[plug] [OT] Security problems with NTFS
Chris Caston
caston at arach.net.au
Thu Oct 23 19:43:14 WST 2003
I saw a mate of mine playing around with this "feature" several months
ago. It's interesting but I couldn't for the life of me think of a
practical application. Perhaps it could be used to hide executable code
on a compromised system but you would still need some level of access to
execute it again.
Or possibly someone could write a virus that hides most of itself in an
alternative data stream. That one is probably more likely.
regards,
Chris Caston
On Thu, 2003-10-23 at 19:26, Stephen Boak wrote:
> This may be old hat to those of you who follow security closely, but
> it came as a surprise to me so I will pass it on. Even if it does not
> affect you personally, I expect some of you manage corporate users
> with NTFS filesystems who like their security to actually work :)
>
> http://www.seifried.org/security/advisories/kssa-003.html
>
> <quote>
>
> In the NTFS file system a facility exists to bind additional data to
> a file or directory, called an alternate data stream [url1][url2].
> These alternate data streams cannot be removed, unless the parent
> file or directory is destroyed. Unfortunately most file wiping
> utilities only deal with the primary data stream and do not wipe the
> alternate data streams, thus leaving data intact.
>
> </quote>
>
> I know this is OT on this list, but they do mention using Linux to
> search the affected drive to demonstrate the problem :)
>
> Steve
>
>
> _______________________________________________
> plug mailing list
> plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
>
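
Added example, not part of the original thread or the quoted advisory: a minimal Python sketch of how a forensic check can spot alternate data streams by walking the attributes of a single NTFS MFT FILE record and reporting every named $DATA attribute. The sample record is constructed for illustration, and the helper names are hypothetical.

```python
import struct

DATA_ATTR = 0x80         # $DATA attribute type code
END_MARKER = 0xFFFFFFFF  # terminates a record's attribute list

def named_data_streams(record: bytes):
    """List (name, resident_data_or_None) for every named $DATA attribute."""
    # Simplification: update-sequence fixups are not applied here.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # first attribute offset
    found = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER:
            break
        if alen < 24 or off + alen > len(record):
            raise ValueError("corrupt attribute length")
        non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA_ATTR and name_len:  # the unnamed $DATA is the primary stream
            start = off + name_off
            name = record[start:start + 2 * name_len].decode("utf-16-le")
            data = None  # non-resident: contents live in clusters outside the record
            if not non_res:
                vlen, voff = struct.unpack_from("<IH", record, off + 16)
                data = record[off + voff:off + voff + vlen]
            found.append((name, data))
        off += alen
    return found

def _resident_attr(atype, name, value):
    """Build one resident attribute (constructed sample data)."""
    n = name.encode("utf-16-le")
    voff = (24 + len(n) + 7) & ~7
    total = (voff + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, total, 0, len(name), 24, 0, 0,
                      len(value), voff, 0)
    return (hdr + n).ljust(voff, b"\0") + value.ljust(total - voff, b"\0")

def sample_record():
    """Constructed record: zeroed primary stream plus a named stream 'notes'."""
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    body = (_resident_attr(DATA_ATTR, "", b"\0" * 8)
            + _resident_attr(DATA_ATTR, "notes", b"still here")
            + struct.pack("<I", END_MARKER))
    return bytes(hdr + body).ljust(1024, b"\0")
```

The constructed record models a file whose primary stream has been overwritten with zeros while the named stream still holds its data.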