# Alternate Data Stream

## Alternate Data Stream

**The NTFS file system includes support for alternate data streams.** This is not a well known feature and was included, primarily, to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this **default data stream** is called `:$DATA`.

Windows Explorer doesn't provide a way of seing what alternate data streams are in a file (or a way to remove them without deleting the file) but they can be created and accessed easily. Because they are difficult to find they are often used by hackers to hide files on machines that they’ve compromised (perhaps files for a rootkit). Executables in alternate data streams can be executed from the command line but they will not show up in Windows Explorer (or the Console). Reference Example 1 for information on creating and accessing alternate data streams.

Since the `:$DATA` alternate stream exists for every file it can be an alternate way to access any file. Reference Example 2 for information on accessing the `:$DATA` alternate data stream in a text file. Any application that creates files or looks at or depends on the end of the file name (or the extension) should be aware of the possibility of these alternate data streams. If unsanitized user input is used to create or reference a file name an attacker could use the `:$DATA` stream to change the behavior of the software. A well-known vulnerability of this nature existed in older versions of IIS. When IIS saw a request for a file with an ASP extension it sent the ASP file to the application associated with the extension. This application would run the server-side code in the ASP file and generate the HTML response for the request. Due to a flaw in the extension parsing of these versions of IIS, `filename.asp::$DATA` did not match the extension and since there was no application registered for the `asp::$DATA` extension, the asp source code was returned to the attacker.

## Examples

### Example 1 - Creating Alternate Data Streams <a href="#example-1---creating-alternate-data-streams" id="example-1---creating-alternate-data-streams"></a>

* `C:\> type C:\windows\system32\notepad.exe > c:\windows\system32\calc.exe:notepad.exe`
* `C:\> start c:\windows\system32\calc.exe:notepad.exe`

### Example 2 - Accessing the `:$DATA` Alternate Data Stream <a href="#example-2---accessing-the-data-alternate-data-stream" id="example-2---accessing-the-data-alternate-data-stream"></a>

* `test.txt` and `test.txt::$DATA` point to the same file:

![st.txt and test.txt::$DATA](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVjG_njKgBtvmnKaJh%2Fuploads%2FsqBVLNPNADID1xlRsHNM%2Fimage.png?alt=media\&token=e33639f5-a8d1-4071-a353-d3b09d65fcf6)

### Example 3 - Exploiting the ASP Alternate Data Stream Show Code Vulnerability <a href="#example-3---exploiting-the-asp-alternate-data-stream-show-code-vulnerability" id="example-3---exploiting-the-asp-alternate-data-stream-show-code-vulnerability"></a>

Normal access:

* `http://www.alternate-data-streams.com/default.asp`

Show code bypass accessing the `:$DATA` alternate data stream:

* `http://www.alternate-data-streams.com/default.asp::$DATA`

In the vulnerable versions, IIS parsed the extension of this file as `asp::$DATA`, not ASP. As such the application associated with the ASP extension was not invoked and the ASP source code was viewable by the attacker.