[39368] in bugtraq
Microsoft Windows NTFS Information Disclosure
daemon@ATHENA.MIT.EDU (Matthew Murphy)
Thu Jun 30 15:08:52 2005
Message-ID: <42C42587.9070100@kc.rr.com>
Date: Thu, 30 Jun 2005 12:01:59 -0500
From: Matthew Murphy <mattmurphy@kc.rr.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
vulnwatch@vulnwatch.org, news@securiteam.com
Microsoft Windows NTFS Information Disclosure
I. Synopsis
Affected Systems:
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Risk: Moderate
Impact: Local Information Leak
Status: Maintenance Release Planned (Uncoordinated release)
Author: Matthew Murphy (mattmurphy@kc.rr.com)
BugTraq ID: 7386
II. Product Description
"The Windows XP Professional operating system is the best choice for
businesses of all sizes. Windows XP Professional integrates the
strengths of Windows 2000 Professional, such as standards-based
security, manageability, and reliability, with the best business
features of Windows 98 and Windows Millennium Edition, such as Plug and
Play, simplified user interface, and innovative support services. This
combination creates the best desktop operating system for business.
Whether your business deploys Windows XP Professional on a single
computer or throughout a worldwide network, this new operating system
increases your computing power while lowering cost of ownership for
desktop computers."
(http://www.microsoft.com/windowsxp/pro/evaluation/features.asp)
"Windows XP Home Edition gives you the freedom to experience more than
you ever thought possible with your computer and the Internet. This is
the operating system home users have been waiting for - because it offers
serious speed and serious stability, so you can have serious fun."
(http://www.microsoft.com/windowsxp/home/evaluation/overviews/default.asp)
III. Vulnerability Description
Among the features of Windows XP is the New Technology File System, or
NTFS. NTFS is designed as a reliable file system: it offers data
encryption and access control, and is journaled to protect disk
consistency in the event of unexpected shutdowns.
However, an apparent error in the NTFS driver's code causes the file
system to incorrectly assign disk blocks to files before they have been
initialized. Following a recovery from a system shutdown, uninitialized
data may be visible in files from previously allocated disk blocks.
Previously, this error condition was believed to be related to system
shutdown timings. BugTraq ID #7386 describes one instance of this bug,
in the case of premature service shutdowns. During more recent testing
for other issues, it was uncovered that a service is NOT required to
observe the behavior identified in the previous advisory.
Instances of private data appearing in files can be tied to drivers,
services, and even typical user-mode applications. Any time the system
is shut down with a file open for writing, the behavior may occur.
Several specific cases were identified, including power/hardware
failures, kernel STOPs (blue screens), and shutdowns initiated with the
Win32 API InitiateSystemShutdown(). The common denominator between these
cases is that open file handles are not closed before the system is
shut down.
Upon reboot, such files may contain data belonging to other users.
Among data observed in lab tests were portions of an Administrator's
purged Internet Explorer cache. In many cases, this data is readable to
users without privileges on the system (such as members of the Users or
Guests groups).
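
Added example (not part of the original advisory, and not a workaround for the driver behavior): an application can detect bytes it never wrote in its own files after an unclean shutdown by framing each record with a length and CRC32 and discarding whatever fails to parse. The framing, function names and sample bytes are assumptions constructed for illustration, as is the premise that the stray data follows the last complete record.

```python
import os
import struct
import tempfile
import zlib

# Assumed framing (not from the advisory): 4-byte length, 4-byte CRC32, payload.
HEADER = struct.Struct("<II")
MAX_RECORD = 1 << 20  # reject implausible lengths read from stray bytes

def frame(payload: bytes) -> bytes:
    """Wrap one record so it can be validated when the file is reopened."""
    return HEADER.pack(len(payload), zlib.crc32(payload)) + payload

def valid_prefix(data: bytes) -> int:
    """Return the offset at which the last intact record ends."""
    offset = 0
    while offset + HEADER.size <= len(data):
        length, crc = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + length
        # length == 0 is rejected: a zero-filled region would otherwise parse
        # as an endless run of valid empty records (CRC32 of b"" is 0).
        if length == 0 or length > MAX_RECORD or end > len(data):
            break
        if zlib.crc32(data[offset + HEADER.size:end]) != crc:
            break
        offset = end
    return offset

def recover(path: str) -> int:
    """Truncate bytes after the last intact record; return how many were cut."""
    with open(path, "r+b") as fh:
        data = fh.read()
        keep = valid_prefix(data)
        fh.truncate(keep)
    return len(data) - keep

def demo():
    """Constructed case: two good records followed by bytes the app never wrote."""
    good = frame(b"user=alice action=login") + frame(b"user=alice action=logout")
    stray = b"STALE-CACHE-FRAGMENT " * 3  # constructed stand-in for foreign data
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(good + stray)
        return recover(path), os.path.getsize(path) == len(good)
    finally:
        os.remove(path)
```

Truncation only keeps the application from processing or re-serving bytes it did not write; it does not stop other local users from reading the file before recovery runs.
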
IV. Impact
Local unprivileged users may gain access to confidential information
that is stored on affected systems. This may allow access to unrelated
services such as web accounts, or further compromise of the affected
system's host network.
V. Workarounds
None known. Mission-critical systems should be protected from logins by
untrusted users, according to industry-standard best practices.
VI. Vendor Response
The Microsoft Security Response Center was notified by e-mail when this
issue was originally discovered more than two years ago. MSRC was
contacted again with updated information on the specific details of the
flaw, in an attempt to assist a lab reproduction and a possible fix.
MSRC chose to handle the incident as a "non-security issue", and
directed the Windows product team to issue a Service Pack fix.
Citing the supposed difficulty of producing the behavior documented in
this advisory, MSRC concluded that a security update to address the
issue was not "justified". Further, it was indicated to me that the
MSRC would "not be driving" the release timeline for any fix.
I usually refrain from commenting on vendors' patch policies, but the
history of such maintenance releases from Redmond paints a disturbing
picture. Most likely, we can expect Microsoft to release this as an
undocumented fix, or to delay as it did with the "Web Folder View" issue
(reported on May 18, 2002, finally fixed in Windows XP Service Pack 2).
In spite of repeated requests for a shorter, specific update timeframe
(such as a PSS hotfix), MSRC refused to issue an unscheduled update of
any kind.
Comparing Microsoft's response with the treatment of comparable,
less-severe vulnerabilities in Linux drivers for ext3, et al. (which
required reading of the raw device) offers a telling indication of
Microsoft's continued lip service to maintaining the security of its
software, even after the "security overhaul" of Windows XP Service Pack 2.
VII. Contact
The author can be reached via e-mail at mattmurphy@kc.rr.com, or on AOL
Instant Messenger screen name "NetAddict4109".