SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   BCWipe Vendors:   Jetico
BCWipe Disk Wiping Utility Fails to Erase Alternate Data Streams from NTFS Drives
SecurityTracker Alert ID:  1003301
SecurityTracker URL:  http://securitytracker.com/id/1003301
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 21 2002
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.x, 2.x
Description:   A vulnerability was reported in Jetico's BCWipe disk wiping utility. A local user with access to an NTFS disk drive may be able to recover certain data from the drive after the drive has been wiped.

It is reported that BCWipe does not remove data from an alternate data stream attached to a file or directory.

For example, if a user enables the viewing of thumbnails of a picture via Windows Explorer, the thumbnail may not be removed when wiped.

A demonstration exploit method is described in the Source Message.

Impact:   A local user with access to the NTFS drive may be able to access information that should have been deleted by the wiping utility.
Solution:   The vendor has reportedly confirmed the flaw and planned to issue a fix in version 3, targeted for April 2002 release.

The author of the report has provided the following workarounds:

"The first workaround is to avoid using alternate data streams to store sensitive information. Unless you have explicitly created alternate data streams it is unlikely that they exist. However to check for alternate data streams several free tools exist, one of the best of which is LADS [http://www.heysoft.de/nt/ep-lads.htm] from Frank Hayne Software (heysoft.de). Simply download lads.zip and unpack it, then run it from your root drives (e.g. C:\, D:\) and it should find and report any and all alternate data streams present. Because alternate data streams cannot be deleted tools to detect them are quite effective, once found you should securely delete the files and proceed to the next workaround, wiping free space, in order to ensure the alternate data streams are deleted.

The second workaround is to immediately use the "wipe free space" feature present in most secure file deletion utilities. Since the parent file or directory that the alternate data streams were attached to have been deleted the data in the alternate data streams is now in "free space" on the harddrive, thus using "wipe free space" will overwrite it. The downside of this workaround of course is that wiping all the free space on a hard disk can take quite some time, especially on a modern disk that may have several tends of gigabytes of free space to wipe. One note on this: wiping free space may not be possible or effective on network shares using NTFS, it is recommended to encrypt truly sensitive data on NTFS network file systems.

A third workaround is to encrypt sensitive data, Windows 2000 offers encrypted file system, or you can use programs such as PGP's PGPDisk [http://www.pgp.com/products/desktop-privacy.asp] or Jetico's BestCrypt [http://www.jetico.com/index.htm#/products.htm]. It is recommended to use encrypted disk partitions rather then encrypting single files, encrypted disk partitions are much easier to work with, type in a password and you have access, when you are done you do not need to worry about encrypting the file, as the data is kept in an encrypted state on the hard drive. Additionally temporary files stored in the same directory (such as opened word files) will also be kept in an encrypted state, reducing the need for you to wipe free space."

Vendor URL:  www.bcwipe.com/bcwipe.htm (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] KSSA-003 - Multiple windows file wiping utilities do not properly wipe data with NTFS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Seifried Security Advisory 003 (KSSA-003)
http://www.seifried.org/security/advisories/kssa-003.html,
kurt@seifried.org

Title:
Multiple windows file wiping utilities do not properly wipe data with NTFS
file systems.

Issue date:
Jan 21, 2002

Who should read this advisory:
Anyone using file wiping utilities such as PGP Wipe (from NAI), BCWipe
(from
Jetico) or East-Tec Eraser (from East-Tec) on a Windows system with an NTFS
file system, such as Windows NT, Windows 2000 or Windows XP especially with
features such as thumbnail pictures in explorer. This advisory affects
virtually every Windows file wiping utility, none of the tested programs
were found to be problem free.

Author and contact info:
This advisory is copyright 2002, Kurt Seifried, kurt@seifried.org,
http://www.seifried.org/

Overview:
In the NTFS file system a facility exists to bind additional data to a file
or directory, called an alternate data stream [url1][url2]. These alternate
data streams cannot be be removed, unless the parent file or directory is
destroyed. Unfortunately most file wiping utilities only deal with the
primary data stream and do not wipe the alternate data streams, thus
leaving
data intact.

Affected software:
It is important to note that every single software package tested failed to
erase single or multiple data streams (Eraser 5.3 erased multiple data
streams in, however missed alternate data streams when only one was present
in a file). Based on this I find it unlikely that any other secure deletion
programs implement alternate data stream wiping properly, all secure
deletion programs for Windows should be treated as suspect until proven
innocent. If you are using secure deletion software please check
immediately
for files with alternate data streams, and after deleting them you are
strongly advised to wipe all free space.

