lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <555A3F03.5000702@korelogic.com>
Date: Mon, 18 May 2015 14:35:31 -0500
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery

Title: Piriform CCleaner Wiped Filename Recovery
Advisory ID: KL-001-2015-002
Publication Date: 2015.05.18
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-002.txt


1. Vulnerability Details

     Affected Vendor: Piriform
     Affected Product: CCleaner
     Affected Version: 3.26.0.1988 - 5.02.5101
     Platform: Microsoft Windows 7 x64 Service Pack 1
     CWE Classification: CWE-200: Information Exposure
     Impact: Information Exposure
     Attack vector: Local
     CVE-ID: CVE-2015-3999

2. Vulnerability Description

     The use of CCleaner is encountered at times during forensic
     investigations of computer systems. It has a secure deletion
     mode where it can overwrite data, filenames, and free
     space. Overwriting files and filenames removes the chance to
     recover the data and subject it to further analyses. Due to
     how the software works, CCleaner will actually tell you the
     names of files that it wiped.

3. Technical Description

     Filenames are overwritten with the letter "Z" when CCleaner
     is tasked to overwrite files. On an NTFS formatted drive,
     the filename records in the Master File Table are replaced
     with the letter "Z". For example, a file named "TEST.TXT"
     will have each character in the name overwritten with the
     letter Z and will be renamed to "ZZZZ.ZZZ" after the process is
     completed. For example, as CCleaner was executing, the filename
     "TEST.TXT" was seen being written out to disk a few times,
     followed by the pattern "ZZZZ.ZZZ". The other filenames being
     overwritten were handled in the same fashion. This pattern of
     overwriting filesnames was found in the unallocated space of
     the hard drive. The search results looked like this:

       TEST.TXT
       TEST.TXT
       TEST.TXT
       ZZZZ.ZZZ
       ZZZZ.ZZZ
       ZZZZ.ZZZ

       TEST1.TXT
       TEST1.TXT
       TEST1.TXT
       ZZZZZ.ZZZ
       ZZZZZ.ZZZ
       ZZZZZ.ZZZ

     Once some original filenames are recovered, the analyst can
     attempt to use that to locate other references, or fragments in
     unallocated space, etc.

4. Mitigation and Remediation Recommendation

     None

5. Credit

     This vulnerability was discovered by Don Allison of KoreLogic
     Security, Inc.

6. Disclosure Timeline

     2015.02.18 - Initial contact; requested PGP key from Piriform.
     2015.02.23 - Second contact attempt.
     2015.02.25 - Piriform responds, asks for KoreLogic to submit
                  details to support@...iform.com.
     2015.03.02 - KoreLogic submits vulnerability report to Piriform.
     2015.03.02 - Piriform confirms receipt of the report.
     2015.04.22 - KoreLogic requests an update on the status of this
                  issue.
     2015.05.04 - 45 business days have elapsed since Piriform
                  acknowledged receipt of the KoreLogic report.
     2015.05.15 - KoreLogic requests CVE from Mitre.
     2015.05.15 - Mitre issues CVE-2015-3999.
     2015.05.18 - Public disclosure.

7. Proof of Concept

     N/A

The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVWj77AAoJEE1lmiwOGYkMk7EH/3vT8zR3kG5tJk+T+WQr1k4g
LQED7JEfL10XiwQooTihRbxOjG06oy1wRT1LJjnrg6iJFxg9q9IfHnzhYnV7Pm71
znZPLXtjGXP7HgwQp2rH2wMI+4q92Kd46G/nMXFezgqjGv32ctT/nHYrQWRYLRRs
1fivJgIiJ9iwaMylFvS5Lhzfo84nQ7xSALQjhOWVnfp+qomFFi7jIHUQF5B240AC
RFOwzyjwUPWshivZ5iccfBGLaLRLvSyiPLKCrRB+Ht8digB/epOXzxl6SF1ImPJc
XwzM7x+Tz7y1+ZypJr39zGh2yoltmCYC4qmfrQzfqZzrBpTRaJhsDvkK+VS7+4U=
=Ym/t
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