CWE-69 – Improper Handling of Windows ::DATA Alternate Data Stream


Description

The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

An attacker can use an ADS to hide data alongside a file, and with it information about the file (e.g. its real size, or the name of the process that planted the data), from the system and from file-browsing tools such as Windows Explorer and the 'dir' command-line utility: both report only the size of the unnamed (default) data stream, so content stored in an alternate stream is invisible unless a tool asks for streams explicitly. Alternately, the attacker might be able to bypass intended access restrictions on the associated data fork, because a check that looks at the file name (its extension, for instance) may not recognise the name once a stream specifier such as "::$DATA" is appended to it.

Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.

Modes of Introduction:

– Architecture and Design


Related Weaknesses

CWE-66: Improper Handling of File Names that Identify Virtual Resources

Consequences

Access Control, Non-Repudiation, Other: Bypass Protection Mechanism, Hide Activities, Other


Potential Mitigations

Phase: Testing

Description: 

Use tools that enumerate ADSs on your system rather than relying on Explorer or plain 'dir', which do not show them. Windows itself ships 'dir /r' (cmd) and PowerShell's Get-Item -Stream *, and the Sysinternals Streams utility can list and delete streams across a directory tree.
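The following PowerShell function is an added example (not CWE text and not any product's code) of the testing-phase check: it walks a directory tree, asks the file-system provider for every stream of every file, and reports only the named streams, dropping the unnamed ':$DATA' stream that every file has. The demonstration at the bottom plants a stream in a temporary file so the function has something to find; the temp directory and stream name are assumptions for the demo.

```powershell
# Added example: enumerate alternate data streams under a directory.
# Uses only built-in FileSystem provider cmdlets (PowerShell 3.0+).
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        ForEach-Object {
            # -Stream * lists every stream, including the default ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |   # keep only alternate streams
        Select-Object FileName, Stream, Length
}

# --- Demonstration (constructed data) -----------------------------------
$demoDir  = Join-Path $env:TEMP 'ads-demo'      # assumption: scratch location
$demoFile = Join-Path $demoDir 'report.txt'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Set-Content -LiteralPath $demoFile -Value 'visible contents'
# Hide data in a named stream; 'dir' and Explorer will still report 16 bytes.
Set-Content -LiteralPath $demoFile -Stream 'hidden.payload' -Value 'concealed contents'

Find-AlternateDataStream -Path $demoDir | Format-Table -AutoSize

# Read the hidden stream back, then remove it.
Get-Content -LiteralPath $demoFile -Stream 'hidden.payload'
Remove-Item -LiteralPath $demoFile -Stream 'hidden.payload'

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Note that 'Zone.Identifier' streams written by browsers and mail clients (the mark-of-the-web) are legitimate and will show up in this listing; what you are hunting for is streams on files that have no business carrying them, or streams whose Length is large relative to the file.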

Phase: Implementation

Description: 

Ensure that the source code correctly parses the filename, separating the base name from any ":stream:$type" specifier, so that it reads or writes the stream the caller actually named. Every check that is derived from the name (extension-to-handler mapping, access control, quota accounting) must run on the base name, and an application that never intends to serve streams should reject any name that carries a stream specifier, including the default-stream spelling "::$DATA".
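As an added example of that implementation-phase advice (this is illustrative code, not CWE text and not code from IIS or any other product), the Python module below parses the NTFS stream syntax, name[:stream[:$type]], before anything else looks at the name. It distinguishes a drive letter from a stream separator, rejects stream specifiers on directory components, and derives the file extension from the base name, which is the check that the "::$DATA" trick against IIS in CVE-1999-0278 defeated. The treatment of stream types as case-insensitive and of an empty stream name as the unnamed data stream are assumptions made for the parser; verbatim "\\?\" prefixes are out of scope.

```python
"""Parse NTFS stream syntax so that name-based security checks see the
right name.  Added example, not code from CWE or any product.

    file.txt              unnamed data stream (normal contents)
    file.txt::$DATA       the same unnamed stream, spelled explicitly
    file.txt:evil         alternate data stream "evil" (type $DATA)
    file.txt:evil:$DATA   the same, spelled explicitly
"""
import re
from dataclasses import dataclass

_DRIVE = re.compile(r"^[A-Za-z]:")


@dataclass(frozen=True)
class NtfsName:
    base: str         # path with any stream specifier removed
    stream: str       # "" for the unnamed (default) data stream
    stream_type: str  # "$DATA" unless the name says otherwise


def _split_dir(path: str):
    """Return (directory prefix including separator, final component)."""
    cut = max(path.rfind("\\"), path.rfind("/")) + 1
    head, last = path[:cut], path[cut:]
    # Drive-relative name such as "C:file.txt": "C:" is the drive, as on
    # Windows, not file "C" with stream "file.txt".
    if not head and _DRIVE.match(last):
        head, last = last[:2], last[2:]
    return head, last


def parse_ntfs_name(path: str) -> NtfsName:
    head, last = _split_dir(path)
    dirs = head[2:] if _DRIVE.match(head) else head
    if ":" in dirs:
        raise ValueError("stream specifier on a directory component: %r" % path)
    parts = last.split(":")
    if len(parts) > 3:
        raise ValueError("malformed stream specifier: %r" % path)
    base = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2] if len(parts) > 2 else "$DATA"
    if not stype.startswith("$") or len(stype) < 2:
        raise ValueError("stream type must begin with '$': %r" % path)
    # Assumption: stream types compare case-insensitively; normalise.
    return NtfsName(head + base, stream, stype.upper())


def is_valid_ntfs_name(path: str) -> bool:
    try:
        parse_ntfs_name(path)
        return True
    except ValueError:
        return False


def has_stream_specifier(path: str) -> bool:
    """True if the final component carries any ':' stream syntax, including
    the innocuous-looking '::$DATA' that still names a stream."""
    return ":" in _split_dir(path)[1]


def is_alternate_stream(path: str) -> bool:
    n = parse_ntfs_name(path)
    return n.stream != "" or n.stream_type != "$DATA"


def strip_stream_specifier(path: str) -> str:
    return parse_ntfs_name(path).base


def effective_extension(path: str) -> str:
    """Extension of the underlying file, ignoring any stream specifier.
    A handler lookup keyed on this value treats 'x.asp::$DATA' as '.asp'."""
    name = _split_dir(strip_stream_specifier(path))[1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


if __name__ == "__main__":
    for req in ("default.asp", "default.asp::$DATA", "setup.exe:Zone.Identifier"):
        print(req, "->", parse_ntfs_name(req), effective_extension(req))
```

A web server that maps handlers by extension should call effective_extension() (or simply refuse any request for which has_stream_specifier() is true) before deciding how to serve the file; a quota or size-accounting routine should sum the lengths of every stream returned for the base name rather than the length of the unnamed stream alone.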

CVE References

  • CVE-1999-0278
    • In IIS, remote attackers can obtain source code for ASP files by appending “::$DATA” to the URL.
  • CVE-2000-0927
    • Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.