BCWipe version 1.x and 2.x from Jetico - Confirmed in testing and from
vendor. http://www.bcwipe.com/
Eraser 5.3 - Confirmed in testing and from vendor.
http://www.tolvanen.com/eraser/
SecureClean v3 build-2.0 - Confirmed in testing and from vendor.
http://www.accessdata.com/main_deleted_data.htm
East-Tec Eraser 2000 - Confirmed in testing.
http://www.east-tec.com/eraser/index.htm
PGP 6.x freeware and commercial, 7.x, freeware and commercial - Confirmed
in
testing. http://www.pgp.com/, http://www.pgpi.org/
Numerous other packages are suspected to be vulnerable, it is strongly
advised to use the workarounds listed below.

Impact:
If data is stored in an alternate data stream attached to a file (such as
the thumbnail of an image) or directory when this file or directory is
wiped
the information contained within the alternate data stream will be left
intact on the harddrive. No warning is given to the user at all by Windows
or the wiping programs. For example if you use windows file explorer (the
default file browser in Windows) and have thumbnails of pictures enabled
(the default setting) then the thumbnail of the thumbnail image, once
created (i.e. once the directory is viewed in Explorer) will not be deleted
until you delete the file and wipe all free space. Alternate data streams
also provide an ideal location to keep attack tools, snippets of virus code
and so forth for attackers and viruses, in fact some virus scanners do not
scan alternate data streams unless specifically configured to do so (often
labeled as "scan all files" or similar).

The good news is that floppy disks and most other removable media are not
formatted as NTFS, thus it is unlikely that copied files will contain the
alternate data streams. As well no all compression programs, such as WinZip
copy the alternate data streams, while others such as WinRAR do copy the
alternate data streams. While it is unlikely that files with alternate data
streams will have made it to other systems with their alternate data
streams
intact it is possible, and any systems that have had sensitive data copied
or moved to them should immediately have their free space wiped in order to
ensure alternate data streams containing sensitive information are still
present.

Details:
Create a file with an alternate data stream:

echo "this is a text file" > C:\file.txt
echo "this is the alternate data stream lkajhkl2" >
C:\file.txt:alternate-data-stream

If you use forensics software to examine the harddrive you will find the
string of text "this is the alternate data stream lkajhkl2" present on the
drive.
Now using the file wiper of your choice (BCWipe, etc.) choose the file
C:\file.txt and wipe it. Use any many passes as you want.
Now examine the drive for the string "this is the alternate data stream
lkajhkl2". You should be able to find it. To do this using Linux simply
create an image file of the drive and examine it using grep or strings:

dd if=/dev/hdb1 of=windows-disk.img
grep "this is the alternate data stream lkajhkl2" windows-disk.img
or
strings windows-disk.img > windows-disk.strings
grep "this is the alternate data stream lkajhkl2" windows-disk.strings

As you will quickly discover the data is easily found.

Alternate data streams are only available on NTFS file systems, making home
users with older systems (Windows95, Windows98, WindowsME) immune to this
problem, but newer systems based on WindowsXP are capable of using NTFS,
thus potentially exposing customers to risk. NTFS is also available on most
corporate systems such as WindowsNT, Windows2000 and WindowsXP.
Another "feature" of alternate data streams is that they cannot be deleted.
If you have an alternate data stream attached to a file you cannot delete
it, you can write other data to the stream, however you cannot reliably
delete it. To overwrite an alternate data stream simply place more data
into
it, for example:

echo "this will overwrite existing data in the stream" >
C:\file.txt:alternate-data-stream
or
type notepad.exe > C:\file.txt:alternate-data-stream ***

Solutions and workarounds:
Several workarounds exist, and several vendors are in the process of
updating software so as to fix the problem.

The first workaround is to avoid using alternate data streams to store
sensitive information. Unless you have explicitly created alternate data
streams it is unlikely that they exist. However to check for alternate data
streams several free tools exist, one of the best of which is LADS [url3]
from Frank Hayne Software (heysoft.de). Simply download lads.zip and unpack
it, then run it from your root drives (e.g. C:\, D:\) and it should find
and
report any and all alternate data streams present. Because alternate data
streams cannot be deleted tools to detect them are quite effective, once
found you should securely delete the files and proceed to the next
workaround, wiping free space, in order to ensure the alternate data
streams
are deleted.

