What are Alternate Data Streams?

Alternate Data Streams is a feature supported by NTFS (New Technology File System) Windows-proprietary filesystem. With NTFS, all files contain at least one stream, but it is possible to associate alternate streams or contents to that file. When you open a file, you are accessing the main stream of the file, but using a specific syntax, you can access an alternate stream. ADS are also known as NTFS streams.

If it helps you to understand this concept, try to think of the NTFS file as a container with multiple compartments. The container will be the file name, and each of the compartments will be a stream. Unless stated otherwise, when accessing the container, you’ll open the default compartment which is the standard behavior when you open a file on Windows.

Why should I care about ADS?

As penetration testers, using ADS could allow us to bypass the expected behavior of the applications. Take in account that NTFS streams are fully integrated by Windows, which also imply that most of the web components build on top of it supports it (e.g. PHP/Java), even if the developers are not aware of that.

Therefore, using the ADS format could help us during our penetration testing activities, as the input validation controls might not be expecting a filename using the NTFS stream format.

Moreover, over the years multiple vulnerabilities have been identified on different products. For example, IIS has had a couple of vulnerabilities relating to ADS (see CVE-1999-0278 and CVE-2010-2731), but what makes things interesting is that the previous vulnerabilities were reported over 10 years apart!. So in short, this feature has been abused by attackers and security researchers over a period of 10 years(!).

Which are the internal details of ADS?

It seems that NTFS streams were added by Microsoft in order to support the Macintosh Hierarchical File System and the ReFS and Universal Disk Format (UDF) file systems also supports this feature.

You should note that NTFS streams will be lost if you copy files to a file system that doesn’t support them (e.g. FAT). If you need more details, feel free to read the Microsoft documentation here.

As you will see below, NTFS streams are also present on directories, which are a special case. However, as far as I know, its main limitation is that custom streams cannot be created within directories, so we will be limited to reading or deleting directories using the default system stream name.

Basically, the syntax required to access a NTFS stream is the following:

<name>:<stream_name>:<stream_type>

• name refers the the resource, it can be a file (e.g. document.txt) or a folder (e.g. Windows)
• stream_name is the name of our compartment, when working with files, an empty stream name indicates the default stream, when dealing with folders, the default stream name will be “$I30″
• stream_type will be always $DATA when dealing with files or $INDEX_ALLOCATION for folders

When the stream_name is omitted, you are accessing the main stream. For example, the following NTFS streams are equivalent:

• myfile.txt
• myfile.txt:
• myfile.txt::$DATA

In the case of directories, the following NTFS streams are equivalent:

• mydir
• mydir:$I30:$INDEX_ALLOCATION
• mydir::$INDEX_ALLOCATION

How to create ADS

echo "test" > myfile:stream
mkdir "myfolder:$I30:$INDEX_ALLOCATION"

How to read ADS

more < myfile:stream
more < myfile:stream:$DATA
dir C:\Windows:$I30:$INDEX_ALLOCATION

How can I enumerate NTFS data streams on Windows?

Powershell

get-item -Path d:\* -Stream *

Vista and above

dir /r

Sysinternals

streams -s c:

Which ADS should I focus while doing penetration test?

In short, focus should be put in the following elements:

Files

The following NTFS streams might help us to bypass the input validation routines when writing/reading files:

• myfile.txt::$DATA (Contains the data stored on myfile.txt)
• myfile.txt:stream:$DATA (Contains the data stored on the ADS called “stream”, which is located on myfile.txt)

Directory

The following attack vectors might allow us to enumerate folders in the remote server or, depending on the implemented input validation routines, perform a more dangerous attacks:

• directory::$DATA
• directory:$I30:$INDEX_ALLOCATION
• directory::$INDEX_ALLOCATION

Summary

This post explained what NTFS streams are, providing the necessary background to understand attacks using this NTFS feature. In the next post we’ll see some examples of potential vulnerabilities that we might expect to see in real-life applications.

The post NTFS Alternate Data Streams for pentesters (part 1) appeared first on Portcullis Labs.