An error in Microsoft Windows NTFS driver code causes the file system to incorrectly assign disk blocks to files before they have been initialized. Following a recovery from a system shutdown, uninitialized data may be visible in files from previously allocated disk blocks.
19a6813bec80b15a790ba4bf91503c452214f0dd11e222e2104658130b26d1f5
Microsoft Windows NTFS Information Disclosure
I. Synopsis
Affected Systems:
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Risk: Moderate
Impact: Local Information Leak
Status: Maintenance Release Planned (Uncoordinated release)
Author: Matthew Murphy (mattmurphy@kc.rr.com)
BugTraq ID: 7386
II. Product Description
"The Windows XP Professional operating system is the best choice for
businesses of all sizes. Windows XP Professional integrates the
strengths of Windows 2000 Professional, such as standards-based
security, manageability, and reliability, with the best business
features of Windows 98 and Windows Millennium Edition, such as Plug and
Play, simplified user interface, and innovative support services. This
combination creates the best desktop operating system for business.
Whether your business deploys Windows XP Professional on a single
computer or throughout a worldwide network, this new operating system
increases your computing power while lowering cost of ownership for
desktop computers."
(https://www.microsoft.com/windowsxp/pro/evaluation/features.asp)
"Windows XP Home Edition gives you the freedom to experience more than
you ever thought possible with your computer and the Internet. This is
the operating system home users have been waiting for-because it offers
serious speed and serious stability, so you can have serious fun."
(https://www.microsoft.com/windowsxp/home/evaluation/overviews/default.asp)
III. Vulnerability Description
Among the features of Windows XP is the New Technology File System, or
NTFS. NTFS is designed as a reliable file system: it offers data
encryption, access control, and is journaled to protect disk consistency
in the event of unexpected shutdowns.
However, an apparent error in the NTFS driver's code causes the file
system to incorrectly assign disk blocks to files before they have been
initialized. Following a recovery from a system shutdown, uninitialized
data may be visible in files from previously allocated disk blocks.
Previously, this error condition was believed to be related to system
shutdown timings. BugTraq ID #7386 describes one instance of this bug,
in the case of premature service shutdowns. During more recent testing
for other issues, it was uncovered that a service is NOT required to
observe the behavior identified in the previous advisory.
The incidences of private data appearing in files can be tied to
drivers, services, even typical user-mode applications. Any time the
system is shut down with a file open for writing, the behavior may
occur. There were several specific cases identified, including
power/hardware failures, kernel STOPs (blue screens), or shutdowns
initiated with the Win32 API InitiateSystemShutdown(). The common
denominator between these cases is that open file handles are not closed
before the system is shutdown.
Upon reboot, such files may contain data belonging to other users.
Among data observed in lab tests were portions of an Administrator's
purged Internet Explorer cache. In many cases, this data is readable to
users without privileges on the system (such as members of the Users or
Guests groups).
IV. Impact
Local unprivileged users may gain access to confidential information
that is stored on affected systems. This may allow access to unrelated
services such as web accounts, or further compromise of the affected
system's host network.
V. Workarounds
None known. Mission-critical systems should be protected from logins by
untrusted users, according to industry-standard best practices.
VI. Vendor Response
The Microsoft Security Response Center was notified by e-mail when this
issue was originally discovered more than two years ago. MSRC was
contacted again with updated information on the specific details of the
flaw, in an attempt to assist a lab reproduction and a possible fix.
MSRC chose to handle the incident as a "non-security issue", and
directed the Windows product team to issue a Service Pack fix.
Citing the supposed difficulty of producing the behavior documented in
this advisory, MSRC concluded that a security update to address the
issue was not "justified". Further, it was indicated to me that the
MSRC would "not be driving" the release timeline for any fix.
I usually refrain from commenting on vendors' patch policies, but the
history of such maintenance releases from Redmond paints a disturbing
picture. Most likely, we can expect Microsoft to release this as an
undocumented fix, or to delay as it did with the "Web Folder View" issue
(reported on May 18, 2002, finally fixed in Windows XP Service Pack 2).
In spite of repeated requests for a shorter, specific update timeframe
(such as a PSS hotfix), MSRC refused to issue an unscheduled update of
any kind.
Comparing Microsoft's response with the treatment of comparable,
less-severe vulnerabilities in Linux drivers for ext3, et al (which
required reading of the raw device) offers a telling indication of
Microsoft's continued lip service to maintaining the security of its
software, even after the "security overhaul" of Windows XP Service Pack 2.
VII. Contact
The author can be reached via e-mail at mattmurphy@kc.rr.com, or on AOL
Instant Messenger screen name "NetAddict4109".