Home page logo

bugtraq logo Bugtraq mailing list archives

EFS Flaw - Tidbit
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Tue, 30 Jan 2001 08:07:45 -0800

After vehemently defending the procedures outlined in the many articles,
KB's, and publications from MS regarding the best practices of EFS use, I
have come across some new information (to me, anyway) which mandates that I
consume a morsel of crow.

After continuing to experiment with different procedures, I found that the
EFS0.TMP file is NOT created in the path set in your TEMP/TMP environment
variable, but rather in the source drive of the newly encrypted file.
AFAIAC, this changes things a bit.  So, even if you did follow the procs to
the letter and encrypt your Temp dir so that all newly created temp files
were also encrypted, you would still leave this guy in plain text by
default.  Granted, they always say to create new files in encrypted dirs,
but given this caveat, I have to agree that the issue carries more weight
than I originally maintained.  Since they don't follow the TMP environmental
variable, the temp file should indeed be wiped, or it should not allow you
to encrypt individual files in the first place.

So, though I still maintain that the exploitability of this issue is remote,
I must acquiesce to Rickard and Dan's statements as being factual.  If the
true location of the temp file was known all along, then I apologize for
dragging this thing out as I did.

Thanks to all.
Attonbitus Deus
Thor () HammerofGod Com

  By Date           By Thread  

Current thread:
  • EFS Flaw - Tidbit Attonbitus Deus (Jan 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]