Security problems with downloaded .NET assemblies

Have two copies of the same file, identical bit for bit, yet one works and the other fails with a security error? Yeah, that can happen.

In this post, I will discuss two features of Windows that may not be familiar to you. First, files in the NTFS file system can have hidden content. Second, Windows uses exactly that feature to remember things you didn’t expect it to.

First stop: NTFS Alternate Data Streams (ADS)

While you’re used to referring to the contents of a file by its path, that’s not the whole truth. The path really refers to the default stream of the file. Additional streams can be accessed by appending a colon and a stream name: C:\foo.txt:bar. (The full form is C:\foo.txt:bar:$DATA, where $DATA is the stream type; the default stream is simply the one with an empty name.)

What’s in a stream? Whatever you put there. However, that’s tricky, as most tools don’t really support alternate streams. The cmd.exe’s redirection operators do, though:

D:\temp>echo "This is hidden content" >foo.txt:bar

Now we actually do have a file, but its size is set to 0 – because dir only shows the size of the default stream.

 Directory of D:\temp

10.12.2009  19:16                 0 foo.txt

Open it in notepad, use the type command on it, whatever – it’s empty. But look at it through the redirection operator and the more command:

D:\temp>more <foo.txt:bar
  "This is hidden content"

If you really need to discover these streams, get your hands on the SysInternals streams tool, which prints out the embedded streams just nicely (and can also be used to delete them with the -d switch, if you want). Since Windows Vista, dir /R lists alternate streams as well, though it can’t remove them.
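The same round trip in PowerShell, as an added example that is not part of the original post: it relies on the -Stream parameter that the FileSystem provider gained in PowerShell 3.0 (Windows 8 / Windows Server 2012, or Windows Management Framework 3.0 on Windows 7), so it would not have worked with the stock tooling of 2009. The D:\temp location is an assumption.

```powershell
# Added example (not from the original post). Demonstrates creating, listing, reading and
# deleting an NTFS alternate data stream with PowerShell 3.0+ -Stream support.
# D:\temp is assumed to exist on an NTFS volume.
Set-Location D:\temp

# Create a file with an empty default stream, then write the hidden content into a stream named "bar".
New-Item -Path foo.txt -ItemType File -Force | Out-Null
Set-Content -Path foo.txt -Stream bar -Value 'This is hidden content'

# Length reports only the default stream, so the file still looks empty, exactly like dir does.
(Get-Item -Path foo.txt).Length

# Enumerating the streams shows the default stream (":$DATA") and "bar" side by side with their sizes.
Get-Item -Path foo.txt -Stream * | Select-Object Stream, Length

# Read the hidden stream back; this is the PowerShell equivalent of "more <foo.txt:bar".
Get-Content -Path foo.txt -Stream bar

# Delete only the alternate stream. The file and its default stream are untouched.
Remove-Item -Path foo.txt -Stream bar
Get-Item -Path foo.txt -Stream * | Select-Object Stream, Length
```

Note that Get-Content -Stream and Get-Item -Stream fail with an error on FAT volumes, which is the same property the post later exploits to strip streams by copying files through a USB drive.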

An ADS application: The Attachment Manager

Download a file from the Internet and ponder, how Windows can know it came from the net. Yep, you bet: Alternate Streams. Since Windows XP SP 2, files downloaded from different security zones have been flagged as such. This flag is stored in an alternate stream called Zone.Identifier.

D:\temp>streams test.exe

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

D:\temp\test.exe:
   :Zone.Identifier:$DATA       26

D:\temp>more <test.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3

The ZoneId of 3 indicates Internet zone.

And yeah, the functionality depends on the client you use. The file, as hosted on the internet, has no innate notion of “a zone” – it’s tagged when the file is saved after downloading.

Internet Explorer does the tagging, as does Firefox 3. Other browsers won’t, some email clients might. Therefore, you could well end up with files whose default streams are bitwise equal but which run under different permission sets.

The most visible effect of the zone tag is the unverified publisher dialog (“The publisher could not be verified. Are you sure you want to run this software?”) when running an exe.

By now, you probably want to get rid of that “came from the internet” tag. There are three basic approaches to this:

  1. Windows even has UI support for this. Open the properties for a file that has the zone identifier applied, and you’ll see an “Unblock” button. Click that, and the Zone.Identifier stream is history. This, however, isn’t exactly pleasant for lots of files.
  2. Use a utility. The already mentioned streams.exe works fine (streams -d deletes the streams), but there are specific apps like ZoneStripper too.
  3. Copy the files over to a FAT file system, which doesn’t support NTFS ADS, and then back again; a USB drive is usually the best option. Be aware that this strips every alternate stream the files carry, not just Zone.Identifier.
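Putting the Zone.Identifier format above and the three unblocking approaches together, here is an added example that is not part of the original post: a PowerShell script that walks a directory, reports every file carrying a Zone.Identifier stream and the zone it came from, and optionally removes the tag with Unblock-File (PowerShell 3.0+, which does the same thing as the “Unblock” button but for a whole tree). The default root D:\temp and the -Unblock switch are this example’s own assumptions; the ZoneId-to-name table is the URLZONE enumeration from urlmon.h.

```powershell
# Added example (not from the original post). Audits a directory tree for files tagged
# by the Attachment Manager and optionally unblocks them. Requires PowerShell 3.0+ for
# Get-ChildItem -File, Get-Content -Stream and Unblock-File.
param(
    [string]$Root = 'D:\temp',   # assumed default; pass your solution folder instead
    [switch]$Unblock             # remove the Zone.Identifier streams after reporting
)

# URLZONE values as written into ZoneId= by the Attachment Manager (urlmon.h).
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
    # Most files have no such stream, and for them Get-Content reports an error we don't care about.
    $lines = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return }

    # The stream is a tiny INI file: a [ZoneTransfer] header followed by ZoneId=<n>.
    # Newer Windows versions may also record ReferrerUrl= and HostUrl=; keep whatever is present.
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $id = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { -1 }

    [pscustomobject]@{
        Path   = $_.FullName
        ZoneId = $id
        Zone   = if ($ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { "Unknown ($id)" }
        Source = $fields['HostUrl']   # $null on systems that only write ZoneId
    }

    # Unblock-File deletes the Zone.Identifier stream; the default stream is not modified,
    # so the file stays bitwise identical to the blocked copy apart from the tag.
    if ($Unblock) { Unblock-File -Path $_.FullName }
}
```

Run it read-only first to see what is tagged (for a downloaded solution, expect the .sln, .csproj and source files to show ZoneId 3), then rerun with -Unblock once you’re happy with the list.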

So what’s this got to do with .NET?

It really has nothing to do with .NET per se: the Attachment Manager is designed to protect Windows users from all types of files, not just .NET files. But there are two corollaries that specifically affect .NET applications.

First, Visual Studio dislikes opening projects from locations the .NET runtime doesn’t fully trust. If you’ve ever received an error dialog that starts with “The project location is not fully trusted by the .NET runtime”, you’ve seen this. Unblock the solution, project and source files using any of the previous methods.

Second, Code Access Security may limit what your code can do. An assembly loaded from an Internet-zoned file gets the Internet zone’s permission set rather than full trust, so if you suddenly find your code unable to write to files or the registry and getting SecurityExceptions instead, check where the assembly came from. Note that this can also bite you indirectly: deploy an Internet-zoned DLL into an otherwise working application, and you may encounter some truly surprising error messages.

Also, thanks fly out to my colleague LenardG for debugging a related issue a few weeks ago.

December 10, 2009 · Jouni Heikniemi · 3 Comments
Posted in: Windows IT

3 Responses

  1. Rytmis - December 10, 2009

    A curious feature of the properties dialog, from which the aforementioned full trust can be granted, is that it won't work if you move the file somewhere else first — at least it didn't on Vista SP1. I wrote about this early this year in http://blog.rytmis.net/2009/01/putty-vista-and-annoying-security.html

  2. Jouni Heikniemi - December 11, 2009

    Yeah, I've heard that one too. It doesn't happen on Windows 7 anymore, so yet another good reason for you to upgrade :-)
