Windows ::DATA Alternate Data Stream
Thank you for visiting OWASP.org. We have migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done.
This is an example of a Project or Chapter Page.
Description
The NTFS file system includes support for alternate data streams. This
is not a well known feature and was included, primarily, to provide
compatibility with files in the Macintosh file system. Alternate data
streams allow files to contain more than one stream of data. Every file
has at least one data stream. In Windows, this default data stream is
called :$DATA.
Windows Explorer doesn’t provide a way of seing what alternate data streams are in a file (or a way to remove them without deleting the file) but they can be created and accessed easily. Because they are difficult to find they are often used by hackers to hide files on machines that they’ve compromised (perhaps files for a rootkit). Executables in alternate data streams can be executed from the command line but they will not show up in Windows Explorer (or the Console). Reference Example 1 for information on creating and accessing alternate data streams.
Since the :$DATA alternate stream exists for every file it can be an
alternate way to access any file. Reference Example 2 for information on
accessing the :$DATA alternate data stream in a text file. Any
application that creates files or looks at or depends on the end of the
file name (or the extension) should be aware of the possibility of these
alternate data streams. If unsanitized user input is used to create or
reference a file name an attacker could use the :$DATA stream to change
the behavior of the software. A well-known vulnerability of this nature
existed in older versions of IIS. When IIS saw a request for a file with
an ASP extension it sent the ASP file to the application associated with
the extension. This application would run the server-side code in the
ASP file and generate the HTML response for the request. Due to a flaw
in the extension parsing of these versions of IIS, filename.asp::$DATA
did not match the extension and since there was no application
registered for the asp::$DATA extension, the asp source code was
returned to the attacker.
Proper user input sanitation is the best defense against this type of attack.
Examples
Example 1 - Creating Alternate Data Streams
C:\> type C:\windows\system32\notepad.exe > c:\windows\system32\calc.exe:notepad.exeC:\> start c:\windows\system32\calc.exe:notepad.exe
Example 2 - Accessing the :$DATA Alternate Data Stream
C:\> start c:\textfile.txt::$DATA
Example 3 - Exploiting the ASP Alternate Data Stream Show Code Vulnerability
Normal access:
http://www.alternate-data-streams.com/default.asp
Show code bypass accessing the :$DATA alternate data stream:
http://www.alternate-data-streams.com/default.asp::$DATA
In the vulnerable versions, IIS parsed the extension of this file as
asp::$DATA, not ASP. As such the application associated with the ASP
extension was not invoked and the ASP source code was viewable by the
attacker.