NTFS Alternate Data Streams can be used to bypass some path-based security checks

Discussion in 'other security issues & news' started by MrBrian, Jun 17, 2015.

  1. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
    From Abusive Directory Syndrome:
    Streams can contain executable content, although some operating systems try to block some methods of execution of stream content. For more info, see http://hinchley.net/2013/11/01/ntfs-alternate-data-streams/. Rundll32.exe doesn't block execution of stream DLL content though, according to https://phrozensoft.com/2015/06/phrozen-ads-revealer-catch-alternate-data-stream-2.

    Some types of security checks that might be bypassed:
    1. User Account Control UIAccess secure folder check.
    2. AppLocker path-based exceptions. The POC in the link in 1. runs a stream-located executable in c:\windows\tracing, even though my AppLocker rules explicitly ban execution in that folder.
     
  2. WildByDesign (Registered Member; joined Sep 24, 2013; 1,633 posts; Toronto, Canada)
    Is this the one fixed in Windows 10?

    I followed the POC steps but keep getting Status 0 Error 8235 on Windows 10.
     
  3. MrBrian (Registered Member; joined Feb 24, 2008; 6,032 posts; USA)
    I doubt it's been fixed in Windows 10 but I don't know for sure. From https://code.google.com/p/google-security-research/issues/detail?id=220:
     
  4. Rasheed187 (Registered Member; joined Jul 10, 2004; 8,038 posts; The Netherlands)
    I wonder how common it is for apps to use ADS? SpyShelter does monitor it.
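The two practical questions in this thread, whether a stream can carry executable content that a folder-based rule never looks at (post 1) and how common streams actually are on a live system (post 4), can both be answered by enumerating the streams yourself. The PowerShell below is an added example written for this page; it is not code from the thread, from Phrozen ADS Revealer, or from the linked blog posts. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and its default target folder, the c:\windows\tracing directory mentioned in post 1, is only an assumed starting point (any directory works).

```powershell
# Added example, not from the thread: list NTFS alternate data streams under a
# directory and flag streams whose first two bytes are the 'MZ' PE signature.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on NTFS; default root is an
# assumption taken from post 1 and can be overridden with -Root.
param(
    [string]$Root = "$env:SystemRoot\tracing",
    [int]$MinLength = 0          # ignore streams shorter than this many bytes
)

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns every $DATA stream of the file; the entry
            # named ':$DATA' is the file's normal content, everything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        # The form a loader would be given. Note the directory part is
                        # unchanged, which is what a path-based rule keys on.
                        StreamPath = "$($file.FullName):$($_.Stream)"
                    }
                }
        }
}

function Test-StreamIsPE {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    $read = @{ LiteralPath = $File; Stream = $Stream; TotalCount = 2; ErrorAction = 'Stop' }
    # Reading raw bytes changed between Windows PowerShell (-Encoding Byte)
    # and PowerShell 7 (-AsByteStream); pick the right switch at run time.
    if ($PSVersionTable.PSVersion.Major -ge 6) { $read.AsByteStream = $true }
    else                                        { $read.Encoding = 'Byte' }
    try { $bytes = @(Get-Content @read) } catch { return $false }
    # 0x4D 0x5A = 'MZ', the DOS header every PE executable or DLL starts with.
    return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

Get-AlternateStreams -Path $Root |
    Where-Object { $_.Length -ge $MinLength } |
    ForEach-Object {
        $looksLikePE = Test-StreamIsPE -File $_.File -Stream $_.Stream
        $_ | Add-Member -NotePropertyName LooksLikePE -NotePropertyValue $looksLikePE -PassThru
    } |
    Sort-Object LooksLikePE -Descending |
    Format-Table File, Stream, Length, LooksLikePE -AutoSize
```

Save it as a .ps1 and run it with `-Root` pointing at the folder you care about. To see it work without any real payload, attach a harmless stream to a test file first, e.g. `Set-Content -LiteralPath .\t.txt -Stream demo -Value 'hello'`, and it will show up with LooksLikePE False. Expect plenty of benign hits: the Zone.Identifier stream (the "mark of the web" that browsers attach to downloads) is by far the most common ADS on a normal system. Two limitations worth knowing: the scan covers file streams only, not streams attached to directories, and a stream that is not a PE image (a script, for example) will not be flagged by the MZ check, so treat the LooksLikePE column as a triage hint rather than a verdict.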
     