[18720] in bugtraq
Re: BugTraq: EFS Win 2000 flaw
daemon@ATHENA.MIT.EDU (Alexander Ivanchev)
Mon Jan 22 17:50:03 2001
Message-ID: <HMECJFFOAFOAGOPBEHPPIEBJCBAA.ai@bulinfo.net>
Date: Sat, 20 Jan 2001 02:11:02 +0100
Reply-To: Alexander Ivanchev <ai@BULINFO.NET>
From: Alexander Ivanchev <ai@BULINFO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <sa683354.024@eiknes.se>
Hello.
Correct me if I'm wrong, but the use of programs that utilize direct disk
access (such as DiskProbe) is restricted to the Local Administrator
account (as per
http://www.microsoft.com/windows2000/guide/professional/solutions/management.asp).
If a would-be attacker has this kind of access, he automatically
has sufficient power (due to the existence of the recovery agent
certificate, unless the computer is part of a domain (but that's another
story)) to decrypt any locally stored file.
Nevertheless, good work. This particular behavior of handling .tmp files by
the EFS code shows some poor design on Microsoft's part.
Regards,
Alexander
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
Rickard Berglind
Sent: Friday, January 19, 2001 12:30
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: BugTraq: EFS Win 2000 flaw
I have found a major problem with the encrypted filesystem
(EFS) in Windows 2000 which shows that encrypted files
are still very available for a thief or attacker.
<snip>