Re: Alert: ASP vulnerability with Alternate Data Streams


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Alert: ASP vulnerability with Alternate Data Streams
  • From: "Bill Potvin, II" <bpotvinMERXSOFT.COM>
  • Date: Thu, 2 Jul 1998 12:12:19 -0400
  • In-Reply-To: <199807021448.KAA13251mx01.erols.com>
  • Reply-To: "Bill Potvin, II" <bpotvinMERXSOFT.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

<<
The only "pre-defined" stream available on any file is the
::$INFORMATION_SECURITY stream.
>>

*IF* you are talking about File Records in the Mft, then in my experience
this is incorrect. It appears that all *non-extension* records will always
have:

$STANDARD_INFORMATION
$FILE_NAME
$SECURITY_DESCRIPTOR (I assume this is the stream you named)

They may also always have a $DATA attribute, albeit empty. But, I'd have to
go scan again to be sure.

"Extension" Records appear to only contain the attributes that wouldn't fit
in the base record. If a base record has too many attributes to fit on the
record, then an $ATTRIBUTE_LIST will be created, whose data contains a list
of *all* the attributes on the file along with the record number containing
them. An extension record can be identified by the presence of a
"BaseRecordNumber" value in the record header, in addition to the fact that
it doesn't have $STANDARD_INFORMATION, $FILE_NAME or $SECURITY_DESCRIPTOR
attributes.

Of course, this is Ntfs Version 1, too. I've been too busy to get into
Version 2, but I know that there are some differences.

regards,
bill.
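
The base/extension distinction described in the message above, as an added example that is not part of the original post: a minimal Python walk of an MFT FILE record that applies both of the tests the post names. The header offsets (first attribute at 20, base record reference at 32) and the attribute type codes are the commonly documented NTFS on-disk values; the sample records are constructed and `build_record` is a hypothetical helper.

```python
import struct

# Attribute type codes for the names used in the post.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
              0x30: "$FILE_NAME", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA"}
BASE_ONLY = {"$STANDARD_INFORMATION", "$FILE_NAME", "$SECURITY_DESCRIPTOR"}
END_MARKER = 0xFFFFFFFF

def parse_record(rec: bytes) -> dict:
    """Read the base-record reference and the attribute types of one record.
    Update-sequence fixups are not applied: the constructed samples are shorter
    than one sector. A record read from disk needs them applied first."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr, = struct.unpack_from("<H", rec, 20)
    base_ref, = struct.unpack_from("<Q", rec, 32)
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == END_MARKER:
            break
        if a_len < 8 or off + a_len > len(rec):
            raise ValueError("corrupt attribute length at offset %d" % off)
        attrs.append(ATTR_NAMES.get(a_type, hex(a_type)))
        off += a_len
    return {"extension": base_ref != 0,               # header test from the post
            "base_record": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits of reference
            "attributes": attrs}

def consistent(info: dict) -> bool:
    """Cross-check: an extension record carries none of the base-only attributes."""
    has_base_attrs = bool(BASE_ONLY & set(info["attributes"]))
    return has_base_attrs != info["extension"]

def build_record(base_record: int, attr_types: list) -> bytes:
    """Constructed sample: 48-byte header, then empty 24-byte attribute headers."""
    hdr = bytearray(48)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 20, 48)           # offset of first attribute
    struct.pack_into("<Q", hdr, 32, base_record)  # zero in a base record
    body = b"".join(struct.pack("<II", t, 24) + bytes(16) for t in attr_types)
    return bytes(hdr) + body + struct.pack("<II", END_MARKER, 0)

# Constructed: a base record holding an $ATTRIBUTE_LIST, and an extension of record 37.
BASE = build_record(0, [0x10, 0x20, 0x30, 0x50])
EXT = build_record(37, [0x80, 0x80])

if __name__ == "__main__":
    for name, rec in (("base", BASE), ("extension", EXT)):
        info = parse_record(rec)
        print(name, info, "consistent:", consistent(info))
```

A record that fails `consistent` (a non-zero base reference together with $STANDARD_INFORMATION, or neither) is worth a closer look when triaging a damaged or tampered MFT.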