Re: Alert: ASP vulnerability with Alternate Data Streams
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Alert: ASP vulnerability with Alternate Data Streams
- From: "Bill Potvin, II" <bpotvin@MERXSOFT.COM>
- Date: Thu, 2 Jul 1998 12:12:19 -0400
- In-Reply-To: <199807021448.KAA13251@mx01.erols.com>
- Reply-To: "Bill Potvin, II" <bpotvin@MERXSOFT.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

<< The only "pre-defined" stream available on any file is the ::$INFORMATION_SECURITY stream. >>

*IF* you are talking about File Records in the Mft, then in my experience this is incorrect. It appears that all *non-extension* records will always have:

$STANDARD_INFORMATION
$FILE_NAME
$SECURITY_DESCRIPTOR (I assume this is the stream you named)

They may also always have a $DATA attribute, albeit empty. But, I'd have to go scan again to be sure.

"Extension" Records appear to only contain the attributes that wouldn't fit in the base record. If a base record has too many attributes to fit on the record, then an $ATTRIBUTE_LIST will be created, whose data contains a list of *all* the attributes on the file along with the record number containing them.

An extension record can be identified by the presence of a "BaseRecordNumber" value in the record header, in addition to the fact that it doesn't have $STANDARD_INFORMATION, $FILE_NAME or $SECURITY_DESCRIPTOR attributes.

Of course, this is Ntfs Version 1, too. I've been too busy to get into Version 2, but I know that there are some differences.

regards,
bill.
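
Added example, not part of the original message: a minimal Python walker for one MFT FILE record that lists its attributes and uses the base-record reference in the header to tell base records from extension records, as the message describes. The header offsets (first attribute at 0x14, base-record reference at 0x20) follow the commonly documented NTFS on-disk layout; `parse_file_record` and `build_record` are hypothetical names, the sample records are constructed, and update-sequence fixups are assumed to have been applied already.

```python
import struct

# Attribute type codes of the attributes named in the message.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
              0x30: "$FILE_NAME", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA"}
BASE_ONLY = {"$STANDARD_INFORMATION", "$FILE_NAME", "$SECURITY_DESCRIPTOR"}
END_MARKER = 0xFFFFFFFF

def parse_file_record(rec: bytes) -> dict:
    """Walk one MFT FILE record and classify it as base or extension."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    (first_attr,) = struct.unpack_from("<H", rec, 0x14)  # offset of first attribute
    (base_ref,) = struct.unpack_from("<Q", rec, 0x20)    # reference to base record
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if alen < 16 or off + alen > len(rec):
            raise ValueError(f"corrupt attribute length at offset {off:#x}")
        attrs.append(ATTR_NAMES.get(atype, f"type {atype:#x}"))
        off += alen
    # Test the whole reference, not just the record number: an extension of
    # record 0 ($MFT) normally still has a non-zero sequence number in the top 16 bits.
    is_ext = base_ref != 0
    present = BASE_ONLY & set(attrs)
    return {
        "extension": is_ext,
        "base_record": base_ref & 0xFFFFFFFFFFFF if is_ext else None,
        "attributes": attrs,
        # Does the record match the message's observation about which attributes live where?
        "consistent": not present if is_ext else present == BASE_ONLY,
    }

def build_record(attr_types, base_ref=0) -> bytes:
    """Constructed sample: 1 KiB record whose attributes are 24-byte stubs."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x30)
    struct.pack_into("<Q", rec, 0x20, base_ref)
    off = 0x30
    for t in attr_types:
        struct.pack_into("<II", rec, off, t, 24)
        off += 24
    struct.pack_into("<I", rec, off, END_MARKER)
    return bytes(rec)

if __name__ == "__main__":
    print(parse_file_record(build_record([0x10, 0x30, 0x50, 0x80])))
    print(parse_file_record(build_record([0x80], base_ref=(5 << 48) | 1234)))
```

A record flagged `"consistent": False` is one that departs from the pattern the message reports for NTFS version 1, which makes it a candidate for closer inspection rather than proof of corruption.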