Improper Handling of Windows ::DATA Alternate Data Stream

Abstraction: Variant
Status: Incomplete
Structure: Simple
Description

The product does not properly prevent access to, or detect the use of, NTFS Alternate Data Streams (ADS), so an attacker can use a stream to hide data inside an ordinary-looking file or to reach a file under a name that the product's checks do not cover.

Extended Description

An alternate data stream is an additional named $DATA stream attached to an NTFS file. The content that Windows Explorer and a plain `dir` listing show and size is the unnamed stream, which can also be addressed explicitly as `name::$DATA`; a named stream is addressed as `name:stream` or `name:stream:$DATA`. Attackers use named streams to stash executables, tools or stolen data inside an innocuous file such as `report.docx:payload.exe`: the file's displayed name and size do not change, so detection keyed on either misses the payload. Streams also defeat access controls that are tied to the main file. If an application validates or protects only the primary data stream, or applies its policy to the literal string it was handed, an attacker can reach the same bytes under a different spelling (the IIS `::$DATA` case in the observed examples) or read from and write to a named stream the policy never considered, leaking information or planting a backdoor.

Common Consequences

Scope: Access Control, Non-Repudiation, Other
Impact: Bypass Protection Mechanism, Hide Activities, Other

Potential Mitigations

Phase: Testing
Tools exist that enumerate the streams attached to every file on a volume; run one during testing and keep it in the incident-response kit. On Windows Vista and later `dir /r` lists streams next to their files, PowerShell's `Get-Item -Path <file> -Stream *` returns every stream with its size, and Sysinternals `streams -s <dir>` walks a directory tree.
Phase: Implementation
Parse the NTFS stream syntax (`name[:stream][:$type]`) out of any user-supplied file name before applying policy keyed on that name, then open or validate the stream the caller actually named. A check that inspects only the literal string (an extension table, a path allow-list, a quota that sums main-stream sizes) does not see `name::$DATA` or `name:hidden` as the same file.
Observed Examples

CVE-1999-0278: In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
CVE-2000-0927: Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
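The following Python is an added example written for this entry; it is not code from CWE, from IIS or from either reference. It serves the Extended Description, the Implementation mitigation and CVE-1999-0278 together: `parse_stream_ref` splits the NTFS `name[:stream][:$type]` syntax off the last path component, `naive_handler` reproduces the extension-table lookup that let `::$DATA` turn a script request into a raw file download, `hardened_handler` resolves the stream reference first and refuses any stream syntax, and `find_named_streams` runs the same parser over a `dir /r` listing to surface hidden streams. The function names, the `HANDLERS` table and the listing are mine; the listing's layout is constructed from memory of `dir /r` output and is an assumption, not captured data.

```python
import os
import re

# NTFS stream syntax is  name[:stream][:$type].  "name::$DATA" names the unnamed
# (main) data stream explicitly; "name:hidden" names a stream that plain `dir`
# and Explorer do not show.  ':' is not a legal character in an NTFS file name,
# so any ':' in the last path component is stream syntax.  Only the last
# component is parsed, which leaves a drive letter such as C:\ alone.
_STREAM_RE = re.compile(
    r"^(?P<base>[^:]*)(?::(?P<stream>[^:]*)(?::(?P<type>\$[A-Za-z_]+))?)?$"
)


def parse_stream_ref(path):
    """Return (base_path, stream, stream_type) for an NTFS file name.

    stream == "" with stream_type == "$DATA" is the ordinary file content,
    however the caller spelled it.  Malformed syntax such as "name:::$DATA"
    raises ValueError instead of being passed through to the filesystem.
    """
    cut = max(path.rfind("/"), path.rfind("\\")) + 1
    directory, name = path[:cut], path[cut:]
    m = _STREAM_RE.match(name)
    if m is None or not m.group("base"):
        raise ValueError(f"malformed stream reference: {name!r}")
    stream = m.group("stream") or ""
    stream_type = (m.group("type") or "$DATA").upper()
    return directory + m.group("base"), stream, stream_type


# Constructed extension table: which engine a web server hands a request to.
HANDLERS = {".asp": "asp-script-engine"}


def naive_handler(path):
    """Extension lookup on the raw string, the pattern behind CVE-1999-0278.

    splitext("default.asp::$DATA") yields the extension ".asp::$DATA", so no
    script engine matches and the server falls back to sending the file's
    bytes, which for an ASP page is its source.
    """
    ext = os.path.splitext(path)[1].lower()
    return HANDLERS.get(ext, "static-file")


def hardened_handler(path):
    """Resolve the stream reference first; refuse any stream syntax at all."""
    try:
        base, _stream, _stream_type = parse_stream_ref(path)
    except ValueError:
        return "reject"
    if base != path:            # explicit "::$DATA" or a named stream was used
        return "reject"
    ext = os.path.splitext(base)[1].lower()
    return HANDLERS.get(ext, "static-file")


# Constructed `dir /r` output (layout assumed).  Note that the "bytes" total
# counts only the three main streams: a quota computed this way is the
# CVE-2000-0927 failure mode.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\inetpub\\wwwroot

02/16/2005  09:12 AM    <DIR>          .
02/16/2005  09:12 AM    <DIR>          ..
02/16/2005  09:12 AM             2,310 default.asp
02/16/2005  09:13 AM            48,128 report.docx
                                 7,168 report.docx:payload.exe:$DATA
02/16/2005  09:14 AM               512 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               3 File(s)         50,950 bytes
"""


def find_named_streams(dir_r_output):
    """Return [(file, stream, size_bytes), ...] for every named stream listed.

    The main stream is skipped however it is spelled; names containing spaces
    are not handled because the sample splits on whitespace.
    """
    found = []
    for line in dir_r_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or ":" not in parts[-1]:
            continue
        try:
            base, stream, _stream_type = parse_stream_ref(parts[-1])
        except ValueError:
            continue
        if stream:
            found.append((base, stream, int(parts[-2].replace(",", ""))))
    return found


if __name__ == "__main__":
    for req in ("default.asp", "default.asp::$DATA", "default.asp:x"):
        print(f"{req:22} naive={naive_handler(req):18} hardened={hardened_handler(req)}")
    for hit in find_named_streams(SAMPLE_DIR_R):
        print("named stream:", hit)
```

Rejecting every stream reference is the right default for a network-facing path handler, since a client has no legitimate reason to address a stream; a component that must work with streams (a backup or quota tool, for instance) keeps the parsed `stream` and opens exactly that one, and sums every stream's size rather than the main stream's alone.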
References

REF-562: Don Parker. "Windows NTFS Alternate Data Streams". 16-02-2005.
REF-7: Michael Howard and David LeBlanc. "Writing Secure Code". Microsoft Press, 04-12-2002.
Applicable Platforms
Languages:
Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. System Process
  2. File or Directory
Taxonomy Mapping
  • PLOVER
Notes
Theoretical: This and similar problems exist because the same resource can have multiple identifiers, and the identifier a caller uses dictates which checks and behavior are applied to the resource.