November 10, 2003

The Dark Side of NTFS (Microsoft's Scarlet Letter)

If you run on a Windows platform you have no doubt heard about NTFS. It is a fast, stable and secure file system that has worked well since the old NT 3.51 days. This morning I read an excellent article on NTFS Alternate Data Streams (ADS) and how they can be used as an attack vector to hide malicious code. This isn't new, but I like how the article describes it.

If you didn't know, an NTFS file can carry more than one data stream: the unnamed stream that every tool treats as "the file", plus any number of named alternate streams. This little trick has been used in the past for indexing files, for storing secondary data, and even for storing security tag information (a very weak approach that was quickly dropped). The article has a good example of how to create a hidden ADS, so I won't bore you with that here. Instead I will comment on its use.

If you write a malicious code segment into an ADS, the presentation layer of the operating system won't show it. Don't believe me? Watch this (cmd.exe syntax):

c:\> echo Alice knows Bob's secret > foo.txt

Ok, so we know it's 28 bytes. Now watch this:

c:\> echo Alice knows Bob's secret > foo2.txt:hidden

That's right, you read that correctly: 0 bytes. The data is on disk, but the file size that dir, Explorer and the usual file APIs report is the length of the unnamed stream only, so the named stream never shows up, and the built-in tools of the day give you no way to list named streams at all (you need something like Sysinternals streams.exe to see them).

Can you see the possibilities here? You can easily hide an attack script in an ADS and execute it arbitrarily later. The article shows a few examples of using the built-in WSH scripting engine (on by default in XP, BTW *shudder*) to do just that. What is worse is that most (read: all but one or two, I believe) anti-virus products in the field do NOT scan ADS for malicious code, which means some meathead will eventually embed their viruses within an alternate data stream. Yippee. :(

Today I placed a "Request for Engineering Change" order in my IPS for a next release (not the version currently in RC1). I think I am going to add checkboxes for "Deny all alternate data stream reads" and "Deny all alternate data stream writes" to prevent my clients from getting nailed by this. When I get back from my trip to Microsoft I will need to test this first and make sure the OS isn't doing some hidden stuff with ADS that might break if I ship this enabled. If it all works out, I will stop this in kernel mode right at the I/O manager. Gotta love ring 0! Fun stuff. Enjoy the article.

Posted by SilverStr at November 10, 2003 08:37 AM
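The demonstration above, together with the check the post says most scanners of the day lacked, as an added example that is not code from the original post or from the article it links to. It is written for PowerShell 3.0 or later on an NTFS volume (the -Stream parameter on Get-Item, Set-Content and Get-Content did not exist in 2003, when the cmd.exe echo redirection was the only built-in way to write a stream). The scratch directory under $env:TEMP, the stream names "hidden" and "run.vbs", and the function name Find-AlternateStreams are my own choices. The allow-list default of Zone.Identifier reflects XP SP2 and later, where Windows itself writes that stream for downloaded files: it is exactly the kind of legitimate OS use that a blanket "deny all ADS writes" rule would have to exempt.

```powershell
# Added example, not code from the original post or the linked article.
# Assumes PowerShell 3.0+ (for -Stream) on an NTFS volume; the paths, stream
# names and function name below are my own choices for a throwaway demo.

# --- Part 1: the demo from the post, in PowerShell rather than cmd.exe ---
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

$secret = "Alice knows Bob's secret"
Set-Content -Path (Join-Path $demo 'foo.txt') -Value $secret
New-Item -ItemType File -Path (Join-Path $demo 'foo2.txt') -Force | Out-Null
# Same bytes, but written to a named stream instead of the unnamed one.
Set-Content -Path (Join-Path $demo 'foo2.txt') -Stream hidden -Value $secret
# A script body in a stream is what the linked article runs through WSH;
# wscript.exe "<file>:run.vbs" executes it straight from the stream.
Set-Content -Path (Join-Path $demo 'foo2.txt') -Stream run.vbs -Value 'WScript.Echo "hello from a stream"'

# What dir/Explorer show: Length is the size of the unnamed stream only,
# so foo2.txt reports 0 even though both payloads are on disk.
Get-ChildItem -Path $demo | Select-Object Name, Length

# What is really there: every stream, unnamed (':$DATA') and named alike.
Get-Item -Path (Join-Path $demo 'foo2.txt') -Stream * |
    Select-Object FileName, Stream, Length

# --- Part 2: the scan the post says most AV engines of the day did not do ---
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Windows (XP SP2 and later) writes Zone.Identifier itself, so a flat
        # "no ADS at all" policy needs an allow-list of legitimate streams.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
          ForEach-Object {
            # First line of the stream, so a script body (WScript.Echo,
            # CreateObject, ...) hiding behind a "text" file stands out.
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                Head   = $head
            }
          }
      }
}

# Report every non-standard stream under the demo directory.
Find-AlternateStreams -Path $demo | Format-Table -AutoSize
```

Point the function at a user profile or a web root instead of $demo to get the inventory a scanner of the period never produced; any hit whose Head looks like script or whose Bytes is large deserves a look, and anything you decide is legitimate goes into the -IgnoreStream list rather than being silently skipped.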
Comments

It's already happening. The latest variant of CoreFlood used ADS with devastating effect. http://bmonday.com/posts/321.aspx

Beau

Posted by: Beau Monday at November 11, 2003 11:10 AM

Interesting post, and blog. I have added you to my aggregator. Today I showed this to some people at Microsoft. Hopefully some good will come of it.

Posted by: SilverStr at November 11, 2003 08:47 PM