NTFS Streams

Back in the late 1990s, if you searched the Internet for "NTFS Streams" or any of its aliases, this article would appear on the first results screen. I was one of the first writers to tell people about this security issue with the Microsoft NTFS file system.

by Ed Sawicki

September 1998

The Windows NT NTFS file system has a feature that is not well-documented and is unknown to many NT developers and most users. This feature goes by a few names. It is often called Alternate Data Streams or ADS amongst the folks who discuss this on the NT security mailing lists and newsgroups. It is called Multiple Data Streams on the Microsoft TechNet CD and in Helen Custer's book INSIDE THE WINDOWS NT FILE SYSTEM. It's also been referred to as Named Data Streams and Forked Data Streams. I'll refer to it as ADS or 'streams'.

Note that all files on a NTFS volume consist of at least one stream - the normal, viewable file that data is stored in. When I use the term stream here, I'll be referring to the alternate named stream that is not viewable to ordinary NT tools.

Security-oriented individuals are concerned about ADS because it appears that it can be exploited by attackers for such things as Denial of Service and virus attacks. Network administrators are concerned about ADS because it is a way for users to store data on a NT server that administrators are not aware of and cannot control.

News about ADS began to surface on various Internet mailing lists and newsgroups in June of 1997. At the time, a Microsoft person who defended ADS minimized its significance and compared the security threat that it represents to hidden DOS files (files with the hidden attribute set). Most others see ADS as a much more serious threat.

A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. You can easily create a stream with an ADS-aware application such as Notepad. Click on Start|Run and type:

notepad normal.txt:hidden.txt.

The notepad will appear. Enter any text and save the file. Now look at the directory with My Computer or Windows Explorer. You'll see a file called normal.txt with a zero file length. The reason that the file is zero length is because it really is empty. The text you entered into Notepad was saved to the alternate data stream - the file called hidden.txt.

To make this demonstration a bit more dramatic, create another stream with Notepad but this time paste a large amount of data into Notepad. I did this by loading a 2 MB binary file into Notepad and copying the contents to the Clipboard. I then pasted the Clipboard into the ADS file. You can clearly see that 2 MB of disk space is consumed though you can't see the file using this disk space.

Tom Daniels, a researcher at the COAST Laboratory of Purdue University, was kind enough to supply me with simple C++ code that demonstrates how easy it is to work with streams. Working with streams is just as simple as working with normal files. The bad news is that users, virus writers and attackers will find that exploiting ADS is simple. The good news is that manufacturers of virus scanners and security-oriented software will also find it easy to retrofit their products with ADS capability.

Currently, NT is supplied with no tools that can be used by an administrator to get a listing of all the hidden streams on a volume or measure the disk space they consume. A user can easily create streams that the administrator is not aware of. The fact that many NT developers are unaware of ADS and administrators have no way to view ADS creates the following problems and, perhaps, others.

What uses streams?

Microsoft uses streams for Macintosh support. A file stored on a native Macintosh file system consists of both a data fork and a resource fork. The data fork is the part that stores the user's data while the resource fork stores information about the file such as what application was used to create the file. The resource fork allows the Macintosh to always launch the correct application when you select a data file whereas Windows can only do this based on the file's extension.

NT's Macintosh support stores the resource fork portion of files in a NTFS hidden stream. The data fork portion of the file is stored as a normal, visible file. Other than Microsoft's Macintosh support, I'm unaware of other applications that make use of ADS though I'm confident that some do.

Disk Quota products

Since NT 4.0 has no disk quota feature, we must rely on third-party products to restrict user disk space. These disk quota products do not detect ADS and, therefore, cannot restrict disk space consumed by ADS files. Users can use ADS files to get around disk space quotas. NTP Software, makers of Quota Manager for Windows NT, do not support ADS because of the complexity of implementing it and have not had customer requests for it.

Virus scanners

Many vendors of virus scanning products are also unaware of ADS or are just now learning about it. Intel, for example, was unaware of ADS when asked about their support for ADS in their virus scanner product. Intel speculated that a virus-infected stream would still be caught by their virus scanner since it scans every write to disk. Virus scanners that do scheduled or manually-initiated scans and are not ADS-aware would not catch a virus-infected ADS since it is not visible to their scanners.

Symantec folks are aware of ADS and say they can update their Norton AntiVirus product quickly to scan streams for viruses. The product does not do this now because, they say, no known viruses use streams. Data Fellows also says that scanning streams for viruses is irrelevant because no known streams-based viruses have been discovered yet. However, they claim their Gatekeeper program from their F-Secure Anti-Virus for Windows product will catch a virus-infected stream that attempts to launch.

Disk defraggers

Disk defragmentation programs, such as the Diskeeper product from Executive Software, will not defragment the hidden streams. If streams are present on your NTFS volume, you won't be able to completely defragment your volume. This will be a problem if the streams are large and the amount of disk space consumed by streams is large. The performance of your NTFS volumes may suffer considerably because of this.

Macintosh resource forks tend to be small and the fragmentation caused by them may not be too significant. Still, it's best to give Macintosh users their own NTFS volume to minimize the impact of this fragmentation.

Denial of Service attacks

It would be a simple matter for an attacker to conduct a denial of service attack based on ADS. In fact, such an attack has already been demonstrated. One such program continues to create alternate data streams until the disk fills. At that point, the NT operating system crashes. Note that consuming all the disk space of a NTFS volume will produce the same effect regardless of whether normal files or streams are used points out Mikko Hypponen - Manager of Anti-Virus Research for Data Fellows. The difference is with streams the administrator would likely not be able to identify the reason for the failure.

Microsoft IIS

The Microsoft IIS product has a ADS-based weakness. Every file on a NTFS volume consists of at least one stream - the default data stream called :$DATA. IIS considers .ASP files to be scripts that must be executed rather than sent to the user. However, if you access a ASP file by specifying its default stream name, IIS will send you the contents of the file rather than executing the script. Here's an example of how to do this:

https://www.microsoft.com/default.asp::$DATA.

This can be a security concern if the ASP file contains information that will help an attacker compromise your web site.

How to detect streams

March Information Systems in the United Kingdom offers a free downloadable program that will list the names and file sizes of streams. Note that this program could take quite a while to run because it must examine every file on a NTFS volume searching for streams.

Use FAT instead?

Note that streams don't exist on NT's FAT-based volumes. One suggestion put to me was to use FAT partitions rather than NTFS partitions. There are tradeoffs between NTFS and FAT. You should consider these tradeoffs carefully before taking this course of action. At the time that this article was written, Microsoft had just released an ADS patch to solve the IIS problem. Other problems described in this article remain.

Linux?

Linux has no mechanism that is equivalent to NTFS streams nor does it have any mechanism that allows files to be hidden from the administrator.