The second workaround is to immediately use the "wipe free space" feature
present in most secure file deletion utilities. Since the parent file or
directory that the alternate data streams were attached to have been
deleted
the data in the alternate data streams is now in "free space" on the
harddrive, thus using "wipe free space" will overwrite it. The downside of
this workaround of course is that wiping all the free space on a hard disk
can take quite some time, especially on a modern disk that may have several
tends of gigabytes of free space to wipe. One note on this: wiping free
space may not be possible or effective on network shares using NTFS, it is
recommended to encrypt truly sensitive data on NTFS network file systems.

A third workaround is to encrypt sensitive data, Windows 2000 offers
encrypted file system, or you can use programs such as PGP's PGPDisk [url4]
or Jetico's BestCrypt [url5]. It is recommended to use encrypted disk
partitions rather then encrypting single files, encrypted disk partitions
are much easier to work with, type in a password and you have access, when
you are done you do not need to worry about encrypting the file, as the
data
is kept in an encrypted state on the hard drive. Additionally temporary
files stored in the same directory (such as opened word files) will also be
kept in an encrypted state, reducing the need for you to wipe free space.

Several vendors have announced new versions in light of this, see below for
more information:

BCWipe 1.x and 2.x
"We confirm importance of the problem of wiping alternate data stream in
files, created on NTFS disks. We would thank Mr. Seifried for writing us
about the problem and are going to solve it in the next version 3 of
BCWipe,
which is planned to be released at April, 2002."

SecureClean
"We will be covering all those issues in the next release. We plan to be
shipping the product in February. The new release will be posted at
www.accessdata.com. The current SecureClean does not handle alternate data
streams or the thumbnails. That is coming in February."

East-Tec Eraser 2000
"EAST Technologies has acknowledged the possible problem concerning the
wiping of the alternate data streams that may appear on NTFS disk drives
and
it will analyze this problem in the security product that it develops and
the way this may compromise the user's personal security and privacy. EAST
Technologies will also inform all its users and customers and in case it
would be necessary, it will develop a fix."


Additional information:
Check your anti-virus software, several packages do not scan alternate data
streams by default, it is recommended you enable scanning of all files and
confirm by placing the eicar.com [url6] in an alternate data stream of a
file and scanning to test. Backup programs should also be checked, attach
an
alternate data stream to a file, delete and then restore it, check for the
alternate data stream. You can remove an alternate data stream either by
copying the parent file onto non NTFS media or backing it up with a program
that does not save the alternate data stream, or by using the "rm" utility
present in MKS Software's "MKS Toolkit 8.0". An op-ed piece on this problem
will be appearing at SearchSecurity [url7] later this week.

References:
[url1]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechn
ol/winxppro/reskit/prkc_fil_xurt.asp - Multiple data streams
[url2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q286797 -
Windows File Protection and Alternative Data Streams (Q286797)
[url3] http://www.heysoft.de/nt/ep-lads.htm - List alternate data streams.
[url4] http://www.pgp.com/products/desktop-privacy.asp - PGP's Desktop
privacy (includes encrypted drive software PGPDisk)
[url5] http://www.jetico.com/index.htm#/products.htm - Jetico's BestCrypt
[url6] http://www.eicar.org/anti_virus_test_file.htm - Eicar.com test file
(for testing anti virus software).
[url7] http://searchsecurity.com/ - Op-Ed piece on this to appear later
this
week.

Other acknowledgements / thanks / greetings / information:
dd, grep and strings
CanSecWest - http://www.cansecwest.com/ - See you there

URL for advisory, signature and keys:
http://www.seifried.org/security/advisories/kssa-003.html
http://www.seifried.org/security/advisories/kssa-003.html.asc
http://www.seifried.org/security/keys/

