Full Disclosure mailing list archives

Re: Windows covert channel

From: Karl DeBisschop <kdebisschop () alert infoplease com>
Date: Sun, 19 Oct 2003 22:23:37 -0400

On Sun, 2003-10-19 at 19:04, James Kelly wrote:

I seem to remember in the dim reaches of my memory a covert channel in 
the Windows file system where you could paste one file at the end of 
another without it being detectible when you edited the orginal file.


can someone aim me at the right "buzz phrase" that describes this so I 
can Google it further?


Many people have mentioned data streams. But since you said 'end of
file' I wonder if you are referring to the DOS idea that ^Z is an end of
file marker, and many apps won't look beyond it.

For instance, given a file like:

====start====
1
2
3
4
5

6
7
8
9
====end====

the command 'type test.txt' provides:

====start====
1
2
3
4
5
====end====

If that is indeed what you are thinking of, it only applies to text
files, not to binary files.

-- 
Karl DeBisschop <kdebisschop () alert infoplease com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Windows covert channel James Kelly (Oct 19)
- Re: Windows covert channel 8tImER (Oct 19)
  - Re: Windows covert channel jazper (Oct 19)
  - Re: Windows covert channel Jeremiah Cornelius (Oct 19)
- Re: Windows covert channel jazper (Oct 19)
  - RE: [inbox] Re: Windows covert channel Curt Purdy (Oct 20)
- RE: Windows covert channel Joe (Oct 19)
- Re: Windows covert channel madsaxon (Oct 19)
- RE: Windows covert channel Bojan Zdrnja (Oct 19)
- Re: Windows covert channel KF (Oct 19)
- Re: Windows covert channel Karl DeBisschop (Oct 19)
  - Re: Windows covert channel Kain (Oct 19)
- <Possible follow-ups>
- Windows covert channel Wally Eaton (Oct 21)
  - Re: Windows covert channel Rainer Gerhards (Oct 21)