0

As far as I understand it, reparse points can be added to any file (not talking about symbolic links, but adding them to the ADS of existing files).

Wouldn’t it then be possible to create an image.jpg that has a reparse point to cmd.exe? Or am I mistaken in what reparse points are?

Giacomo1968
  • 58,727

2 Answers

1

Am I mistaken in what reparse points are?

OK, let's start with an overview of reparse points. When an application opens an NTFS stream that contains a reparse point, the filesystem filter driver associated with the reparse point tag interprets the reparse point data and provides the content for the application to read. For example, if the reparse point is a symlink, the reparse point data contains the path to the target file, and the filesystem filter driver will read the content from the target file and provide it to the application. The application doesn't need to understand about symlinks or how to process them; that's all handled by the file system. (This is perhaps the most important difference between symlinks and shortcuts.)

Note that a file being a reparse point typically does not change the way the application interprets the data that it is provided. If test.jpg is a symbolic link to cmd.exe, and you take a photo viewer and open test.jpg, it will just read the contents of cmd.exe and try to interpret them as a jpg; this is no different to what would happen if you just made a copy of cmd.exe and renamed it to test.jpg. (An application can also write to a reparse point, and again this is handled by the associated filesystem filter driver.)

Putting the reparse point in an alternative data stream doesn't really change anything. Typically an application like a photo viewer would ignore the alternative data stream entirely.

I understand that, but what happens if you create a reparse point with the tag of a Symlink, then add it to a jpg file and point it to cmd.exe? Wouldn't Windows treat the jpg file as a symlink then and instead of opening the jpg, open cmd.exe?

If you forget about using an alternate data stream and just create a test.jpg that is a shortcut to cmd.exe, then yes. This is because Windows Explorer breaks the rules: it explicitly checks to see if a file is a symlink, and if it is, it treats it as if it were a shortcut. You can do this experiment yourself; open an elevated cmd.exe window and type

cd \
mklink test.jpg c:\windows\system32\cmd.exe
start .

This will open an Explorer window at the root of the C drive that will show you the test file; if you double-click it, a command window will open.

Is this a serious security vulnerability? Probably not; the attacker would still have to place the file (more difficult for a reparse point than an ordinary file, since it can't just be downloaded) and convince the victim to open it, and Explorer shows the file with a shortcut icon and a file type of .symlink. On the whole I don't think this is any more dangerous than conventional shortcut technology, or just giving the victim an executable with a custom icon to make it look like a harmless file.

So far as I am aware, Explorer only treats symlinks and junction points in this way. For any other type of reparse point Explorer would use the name of the file to determine how to behave, so if the file is called test.jpg then double-clicking it would just open a photo viewer.

I'm not sure how to test the scenario where a symlink is added to an existing file as an alternative data stream. My best guess is that Explorer would ignore the alternative data stream; so again, double-clicking the file would do nothing but open the photo viewer.

Harry Johnston
  • 5,914
  • 8
  • 34
  • 58
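
The answer above notes that a symlink's reparse data holds the path to the target and that Explorer follows symlinks and junctions on double-click. As an added example (not code from either answer), this Python sketch parses the documented `REPARSE_DATA_BUFFER` layout for those two tags and flags a link whose name has a non-executable extension while its target is an executable; the helper names, extension list and sample buffer are constructed for illustration.

```python
import ntpath
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junction / mounted folder
IO_REPARSE_TAG_SYMLINK = 0xA000000C
# Assumption: extensions treated as "runs when opened"; extend per site policy.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}

def parse_link_target(buf: bytes):
    """Return (tag, substitute_name, print_name); names are None for other tags."""
    if len(buf) < 8:
        raise ValueError("truncated reparse header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if len(data) < data_len:
        raise ValueError("ReparseDataLength exceeds buffer")
    # Symlink data has a 4-byte Flags field that junction data lacks.
    fixed = {IO_REPARSE_TAG_SYMLINK: 12, IO_REPARSE_TAG_MOUNT_POINT: 8}.get(tag)
    if fixed is None:
        return tag, None, None  # only the owning filter driver understands it
    if len(data) < fixed:
        raise ValueError("truncated link header")
    s_off, s_len, p_off, p_len = struct.unpack_from("<4H", data, 0)
    path_buf = data[fixed:]
    def name(off, length):
        # Offsets and lengths are in bytes, relative to PathBuffer.
        if off + length > len(path_buf):
            raise ValueError("name lies outside PathBuffer")
        return path_buf[off:off + length].decode("utf-16-le")
    return tag, name(s_off, s_len), name(p_off, p_len)

def is_disguised_link(link_name: str, buf: bytes) -> bool:
    """True when a link with a non-executable name resolves to an executable."""
    _tag, substitute, _print = parse_link_target(buf)
    if substitute is None:
        return False
    link_ext = ntpath.splitext(link_name)[1].lower()
    target_ext = ntpath.splitext(substitute)[1].lower()
    return target_ext in EXECUTABLE_EXTS and link_ext not in EXECUTABLE_EXTS

def build_symlink_buffer(substitute: str, printed: str, flags: int = 0) -> bytes:
    """Construct sample symlink reparse data (test input, not captured data)."""
    s, p = substitute.encode("utf-16-le"), printed.encode("utf-16-le")
    body = struct.pack("<4HI", 0, len(s), len(s), len(p), flags) + s + p
    return struct.pack("<IHH", IO_REPARSE_TAG_SYMLINK, len(body), 0) + body

SAMPLE = build_symlink_buffer(r"\??\C:\Windows\System32\cmd.exe",
                              r"C:\Windows\System32\cmd.exe")
```

On a live system the buffer comes from `FSCTL_GET_REPARSE_POINT`, and `fsutil reparsepoint query` shows the same data for a single file.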
-2

Am I mistaken in what reparse points are?

Reparse points can only be used by applications. The data contained in a reparse point requires an application to interpret the data and process the file. In the process of creating the reparse point, a reparse tag must also be defined, which identifies the data it is storing.

A file or directory can contain a reparse point, which is a collection of user-defined data. The format of this data is understood by the application which stores the data, and a file system filter, which you install to interpret the data and process the file.

Would it then be possible to create an image.jpg that has a reparse point to cmd.exe?

The reparse point wouldn't be accessed by just any old Photo application. I also seriously doubt that Windows would even let you set a reparse point, due to the size of an executable.

Reparse Points

As far as I understand it, reparse points can be added to any file (not talking about symbolic links, but adding them to the ADS of existing files)

You should be talking about them, since reparse points are used to create NTFS symbolic links in the first place. They are also used to create mounted directories.

Reparse points are used to implement NTFS file system links; they are also used to implement mounted folders.

junction.exe from SysInternals

Ramhound
  • 44,080