2.3.3.2 8.3 Naming Conventions

Briefly, the term "8.3 naming convention" harkens back to the days of old, when MS-DOS only permitted filenames of the form AAAAAAAA.BBB (that is, up to 8 characters, followed by a period, followed by up to 3 more). Later, Microsoft introduced long file names, but kept in Windows the ability to refer to each file by a short, or 8.3, name. For example, you might see a folder called Program Files on a Windows system. Its 8.3 name is typically PROGRA~1. Windows knows how to translate from one name to the other, and will accept either name when accessing that folder. Why? This is done to maintain compatibility with (the now nearly 10 years old) application programs which were written in the old 8.3 days, and only understand file names if they're in the 8.3 format.

The fact that some programs still truncate file names to fit this convention (particularly the suffix, the 3 characters) has occasionally been used by crackers to sneak by an access control rule, getting it to allow access to a file which should not be accessible. The rule checks for access to a file under one name (either the long or the 8.3 name), and the actual access occurs to the OTHER file, due to a bug in the program's code.

Additionally, Windows filenames are not limited to containing a single "." followed by a three-letter extension. A filename like my.doc.exe is perfectly legal. This gives rise to another type of security issue, which we covered briefly when discussing email-related vulnerabilities. Some programs start at the beginning of a filename, look for a dot, then take the next three characters as its extension, or file type. Why is this not good from a security standpoint? What if your mail program's settings allow users to open files of type doc but not of type exe? Is a file named my.doc.exe going to be looked at as a .doc file or an .exe file by the mail program when it checks whether the user is allowed to open it?
Or if the mail program is set to ask the user whether or not they want to open the file, will the email client ask the user if the file my.doc.exe, or just my.doc, should be opened? Generally, the only way to know for sure is to test it.

More than one Trojan horse has been distributed by not adhering to conventional naming, e.g., watchthisporn.jpg.exe etc. [207] For instance, the infamous ILOVEYOU virus spread by claiming to contain an attachment whose name displayed in Outlook as LOVE-LETTER-FOR-YOU.txt. In reality, the attachment that millions of users opened was named LOVE-LETTER-FOR-YOU.txt.vbs, and when opened, it ran a script that propagated the virus. It also made its way onto the Kazaa file-sharing service, disguised as everything from videos to other executables [208].
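The two ways of reading an extension described above, side by side, in an added example that is not part of the original guide. The block list and all function names are assumptions made for illustration.

```python
import os

# Assumed policy for illustration: file types the mail program refuses to open.
BLOCKED = {"exe", "vbs", "scr", "com", "bat", "pif"}

def first_dot_extension(name: str) -> str:
    """Flawed parser from the text: first dot, then the next three characters."""
    dot = name.find(".")
    return "" if dot == -1 else name[dot + 1:dot + 4].lower()

def last_dot_extension(name: str) -> str:
    """Final suffix, which is what Windows uses to choose how to open the file."""
    return os.path.splitext(name)[1].lstrip(".").lower()

def check_attachment(name: str) -> dict:
    """Report what each parser sees and decide on every dot-separated suffix."""
    suffixes = [part.lower() for part in name.split(".")[1:]]
    naive = first_dot_extension(name)
    real = last_dot_extension(name)
    return {
        "name": name,
        "naive_ext": naive,
        "real_ext": real,
        # What a rule built on the flawed parser would conclude.
        "naive_allows": naive not in BLOCKED,
        # Hardened decision: block if ANY suffix is on the block list.
        "block": any(s in BLOCKED for s in suffixes),
        # A harmless-looking suffix placed in front of a blocked one.
        "double_extension": len(suffixes) > 1 and real in BLOCKED,
    }

# Sample names: the first two are constructed, the last two come from the text.
SAMPLES = ["report.doc", "setup.exe", "my.doc.exe", "LOVE-LETTER-FOR-YOU.txt.vbs"]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = check_attachment(sample)
        print(f"{r['name']:30} naive={r['naive_ext']:4} real={r['real_ext']:4} "
              f"naive_allows={r['naive_allows']!s:5} block={r['block']}")
```

Any row where naive_allows is True and block is True marks a name that the first-dot rule would let through even though the file opens as a blocked type.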
The fact that data files can be known by multiple names (a full long name, and a shorter name modified to fit the old 8.3 naming convention) can enable malicious users to get through defenses which may have restricted access to a file under one of its names, but not the other [209].

__________________

[207] http://www.examnotes.net/forums/showthread.php?s=&threadid=56952&perpage=10&pagenumber=1
[208] http://www.theregister.co.uk/content/55/22119.html
[209] http://www.messagelabs.com/viruseye/report.asp?id=130
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.