[NT] NTFS and PGP Interact to Expose EFS Encrypted Data

From: support@securiteam.com
Date: 05/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu,  9 May 2002 07:31:48 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  NTFS and PGP Interact to Expose EFS Encrypted Data
------------------------------------------------------------------------

SUMMARY

One of the NTFS features of Windows 2000/XP is its support for an "encrypted"
attribute. PGP 7.0.3 Freeware, a product of Network Associates, supports
wiping files as they are deleted. If you enable file wiping and then set
the "encrypted" attribute on a folder, copies of the folder's contents are
left un-encrypted on the file system.

DETAILS

As explorer works its way through the file system encrypting the
contents, it first renames the source file to a name in the format
"EFSn.TMP", where n is an increasing series of integers starting at 0. It
then encrypts the file into a target file with the same name as the
original. The permissions on the temporary file are set to a very
restrictive level; the temporary file is then deleted. However, if you
have set PGP to wipe deleted files, it appears PGP intercepts the deletion
of the file. PGP, running as the user, has insufficient privilege to
delete the file, and leaves the temporary file in place.

Anyone who recovers the hard drive can take ownership of these temporary
files and read them. In addition, in the default setting, hidden files are
not shown in explorer, so a user may not be aware that the temporary files
exist at all. Any administrator may take ownership of the temporary files
and read the data.

Reproduce:
1) Create a directory "efs-pgp-interaction-bug". Copy a text file into the
directory.
2) Right click on the PGP icon. Set the "Automatically wipe on delete"
flag. Click OK.
3) Right click on the "efs-pgp-interaction-bug" directory in explorer.
Click properties, advanced, and check the "Encrypt contents to secure
data" flag. Click OK, OK.
4) Double click on efs-pgp-interaction-bug. If you have set the "show
hidden files and folders" flag (tools, folder options, view, show hidden
files and folders, OK) you will see the EFSn.TMP files. Attempting to open
the temporary files will result in an error (depending on the application).
Vim reports "[Permission Denied]".
5) Hit the backspace key. Right click on the efs-pgp-interaction-bug
directory. Select sharing and security; select security, advanced. Check
the "replace permission entries on all child objects..." check box and
click OK. Click "Yes", "OK".
6) Re-open efs-pgp-interaction-bug and right click on the temporary file
(EFS0.TMP). Select Open With, Notepad. View your file.
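The temporary files above are easy to miss because they are hidden by default. The following script is an added example (not part of the advisory) that walks a folder, picks out files matching the EFSn.TMP pattern, and reports those that still lack the NTFS encrypted attribute. It assumes Python 3 and reads the attribute bits from os.stat().st_file_attributes, which only NTFS on Windows populates; the demo therefore substitutes a constructed attribute table so the logic can be run anywhere.

```python
import os
import re
import stat
import tempfile

# Names of the temporary files the advisory describes: EFS0.TMP, EFS1.TMP, ...
EFS_TMP_RE = re.compile(r"^EFS\d+\.TMP$", re.IGNORECASE)
# Windows attribute bits, as exposed by os.stat(path).st_file_attributes on NTFS.
ATTR_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN        # 0x0002
ATTR_ENCRYPTED = stat.FILE_ATTRIBUTE_ENCRYPTED  # 0x4000

def windows_attributes(path):
    """Attribute bits of `path`; 0 where the filesystem does not expose them."""
    return getattr(os.stat(path), "st_file_attributes", 0)

def find_efs_residue(root, attrs=windows_attributes):
    """Return (path, hidden) for each EFSn.TMP under `root` that lacks the
    encrypted attribute. `attrs` is injectable so it runs on constructed data."""
    residue = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if EFS_TMP_RE.match(name):
                path = os.path.join(dirpath, name)
                bits = attrs(path)
                if not bits & ATTR_ENCRYPTED:
                    residue.append((path, bool(bits & ATTR_HIDDEN)))
    return residue

def demo():
    """Constructed sample folder; a lookup table stands in for NTFS attributes."""
    root = tempfile.mkdtemp(prefix="efs-pgp-interaction-bug-")
    sample = {
        "notes.txt": ATTR_ENCRYPTED,               # original, re-encrypted in place
        "EFS0.TMP": ATTR_HIDDEN,                   # clear-text leftover, hidden
        "EFS1.TMP": ATTR_HIDDEN | ATTR_ENCRYPTED,  # encrypted, so not a finding
        "EFS2.TMP": 0,                             # clear-text leftover, visible
        "EFSlog.TMP": 0,                           # does not match the pattern
    }
    table = {}
    for name, bits in sample.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        table[path] = bits
    found = find_efs_residue(root, attrs=lambda p: table.get(p, 0))
    return sorted(os.path.basename(p) for p, _hidden in found)

if __name__ == "__main__":
    print(demo())  # ['EFS0.TMP', 'EFS2.TMP']
```

On a real Windows host, call find_efs_residue("D:\\encrypted-folder") with the default attrs; a non-empty result means clear-text copies survived the encryption pass and the volume's free space should be wiped.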

Workaround:
Do not enable PGP's Wipe Deleted Files option if you are using Encrypted
NTFS.

Vendor Response:
This issue has been resolved, and a hot fix for PGP Desktop Security
v7.0.x, PGP Corporate Desktop v7.1.x and PGPfreeware v7.0.x (all for
Windows 2000) is available at
http://www.nai.com/naicommon/download/upgrade/upgrades-patch.asp

Users should be aware that Win2K EFS does NOT wipe the contents of files
that are encrypted according to the steps above. Use the PGP Wipe Free
Space feature to ensure that the clear text has been wiped.

ADDITIONAL INFORMATION

The information has been provided by Ry Jones <rjones@AIRGAP.NET>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.