Alternate Data Streams (ADS) have been present in modern versions of Windows for a long time. If you are using an NTFS filesystem, you can bet that you are using them. As penetration testers, we can use this OS-specific feature to our advantage. This series of posts provides the information required to understand and identify potential ADS-related issues; this first post gives the background needed to understand some common scenarios that can be useful during penetration testing engagements.
What are Alternate Data Streams?
Alternate Data Streams are a feature of NTFS (New Technology File System), the Windows-proprietary filesystem. On NTFS, every file contains at least one stream, but it is possible to associate alternate streams (additional contents) with that file. When you open a file you are accessing its main stream; using a specific syntax, you can access an alternate stream instead. ADS are also known as NTFS streams.
If it helps to understand this concept, think of an NTFS file as a container with multiple compartments. The container is the file name, and each compartment is a stream. Unless stated otherwise, when accessing the container you open the default compartment, which is the standard behavior when you open a file on Windows.
Why should I care about ADS?
As penetration testers, using ADS can allow us to bypass the expected behavior of applications. Take into account that NTFS streams are fully integrated into Windows, which also implies that most web components built on top of it (e.g. PHP or Java) support them, even if the developers are not aware of that.
Therefore, using the ADS syntax can help us during penetration testing, as input validation controls might not be expecting a filename in NTFS stream format.
Moreover, over the years multiple ADS-related vulnerabilities have been identified in different products. For example, IIS has had a couple of them (see CVE-1999-0278 and CVE-2010-2731), and what makes things interesting is that those two were reported more than 10 years apart. In short, this feature has been abused by attackers and security researchers for over a decade.
Which are the internal details of ADS?
It seems that NTFS streams were added by Microsoft in order to support the Macintosh Hierarchical File System (HFS). The ReFS and Universal Disk Format (UDF) file systems also support this feature.
Note that NTFS streams are lost if you copy files to a file system that doesn't support them (e.g. FAT). If you need more details, refer to the Microsoft documentation on file streams.
As you will see below, NTFS streams are also present on directories, which are a special case. A directory has no unnamed $DATA stream, so "mydir::$DATA" addresses nothing; its default stream is the $I30 index stream, of type $INDEX_ALLOCATION, which is what gets read when you list the directory or removed when you delete it. Named $DATA streams can, however, be attached to a directory just as to a file (e.g. "mydir:hidden"), so when targeting the directory itself we work with the default system stream name, and when hiding data we can still use a named stream.
Basically, the syntax required to access an NTFS stream is the following:
name:stream_name:stream_type
- name refers to the resource; it can be a file (e.g. document.txt) or a folder (e.g. Windows)
- stream_name is the name of our compartment. When working with files, an empty stream name indicates the default stream; when dealing with folders, the default stream name is "$I30"
- stream_type is always $DATA when dealing with files, or $INDEX_ALLOCATION for folders
When stream_name (and stream_type) is omitted, you are accessing the main stream. For example, the following NTFS streams are equivalent:
myfile.txt
myfile.txt::$DATA
In the case of directories, the following NTFS streams are equivalent:
C:\Windows
C:\Windows:$I30:$INDEX_ALLOCATION
How to create ADS
echo "test" > myfile:stream
mkdir "myfolder:$I30:$INDEX_ALLOCATION"
How to read ADS
more < myfile:stream
more < myfile:stream:$DATA
dir C:\Windows:$I30:$INDEX_ALLOCATION
How can I enumerate NTFS data streams on Windows?
PowerShell (3.0 and above):
get-item -Path d:\* -Stream *
Sysinternals Streams (Vista and above):
streams -s c:
Which ADS should I focus on while doing a penetration test?
In short, focus should be put on the following elements:
The following NTFS streams might help us bypass input validation routines when writing or reading files:
- myfile.txt::$DATA (contains the data stored in myfile.txt, i.e. its main stream)
- myfile.txt:stream:$DATA (contains the data stored in the ADS called "stream", which is attached to myfile.txt)
The following attack vectors might allow us to enumerate folders on the remote server or, depending on the implemented input validation routines, perform more dangerous attacks:
- myfolder:$I30:$INDEX_ALLOCATION (the directory index of myfolder, i.e. the equivalent of listing the folder)
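The syntax rules given earlier and the ::$DATA and $I30:$INDEX_ALLOCATION targets listed in this section are easiest to reason about in code. The following Python is an added example, not code from the original post: it parses the name:stream_name:stream_type form, canonicalizes a path to the object NTFS will actually open, and contrasts a naive extension or path-prefix check with one that canonicalizes first. The upload blacklist, the handler table, the "/protected/" ACL and the attacker-supplied names are hypothetical inputs constructed for the example.

```python
"""Parse the NTFS stream syntax (name:stream_name:stream_type) and compare what
a naive input check sees with what NTFS will actually open. Added example, not
code from the original post; the blacklist, handler table, "/protected/" ACL
and attacker-supplied names are hypothetical, constructed for illustration."""
import re
from dataclasses import dataclass

# A leading "X:" is a drive letter, not a stream separator (a single-letter file
# name such as "a:stream" would be misread as a drive by this simple rule).
_DRIVE = re.compile(r"^[A-Za-z]:")


@dataclass(frozen=True)
class StreamRef:
    base: str    # file or directory name without the stream suffix
    stream: str  # "" is the default stream
    stype: str   # "$DATA" for content, "$INDEX_ALLOCATION" for a directory index


def parse_stream_ref(component):
    """Split one path component per the rules in the post: 'name' and
    'name::$DATA' are the default stream, 'name:s' is named stream s of type
    $DATA, 'name:$I30:$INDEX_ALLOCATION' is the index of folder 'name'."""
    parts = component.split(":")
    if len(parts) > 3:
        raise ValueError("too many ':' in %r" % component)
    base = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2].upper() if len(parts) > 2 else "$DATA"
    if stype == "$INDEX_ALLOCATION" and stream == "":
        stream = "$I30"  # a folder's default stream name, as stated in the post
    return StreamRef(base, stream, stype)


def split_path(path):
    """(drive, segments); the drive is kept out of stream parsing so that
    'C:\\Windows:$I30:$INDEX_ALLOCATION' is not read as stream 'Windows' of 'C'."""
    drive = ""
    if _DRIVE.match(path):
        drive, path = path[:2], path[2:]
    return drive, re.split(r"[\\/]", path)


def canonical_path(path):
    """The object the filesystem will really touch: default $DATA streams and
    directory index streams collapse to the bare name; a named $DATA stream is
    kept as 'name:stream' because it is genuinely separate content."""
    drive, segments = split_path(path)
    out = []
    for seg in segments:
        ref = parse_stream_ref(seg) if seg else None
        if ref is None or ref.stype == "$INDEX_ALLOCATION" or ref.stream == "":
            out.append(seg if ref is None else ref.base)
        else:
            out.append(ref.base + ":" + ref.stream)
    return drive + ("\\" if "\\" in path else "/").join(out)


def naive_extension(name):
    """What a check that has never heard of streams computes: the text after
    the last dot of the last segment, taken literally."""
    last = re.split(r"[\\/]", name)[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot != -1 else ""


def effective_extension(name):
    """Extension of the file NTFS creates or opens, computed on the base name
    once the stream suffix has been parsed away."""
    ref = parse_stream_ref(split_path(name)[1][-1])
    dot = ref.base.rfind(".")
    return ref.base[dot:].lower() if dot != -1 else ""


BLOCKED = {".asp", ".aspx", ".php"}                             # hypothetical upload blacklist
HANDLERS = {".asp": "script-engine", ".aspx": "script-engine"}  # hypothetical routing table


def upload_allowed_naive(name):
    """'shell.aspx::$DATA' and 'shell.asp:.jpg' both pass: their literal
    extensions are not blacklisted, yet NTFS writes shell.aspx, respectively
    creates shell.asp (empty main stream plus a '.jpg' named stream)."""
    return naive_extension(name) not in BLOCKED


def upload_allowed_hardened(name):
    """Refuse any stream syntax at all (an upload has no business naming a
    stream), then check the extension of what would really be created."""
    if ":" in split_path(name)[1][-1]:
        return False
    return effective_extension(name) not in BLOCKED


def handler_for(name, extension_fn):
    """Route by extension. With naive_extension, 'default.asp::$DATA' falls
    through to the static handler, which serves the script's source from the
    main stream; with effective_extension it reaches the script engine."""
    return HANDLERS.get(extension_fn(name), "static")


def path_protected(url_path, canonicalize):
    """ACL check keyed on the URL path; without canonicalization,
    '/protected:$i30:$INDEX_ALLOCATION/x.asp' is not seen as under /protected/."""
    checked = canonical_path(url_path) if canonicalize else url_path
    return checked.lower().startswith("/protected/")
```

The logic is pure string handling, so it runs on any platform without an NTFS volume. The point to take away is that a check inspecting the raw string sees one extension or one path while the filesystem resolves another; the hardened variants either reject the stream syntax outright or decide on the canonical form, which is the pattern to look for (or the absence of which to exploit) when reviewing upload, download and path-authorization code on Windows hosts.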
This post explained what NTFS streams are, providing the necessary background to understand attacks that use this NTFS feature. In the next post we'll see examples of the kinds of vulnerabilities we might expect to find in real-life applications.