NTFS – How to Bypass Path Restrictions with Alternate Data Streams

Windows systems come with the Alternate Data Streams (ADS) feature that is supported by NTFS (Windows New Technology File System).

With ADS, you can fork data into an existing file without changing its size or functionality. You can create an ADS with DOS commands such as type, combined with redirection (>) and a colon (:), to fork one file into another.

Besides its legitimate uses, attackers can abuse the ADS feature to compromise your system.

In this article, we’ll talk about how to use Alternate Data Streams to bypass path restrictions.

Storing NTFS files

Here is the format for storing NTFS files:

<filename>:<stream-name>:<type>

For example, if you create a file and name it Sample.txt, it is stored as Sample.txt::$DATA, because the stream name is empty and $DATA is the default type.

The loophole in folder creation is that this type can be changed to $INDEX_ALLOCATION, which may end up creating a directory instead of a file.

You can also store data in Alternate Data Streams. For Sample.txt, the default stream can be addressed as Sample.txt::$DATA even though the stream name is empty.

A named stream is addressed the same way, as Sample.txt:foo or, equivalently, Sample.txt:foo:$DATA, since $DATA is again the default type.

You can use different stream names to store data about a file, for instance about its origin. If a file is downloaded from the Internet or received by email, Windows adds a Zone.Identifier stream to it.

This zone information is what triggers the warning dialog when you try to execute such a downloaded file.

For example, a downloaded file named Firefox.exe carries an additional stream, Firefox.exe:Zone.Identifier:$DATA. Stream names are made visible with the /r switch of the dir command.

The above command shows that the Zone.Identifier stream cannot be read like a normal file from the command prompt.

It is recommended to omit the $DATA type when reading the stream via Notepad. What matters is that data, including whole applications, can be stored in an ADS.

In our case, Firefox can be copied into an ADS and executed via the Windows Management Instrumentation Command-line (WMIC).

NOTE: This vulnerability was reported to Microsoft and they made an update on WMIC process requests.

Bypassing path restrictions

ADS can be used to hide data when you use the dir command without the /r switch. ADS can also be used to create folders.

Creating folders this way is only possible if you have the “create folder” permission on the directory and you do not use a number as the folder name.

Importantly, an ADS attached to a folder is treated as if it were a file in that folder's parent.

On Windows, a normal user cannot create files inside C:\Windows; only administrators can.

Because of this, applications that read from C:\Windows assume that files found there are trusted, on the assumption that only administrators can write to this part of the system.

Normal users can, however, write to the C:\Windows\Tracing folder, which allows the creation of both folders and files.

As an example, if a user writes to C:\Windows\Tracing:Sample.dll, this path is passed to a Windows API function that calculates the base folder. It starts at the end of the path and walks backwards until it finds the first \.

Everything to the left of that \ is then returned as the base folder, so the result for C:\Windows\Tracing:Sample.dll is C:\Windows\.

As already stated, a normal user cannot create files in this folder, but with the trick shown here the file appears to have been stored in C:\Windows.

This behavior can be used to bypass the security checks of some applications and whitelisting solutions.

For instance, consider an application that stores uploaded data in \uploadedData\ and is only supposed to run scripts or applications from applicationFolder\, never from applicationFolder\uploadedData\.

A user who uploads a file named :foo.Sample makes the system create an ADS at applicationFolder\uploadedData:foo.Sample, and the file looks as if it were stored in applicationFolder\, which can enable the bypassing of the security check.

Another important aspect of ADS naming is the symbols allowed in stream names, such as *. Files using such symbols have to be created through the native Windows API, because cmd.exe filters them.

Filenames containing such symbols, or a quotation mark ("), may lead to several problems.

Dangers of ADS

If a website is running on Internet Information Services (IIS) and allows the uploading of files, it can be prone to Cross Site Request Forgery (CSRF) attacks.

Furthermore, if the process of uploading new files is not sanitized, the website may be susceptible to an injection attack, such as cross-site scripting attacks (XSS).

This is why file names are normally not allowed to contain symbols such as < or >. Since ADS names can contain these symbols, an attacker can send upload requests for filenames that include an ADS carrying them.
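As an added example (not code from the original article), the following Python models the <filename>:<stream-name>:<type> format, the base-folder calculation for C:\Windows\Tracing:Sample.dll, and the upload-filename check discussed above: the naive calculation yields C:\Windows\, while a stream-aware variant rejects the path, and the upload filter rejects names such as :foo.Sample. Function names and parsing rules are my own assumptions modelled on the format described, not a Windows API.

```python
import re
from typing import NamedTuple, Optional

class NtfsName(NamedTuple):
    filename: str
    stream: str       # "" means the unnamed default stream
    stream_type: str  # "$DATA" unless given explicitly

def parse_ntfs_name(component: str) -> NtfsName:
    """Split one path component into <filename>:<stream-name>:<type>.
    Hypothetical parser modelled on the format above: a missing stream
    name is "" and a missing type defaults to $DATA."""
    parts = component.split(":")
    if len(parts) > 3:
        raise ValueError("too many ':' in NTFS name: %r" % component)
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2] if len(parts) > 2 and parts[2] else "$DATA"
    return NtfsName(parts[0], stream, stream_type)

def naive_base_folder(path: str) -> str:
    """Mimic the base-folder calculation described above: scan back to
    the first '\\' and return everything to its left, inclusive."""
    return path[: path.rfind("\\") + 1]

def has_alternate_stream(path: str) -> bool:
    """True if the last component addresses anything other than the
    unnamed $DATA stream. A bare drive spec such as 'C:' is not a stream."""
    last = path.rsplit("\\", 1)[-1]
    if re.fullmatch(r"[A-Za-z]:", last):
        return False
    name = parse_ntfs_name(last)
    return name.stream != "" or name.stream_type.upper() != "$DATA"

def safe_base_folder(path: str) -> Optional[str]:
    """Hardened variant: return None when the last component carries an
    ADS, so C:\\Windows\\Tracing:Sample.dll never resolves to C:\\Windows\\."""
    return None if has_alternate_stream(path) else naive_base_folder(path)

# Characters that are illegal in file names but legal in stream names,
# plus the path separators and the stream separator ':' itself.
UPLOAD_FORBIDDEN = set('\\/:*?"<>|')

def is_safe_upload_name(name: str) -> bool:
    """Upload filter: accept only a single plain component; ':foo.Sample' is rejected."""
    return bool(name) and name not in (".", "..") and not (UPLOAD_FORBIDDEN & set(name))
```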
