SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/

#MagicDot #CVE_2023_42757 #CVE_2023_32054 #CVE_2023_36396