Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Tue, 23 Jan 2001 20:09:31 -0500

Hi Rickard,
        This is why you should always enable file system encryption in
Windows 2000 at the folder level.  When you turn on the encryption function
on a folder (done in the same manner as a file), any new files created in
that folder are saved directly to disk as ciphertext by the EFS driver
(c:\winnt\system32\drivers\efs.sys (WFP copy kept under the
c:\winnt\system32\dllcache directory)).  No plaintext temp files will be
created.  This is covered in "Inside Windows 2000 Server" (William Boswell
under New Riders Publishing), Chapter 14, Page 950 under the heading
"Avoiding Temporary EFS Files".  BTW-Good book, highly recommended.


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/

-----Original Message-----
From: Rickard Berglind [mailto:Rickard.Berglind () EIKNES SE]
Sent: Friday, January 19, 2001 6:30 AM
Subject: BugTraq: EFS Win 2000 flaw

I have found a major problem with the encrypted filesystem
( EFS ) in Windows 2000 which shows that encrypted files
are still very available for a thief or attacker.

The problem comes from how EFS works when the encryption
is done. When a user marks a file for encryption a
backup-file, called efs0.tmp, will be created. When
the copy is in place the orginal file will be deleted
and then recreated, now encrypted, from the efs0.tmp-
And finally, when the new encrypted file is succesfully
created, the temporary-file ( which will never be shown
in the user interface ) will be deleted as well.

So far, so good. The only file remaining is the one
which is encrypted.

But the flaw is this: the temporary-file is deleted
in the same way any other file is "deleted" - i.e.
the entry in the $mft is marked as empty and the clusters
where the file was stored will be marked in the $Bitmap
as available, but the psysical file and the information it
contains will NOT be deleted. The information in the
file which the user have encrypted will be left in the backup
file efs0.tmp in total plaintext on the surface of the disk.

When new files are added to the partition will they
gradually overwrite the secret information, but if
the encrypted file was large - the information could
be left for months.

So how can this be exploited ?  If someone steals
a laptop or have psysical access to the disk it will
be easy to use any low level disk editor to search
for the information. For example, the Microsoft
Support Tool "dskprobe.exe" works fine for locating
old efs0.tmp-files and read information, in plain-text,
that the user thought was safe.       

In my opinion there should be a function in the EFS
which physically overwrites the efs0.tmp at least once
to make it a lot harder for an attacker to gain control
over secret information.

Here is a description how to test this :

Use any version of Windows 2000.
Install the Support Tools from the Win2000 CD.

For demonstrating purposes - create a new partition with
the size of 7 MB.
Choose to format with NTFS.
Create a new small file ( easier to find ) with Notepad
and put some text in it. Save this file in the root of the
new partition.

Do not encrypt it yet.

Let us look at the file through DiskProbe before encryption-
start Diskprobe from Support Tools on the Start Menu.

A. Choose the "Drives"-menu and "Physical Drive"
   Double click on "physical drive 0" ( or other drive you are using )
   Click "Set active" and then "OK"

B. Choose "Drives" again and this time "Logical Volume"
   Double click the drive letter for your new partition
   and then "Set active" and "OK"

C. Choose the "Sectors"-menu and "Read". For starting number
   type 80 and for the number - 35 perpaps.

Maximize the window and click the arrow for "Next sector".

At sector 86 you should see the name and contents of your
file ( assuming you made a new partition )

The file is obiously in plain text and easy to read for anyone
with physical access to this disk, regardless of permissions
in the ACL, which is ignored when using this kind of utiliy.
Better encrypt this file .. !

Now close the DiskProbe utility and open Explorer and locate
your new file. Choose Properties - Advanced - Encrypted - OK.
The file is now encrypted.

Wait a few moments to be sure the new data has been written
to the disk.
Open Diskprobe again and repeat steps A, B and C.

When reaching sector 86 you should be able to see the name
of your file, but not be able to read the information - it
is now encrypted.

But.. continue to click the Next Sector-Arrow and look carefully
at the information being displayed. A few sectors away from the
orginal file there should be a file called efs0.tmp - which is
the backup file EFS creats during encryption. You should ALSO
be able to see the contents of this efs0.tmp file - which will
be the data from the file you encrypted. The problem is just that
the data is in clear and plain text.
So again - anyone with physical access to this disk can read
the data you thought was safe.

/ Rickard Berglind

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]