Tweet
This was discovered in mid 1998 but as NTFS Alternate Data Streams (ADS) is still so relatively unknown i thought I'd raise awareness of it on this forum for anyone who read my recent post on how to use ADS.
The problem lies in the fact that you can open a filename with "::$DATA" at the end of it and you'll basically be reading the normal file contents. For example,
OPEN "c:\autoexec.bat" FOR BINARY ACCESS READ
is the same as
OPEN "c:\autoexec.bat::$DATA" FOR BINARY ACCESS READ
Florents port of Stream Enum often shows two streams in all files - data, and security. The data one can be accessed by "::$DATA" (and you'll see that the data stream is always the same size as the normal 'parent' filesize), but I'm still not too sure how to read the security one yet, all my guesses have failed.
The ADS webserver vulnerability affects Microsoft Internet Information Server (IIS) versions 1.0, 2.0, 3.0, and even 4.0. It's not known if any other WindowsNT-based webservers are vulnerable, but you would have to think that by default an NT webserver would be vulnerable unless specifically programmed not to read streams, so it seems unlikely that IIS was alone with this vulnerability.
To test your Windows NT webserver for the vulnerability, go to an existing URL and add "::$DATA" to the end, eg:
http://www.victim.com/default.asp::$DATA
Obviously this is useless against .html, but formats such as .asp are server-side source code that should never be sent to the browser.
If the source code for the actual .asp page comes up instead of the source that the .asp should have generated, you're vulnerable, and probably have been for many years!
[This message has been edited by Wayne Diamond (edited November 04, 2003).]
The problem lies in the fact that you can open a filename with "::$DATA" at the end of it and you'll basically be reading the normal file contents. For example,
OPEN "c:\autoexec.bat" FOR BINARY ACCESS READ
is the same as
OPEN "c:\autoexec.bat::$DATA" FOR BINARY ACCESS READ
Florents port of Stream Enum often shows two streams in all files - data, and security. The data one can be accessed by "::$DATA" (and you'll see that the data stream is always the same size as the normal 'parent' filesize), but I'm still not too sure how to read the security one yet, all my guesses have failed.
The ADS webserver vulnerability affects Microsoft Internet Information Server (IIS) versions 1.0, 2.0, 3.0, and even 4.0. It's not known if any other WindowsNT-based webservers are vulnerable, but you would have to think that by default an NT webserver would be vulnerable unless specifically programmed not to read streams, so it seems unlikely that IIS was alone with this vulnerability.
To test your Windows NT webserver for the vulnerability, go to an existing URL and add "::$DATA" to the end, eg:
http://www.victim.com/default.asp::$DATA
Obviously this is useless against .html, but formats such as .asp are server-side source code that should never be sent to the browser.
If the source code for the actual .asp page comes up instead of the source that the .asp should have generated, you're vulnerable, and probably have been for many years!
[This message has been edited by Wayne Diamond (edited November 04, 2003).]