Creating a secret web site on IIS 5.x using Alternative Data Streams
** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **
Using a little-known feature of the Windows NT file system (NTFS), one can
create a secret website. This website cannot be detected without third-party
tools made specifically for it.
Confirmed Applications
Microsoft® Internet Information Server® V5.x and probably earlier versions.
Confirmed Platforms
Should work with all NT-based Windows versions as long as the file system is
NTFS and not FAT. Does not work on Vista Beta 1 with IIS 6.
Technical Description
An NTFS file can contain a number of alternative data streams that bypass the
regular directory listing. The data in an alternative data stream does not even
count when the number of free bytes left on the disk is calculated.
Proof of Concept
1. Start a console on the NT system in question and change directory to the web
   root (usually c:\inetpub\wwwroot\).
2. In the example we will use the help.gif file that is already in the
   directory, but you can use any file. Type "dir" and take note of the number
   of free bytes left on the disk.
3. Type "echo This is a hidden data stream > help.gif:hidden". We have now
   created a hidden data stream called "hidden". The name of the stream can be
   anything as long as you avoid some special characters.
4. Type "dir" again. Notice that even though we added data to the file in an
   alternative data stream, the number of free bytes left on the disk is
   unchanged.
5. Open your web browser and type in "http://localhost/help.gif". You should
   see the little icon just as it was before we added the alternative data
   stream.
6. Now type in "http://localhost/help.gif:hidden" and you will see the data in
   the alternative data stream "hidden", that is, the text "This is a hidden
   data stream". In the example I have used text as data, but one could easily
   use binary data too.
If you want to read alternative data streams from the console, in our example
you would use "more < help.gif:hidden"
If the Virtual Folder in question allows for execution, then we can also hide
an executable file in help.gif and remotely execute it later:
1. Type "type c:\WINDOWS\NOTEPAD.EXE > help.gif:notepad.exe".
2. Open a web browser on a remote computer and type in
   "http://myremoteserver/help.gif:notepad.exe". The browser hangs because the
   executable does not end.
3. Go back to your web server, open Task Manager and select to show processes
   from all users on the Processes tab. You will see a process called
   "help.gif:notepad.exe" running. In this manner one could hide a trojan or
   backdoor inside any file as long as it resides in a Virtual Folder that
   allows for execution.
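Detection example (added here, not part of the original advisory): the requests in the proof of concept all carry a colon in the last path segment, so they can be found in the web server log. The sketch assumes IIS W3C extended logging with a "#Fields:" header that includes cs-uri-stem; the log lines, addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-01 10:00:01 192.0.2.10 GET /help.gif - 200
2005-01-01 10:00:05 192.0.2.10 GET /help.gif:hidden - 200
2005-01-01 10:00:09 192.0.2.11 GET /help.gif%3Anotepad.exe - 200
2005-01-01 10:00:12 192.0.2.12 GET /default.asp::$DATA - 404
2005-01-01 10:00:15 192.0.2.12 GET /docs/readme.htm id=a:b 200
"""

def stream_name(uri_stem):
    """Return the stream part of a stem like /help.gif:hidden, else None."""
    # Decode first so an encoded colon (%3A) is caught as well.
    last_segment = unquote(uri_stem).rsplit("/", 1)[-1]
    if ":" not in last_segment:
        return None
    return last_segment.split(":", 1)[1]

def find_stream_requests(log_text):
    """Yield one dict per request whose path addresses an NTFS stream."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        stream = stream_name(stem)  # the query string is deliberately ignored
        if stream is not None:
            yield {"client": row.get("c-ip"), "stem": stem,
                   "stream": stream, "status": row.get("sc-status")}

if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the server returned content for the stream, so the file named before the colon is the one to inspect on disk.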
Links
http://lists.gpick.com/pages/NTFS_Alternate_Data_Streams.htm