. Junctions can help in creating symbolic links using normal privileges.

The best vulnerability that can exploit directory junctions is the AVGater, which works by abusing the ability of users to restore dangerous files that antivirus products have quarantined.

For example, the vulnerability can take place when a file is placed inside a folder X, and the antivirus solution marks the file as a virus, and moves it to the quarantine folder.

Thereafter, if the previously quarantined file is restored, the attacker can trick it into an arbitrary directory, which is not its original location.

The attacker can transfer the quarantined file to a hidden location on the host system, leading to abuse of the SYSTEM permissions and causing extensive damages.

Directory junctions can be misused if the target has time-of-check to time-of-use (TOCTOU) vulnerabilities.

You can also create a directory junction using the mklink utility, alongside the /J argument. It will now be possible to combine this with the ::$INDEX_ALLOCATION trick to create a directory junction with the name “…”

As you can see on the example above, the first directory was created using the normal name, which explains why destination is correctly shown in the dir output.

In the second junction, the target is absent and shown as […]. You can have your first junction to point to the second one, which also points to the third junction—until the last one points to the actual destination.

The paths are obviously confused; you can enter the junction using cd …\…\ that must be inside the System 32 folder. Remember the directory will point to C:\Test\

With the dir command, you can output files found on the System32 folder. The first command above created the Hello.bat file in C:\Test\

From the screenshot above, the Hello.bat command is shown to come from the current directory (.\). It will execute to its content, not what is contained in the C:\Windows\System32\hello.bat.

Since you can set up folders in any way, this can be applied to bypass application whitelisting programs using white scripted files.

This way, hiding the destination of a directory junction becomes possible.

Do you want to prevent unauthorized deletion of directory objects or something similar to this problem?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *