NTFS Alternate Data Streams can be used to bypass some path-based security checks

Discussion in 'other security issues & news' started by MrBrian, Jun 17, 2015.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Abusive Directory Syndrome:
    Streams can contain executable content, although some operating systems try to block some methods of execution of stream content. For more info, see http://hinchley.net/2013/11/01/ntfs-alternate-data-streams/. Rundll32.exe doesn't block execution of stream DLL content though, according to https://phrozensoft.com/2015/06/phrozen-ads-revealer-catch-alternate-data-stream-2.

    Some types of security checks that might be bypassed:
    1. User Account Control UIAccess secure folder check.
    2. AppLocker path-based exceptions. The POC in the link in 1. runs a stream-located executable in c:\windows\tracing, even though my AppLocker rules explicitly ban execution in that folder.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Is this the one fixed in Windows 10?

    I followed POC steps but keep getting Status 0 Error 8235 on Windows 10.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I doubt it's been fixed in Windows 10 but I don't know for sure. From https://code.google.com/p/google-security-research/issues/detail?id=220:
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,422
    Location:
    The Netherlands
    I wonder how common it is for apps to use ADS? SpyShelter does monitor it.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.