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

mQGiBDsNcxcRBAD987JAFctBIHhuUNm5tqQgYi/CsFsx1afNI6QyHhbqPxJMF2Vs
D5dymEKSNd8QSAP4GNTk9MwswwxXHuXIYJolp+U2HhD/UhQsp37WiEODMB+NX8Xc
Xe5+BOUEUxaGo/du64tawslmiNw2KJDonKWaUSQBtp5ek1eQ0plTQbJ1DQCg//m4
wrYgtDl4iWdMk/76C4zbc/MD/ibshluW0pnWSDUxf00LrbMd3xAfQDPd9ACruY7z
pXdbdSJctpGMgzjbC0B97uqJINmB2Uu9h62bK+eKb+eIlM+zJEth0r6PCrhr+Kj4
EpQWiiujVU8ijNbHVM9SqT2vcS9i2o2ZCjrf2bQDdI7jt1c88+DdaCvRW79BiN4P
GsyCBADy8uewbArfRQl/erB6XeyVz2KDRvi5mNzM0xEWTtNkEV43pyHxXNtLzuD8
91GCHxsSL9f5JWEpcyiIiUhXNFdM3nZiGE/6/xfnKflDT7bsOdKXHXCvW1yN9aDx
QoRhJhlc3mnZMyLx/xz4M6wXVj8ddOBtwgBmlFtdZjyiDHwNJLQpS3VydCBNLiBT
ZWlmcmllZCAgPHNlaWZyaWVkQHNlaWZyaWVkLm9yZz6JAFQEEBECABQFAjsNcxcF
CRAw7AAECwMCAQIZAQAKCRCtYwtOrVbldApoAJ9ZRUlW8cycj3/XlTVtQNx405GZ
QgCg5zt7jGJ3v7FQguJgQloBGY1MACiJAEYEEBECAAYFAjsNcz8ACgkQ+7U3Ee+D
x4wO6gCgnbSwZFOOiTPoYjLxu446qfvzAAoAni6CROE7jtzqZMdHJbEqDFXcreEn
iQEcBBABAQAGBQI7DXNLAAoJECnUkEFIZQ2xALsH/13KyASmkFvyYCsj4hzD+UOV
DMZ/3Vi8/dXqL2NpSdGbvaASNVRyGG4huJBBSh9ccjXo11IbAfOvICfjbUQmIb3w
O/5mRQCiFIsakuPZWKhne5I9yVjL3ob78c4i2EvqSJ6VPFuqIrEdVCeMNU8DvjDw
k8FkjF5osPoKdk2CndEnrLOXMz04Qyv6DB4O1qcmhEyVc842dqPd/eOnNGUA7qN7
axp4AiZRNRyf4/XbRt+KQzS0tItQy9LcNfQiIr2B0nYo4t+edyQbQSPBiuESYTzm
TZhz0J3zxl4Tkea1GlTBxuJ6ulOFofZtDyAWABncZ9oEWgPADl15a+SCUNGvct+J
AEYEEBECAAYFAjsNdHYACgkQUWd9bj7NcwaN6QCeIYLdy4G3XlFebtHiXSHc/K1/
Iw4AoNrGLQWSHat8rs74/uE8ojtzh79htCFLdXJ0IFNlaWZyaWVkIDxrdXJ0QHNl
aWZyaWVkLm9yZz6JAEYEEBECAAYFAjuUYccACgkQrWMLTq1W5XRAugCfQyMVlXPs
D7lYKvhYg08mv6U7AZcAn0feW5KeOLrmSCWKaHlNUsVHX3opuQINBDsNcxgQCAD2
Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz0AfGy0OplK33
TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBh
znzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmsz
bDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1
Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9
iUsiGSa6q6Jew1XpMgs7AAICCAD1mLQv5THh1JfuQEN26KbdRXWtw5tJ2LiXri17
G1BGS4pz7CVgNIhmKxhm9xvTD7Yb0xI2RoA5yre04xG77OQ47k0IjawSHdfr+PBZ
8C7O03QS17vKHthrpKayKENOUqWKOK3jGd2fx50EgKMnt5o+n1szEuhwvmxh1lOp
iV4l4EMc2QykM1W/weTgCmTvBVABfgm0OQoNswdkrKPyyY16Li2IBI9ebqo6Vnz8
NWiZ2Hzta0cKvuGak/mmNkLsZFXQ3oH/J6ubRb9LskqJ4o7SwUaCAHR1sjlq5LS/
JNVjwkG18Q+Jrr4X6NncRK1eCuHm8yD5dbvHPZi0VnltXHwsiQBMBBgRAgAMBQI7
DXMYBQkQMOwAAAoJEK1jC06tVuV0vHwAmwTOfoVT5RJqaluoEvXy7qpRjmzUAKCw
4DM73//OxJSRLTwVO5IVtq/WIQ==
=azr0
- -----END PGP PUBLIC KEY BLOCK-----

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only
if, the bulletin is not edited or changed in any way, is attributed to Kurt
Seifried kurt@seifried.org, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Kurt Seifried
kurt@seifried.org is not liable for any misuse of this information by any
third party.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPEuH161jC06tVuV0EQJdaACg3i2aFcK4Rt6E9Ou9NNlt0sHJmxsAoM6b
n4zlM+40Y8Em5NTqwQ+7r+yn
=aYjp
-----END PGP SIGNATURE-----




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC