The dark side of NTFS and Alternative Data Streams.
I was reading the article Tony linked to about the dangers of Windows-based rootkits. And in one paragraph they mention that a average programmer has the skills to develop a kernel mode root kit for Windows. It made me remember a article I read about alternative data streams and NTFS.
Alternative data streams were originally designed, I beleive, to acheive a high amount of compatability with Apple's HFS filing systems. Apple's stuff has a fairly unique property that they store a large amount of metadata with a file, along with the actual data the file contains. (file location on the screen, last program used to open file, icon information, etc etc) In other file systems that don't support this (like Ext3) that you want to use to serve files to Apple systems you end up with these ._filename to go with the individual files to support this metadata. (can be a big pain in the rear, you have to clean these out often)
So NTFS ADS was originally designed to provide compatability and/or allow for more advanced file system features and complex metadata.
However it never realy went anywere. Most support for it was dropped and it just became one of those features that never got used. Well at least for the Win32 API, which was added onto the NT stuff to make it a desktop OS. No support for ADS at all.
This has lead to the perverse situation were you can actually store programs and files inside other file's ADS's and the end user has no way to know that they exist. You can even stick data into directories.. even C:\!
This is a simple example that I use to show off. You have to be running NTFS.. And you use full paths.
copy C:\winnt\notepad.exe C:\notepad.exe
type notepad.exe > randumb.txt:nd.exe
now you can still execute that notepad.exe program from within the text file..
Or something like that. Usually takes a couple tries to remember everything from scratch, but it's not difficult. Then I open up explorer and show that there is no way to detect the np.exe. Even checking file sizes and such will not show anything.
Ironicly you do use ADS now in Windows XP SP2, I beleive, for part of their security model. It's used to store the metadata that Windows uses for zones of control and such.
It puts the 'zone' information in Zone.Marking like such: filename:zone.marking
I originally learned about the nastiness of hidding files in alternative data streams from a article written by a H. Carvey called "The Dark Side of NTFS (Microsoft’s Scarlet Letter)" from the following. http://www.infosecwriters.com/texts.php?op=display&id=53
He has a better overview and more information. He also points to a usefull program called lads.exe that will help show information about a file's alternative data streams.
This article mentions a bit about Zone.Marking: http://redmondmag.com/columns/article.asp?EditorialsID=716
This page is a FAQ about NTFS from the writer of lads.exe, Frank Heyne http://www.heysoft.de/en/software/lads.php?searchresult=1&sstring=ntfs#wb_21
I find this sort of thing very interesting. Reiserfs v4 is suppose to have a similar feature. It allows a file to be both a file AND a directory at the same time. So you could have a file randumb.txt, but then stick a text file containing metadata into randumb.txt/metadata.randumb.txt or something like that. It would allow similar functionality to HFS+ for any programs that may want to take advantage of it. I could see similar security issues with it, I suppose.
Do a search for 'Files That Are Also Directories' in this page: http://www.namesys.com/v4/v4.html (page gone, sorry)
I hope they were a bit smarter about the possible security issues then MS originally was with NTFS!
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
Increase ad revenue 50-250% with Ezoic
More Articles by Drag Sidious © 2011-04-09 Drag Sidious