Improper Handling of Windows ::DATA Alternate Data StreamID: 69 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software does not properly prevent access to, or detect
usage of, alternate data streams (ADS).
Extended DescriptionAn attacker can use an ADS to hide information about a file (e.g. size,
the name of the process) from a system or file browser tools such as Windows
Explorer and 'dir' at the command line utility. Alternately, the attacker
might be able to bypass intended access restrictions for the associated data
fork.
Applicable PlatformsLanguage Class: AllOperating System Class: Windows
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Access_ControlNon-RepudiationOther | Bypass protection
mechanismHide activitiesOther | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Testing | | Software tools are capable of finding ADSs on your system. | | |
Implementation | | Ensure that the source code correctly parses the filename to read or
write to the correct stream. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-69 ChildOf CWE-904 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-1999-0278 : In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
- CVE-2000-0927 : Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Windows ::DATA alternate data stream | |
References:
- Don Parker .Windows NTFS Alternate Data Streams. 2005-02-16.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Published on 2003.