Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw

From: Rickard Berglind <Rickard.Berglind () EIKNES SE>
Date: Thu, 25 Jan 2001 16:20:47 +0100

Thor () HammerofGod Com wrote:

Recommended EFS procedures call for the encryption of a direcory, not
file-by-file as the procedure indicated by Berglind suggests.
If you copy an unencrypted file and paste it into an encrypted directory,
the file and the temporary file are both encrypted.



This is in a way true, but unfortunaly not the solution to this
problem.
Many people have suggested that encrypting the folder would solve
the issue, but let us look at some short scenarios.

You have an encrypted folder and you copy a file from somewhere
on your partitions to this folder. Result: no efs0.tmp will be
created and left behind, which might look good.
The reason for this is the efs0.tmp is only a backup file, which
makes the file recoverable if the power should go during encryption,
and is used as the "original" when the encrypted version of the
file is created.
When you copy a file there obviously exists a "original" file
and no efs0.tmp is needed. The problem is when you later deletes
the first file - it will very much exist on the surface of the
disk - readable for anyone with a disk editor.
Result: plain text version remains on disk.

If you move a file to the encrypted folder from the same
partition there is only one file and no original which could
be used as backup file. In this case a efs0.tmp will be created
and left on disk.
Result: plain text version remains on disk.

If you move a file to the encrypted folder from a different
partition no efs0.tmp will be created. The reason for this
is that a move operation between partitions is really a copy
and later a delete of the first file. In this case a original
exist and no efs0.tmp will be created. But the file on the
first partition will be deleted as always - i.e. not removed
from the sectors.
Result: plain text version remains on disk.


The only way to not leave any plain text behind you is to
create an encrypted folder and create every file there -
from the very beginning.
This might be fine, but it also gives the following: any
file which have been located on your hard disk before you
start using EFS could never be safe even after encryption.



regards,
Rickard Berglind

Current thread:

Re: BugTraq: EFS Win 2000 flaw, (continued)
- - - Re: BugTraq: EFS Win 2000 flaw Kirk Corey (Jan 25)
    - Re: BugTraq: EFS Win 2000 flaw Attonbitus Deus (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Bryce Walter (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Russ (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Fulmer, John (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Grubin, Ben (Jan 24)
- Re: BugTraq: EFS Win 2000 flaw Abe Getchell (Jan 24)
- Re: BugTraq: EFS Win 2000 flaw John Wiltshire (Jan 24)
  - Re: BugTraq: EFS Win 2000 flaw Ryan Russell (Jan 24)
- Re: BugTraq: EFS Win 2000 flaw Ben Greenbaum (Jan 24)
- Re: BugTraq: EFS Win 2000 flaw Rickard Berglind (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Rickard Berglind (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Rickard Berglind (Jan 26)