Michael Schramm posted about another way to do image filter bypassing using alternate file streams on NTFS file systems. Pretty cool stuff (thinking outside the box of what a file really means on different systems). Here’s his English translation:
It’s all about the alternate file streams (ADS) in the NTFS file system (it’s a “feature”), you probably have heard of them. With ADS, it’s possible to insert additional data streams into a file besides its basic contents. For example you could insert ads.txt into the file foobar.txt with “type ads.txt>foobar.txt:somedescriptor”. A user won’t recognize that there is additional data in this file (even if the ADS contains several gigabytes), the file foobar.txt will still appear with its original size and contents in the file system. But anyway, this is not really essential for understanding what I’ve found out, I think you can inform yourself about ADS if you want.
Every file in an NTFS volume has at least one data stream, this is the stream named “:$DATA” containing the contents of the file itself. For example if you want to create a file “foo.txt” you could do so with “echo something>C:\foo.txt”. Okay, this isn’t really something new so far, but let’s give it a try with “echo something>C:\foo.txt::$DATA”. This will have the same effect as the command before: A file “foo.txt” will be created at C:\ containing the string “something”.
We now know that it’s possible to create “.txt”-files on the file system without really using the file extension “.txt”. Most web apps are validating uploaded files by their file extension because almost everything else is fakeable.
Due to the fact that programming languages/scripting languages are simply calling the APIs of the underlying OS, I thought it should be possible to pass a file with “::$DATA” attached to its name to a PHP upload script (PHP is just an example, it could also be ASP or something). I checked this out with the “filemanager” in the current release of fck-editor (gna, I’ve tried to exploit it damn often in the past - without success).
Fck-editor has a config file containing a blacklist with denied file extensions, of course “.php” is included. And in fact, I was able to bypass this check of denied file extensions! I passed the filename “foobar.php::$DATA” and it was saved as “foobar.php” without any problems!
This is only an example, but it should be possible to get this working in many other web apps too. As I mentioned, it only works on web servers running under Windows (yes, not only IIS - Apache too!). The need for NTFS should not really be a problem, because almost _all_ servers running Windows are using NTFS.
I’d love to hear any anecdotes where this actually works. I’m curious if anyone else can replicate this sort of thing. Pretty slick, and similar in some ways to injecting null bytes to bypass exact string match. Nice work, Michael!
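To make the failure mode concrete, here is an added Python example (not code from Michael’s post or from FCKeditor) contrasting a blacklist that looks only at the text after the last dot with a check that first reduces the name to what NTFS will actually write. The denied and allowed extension sets are constructed for illustration; the null-byte case is included because it fails the naive check for the same reason.

```python
import posixpath

# Constructed blacklist in the spirit of the denied-extension list the post
# describes; FCKeditor's real configuration is not reproduced here.
DENIED_EXTENSIONS = {".php", ".php3", ".asp", ".aspx", ".exe"}
# Assumed allowlist used by the hardened variant.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}


def naive_extension_check(filename: str) -> bool:
    """Blacklist check that trusts whatever follows the last dot.
    'foobar.php::$DATA' yields the extension '.php::$DATA', which is not on
    the list, so the upload is accepted."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext not in DENIED_EXTENSIONS


def normalize_ntfs_name(filename: str) -> str:
    """Return the base file name NTFS will use on disk.
    Both 'foobar.php::$DATA' and 'foobar.txt:somedescriptor' address the
    file named before the first colon; the rest is a stream designator."""
    base = posixpath.basename(filename.replace("\\", "/"))
    return base.split(":", 1)[0]


def hardened_extension_check(filename: str) -> bool:
    """Accept only a bare file name whose extension is on the allowlist."""
    base = normalize_ntfs_name(filename)
    if base != filename or "\x00" in filename:
        # Stream designator, path component or NUL byte present: reject.
        return False
    dot = base.rfind(".")
    if dot <= 0:
        return False
    return base[dot:].lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ("foobar.php::$DATA", "foobar.php", "photo.jpg::$DATA", "photo.jpg"):
        print(f"{name!r:24} naive={naive_extension_check(name)!s:5} "
              f"hardened={hardened_extension_check(name)}")
```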