Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw
From: Rickard Berglind <Rickard.Berglind () EIKNES SE>
Date: Thu, 25 Jan 2001 16:20:47 +0100

Thor () HammerofGod Com wrote:

Recommended EFS procedures call for the encryption of a direcory, not
file-by-file as the procedure indicated by Berglind suggests.
If you copy an unencrypted file and paste it into an encrypted directory,
the file and the temporary file are both encrypted.


This is in a way true, but unfortunaly not the solution to this
problem.
Many people have suggested that encrypting the folder would solve
the issue, but let us look at some short scenarios.

You have an encrypted folder and you copy a file from somewhere
on your partitions to this folder. Result: no efs0.tmp will be
created and left behind, which might look good.
The reason for this is the efs0.tmp is only a backup file, which
makes the file recoverable if the power should go during encryption,
and is used as the "original" when the encrypted version of the
file is created.
When you copy a file there obviously exists a "original" file
and no efs0.tmp is needed. The problem is when you later deletes
the first file - it will very much exist on the surface of the
disk - readable for anyone with a disk editor.
Result: plain text version remains on disk.

If you move a file to the encrypted folder from the same
partition there is only one file and no original which could
be used as backup file. In this case a efs0.tmp will be created
and left on disk.
Result: plain text version remains on disk.

If you move a file to the encrypted folder from a different
partition no efs0.tmp will be created. The reason for this
is that a move operation between partitions is really a copy
and later a delete of the first file. In this case a original
exist and no efs0.tmp will be created. But the file on the
first partition will be deleted as always - i.e. not removed
from the sectors.
Result: plain text version remains on disk.


The only way to not leave any plain text behind you is to
create an encrypted folder and create every file there -
from the very beginning.
This might be fine, but it also gives the following: any
file which have been located on your hard disk before you
start using EFS could never be safe even after encryption.



regards,
Rickard Berglind


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]