NTFSinfo.txt

Posted Jul 1, 2005
Authored by Matthew Murphy

An error in Microsoft Windows NTFS driver code causes the file system to incorrectly assign disk blocks to files before they have been initialized. Following a recovery from a system shutdown, uninitialized data may be visible in files from previously allocated disk blocks.

tags | advisory
systems | windows
SHA-256 | 19a6813bec80b15a790ba4bf91503c452214f0dd11e222e2104658130b26d1f5

Microsoft Windows NTFS Information Disclosure

I. Synopsis

Affected Systems:
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Risk: Moderate
Impact: Local Information Leak
Status: Maintenance Release Planned (Uncoordinated release)
Author: Matthew Murphy (mattmurphy@kc.rr.com)
BugTraq ID: 7386

II. Product Description

"The Windows XP Professional operating system is the best choice for
businesses of all sizes. Windows XP Professional integrates the
strengths of Windows 2000 Professional, such as standards-based
security, manageability, and reliability, with the best business
features of Windows 98 and Windows Millennium Edition, such as Plug and
Play, simplified user interface, and innovative support services. This
combination creates the best desktop operating system for business.
Whether your business deploys Windows XP Professional on a single
computer or throughout a worldwide network, this new operating system
increases your computing power while lowering cost of ownership for
desktop computers."

(http://www.microsoft.com/windowsxp/pro/evaluation/features.asp)

"Windows XP Home Edition gives you the freedom to experience more than
you ever thought possible with your computer and the Internet. This is
the operating system home users have been waiting for - because it offers
serious speed and serious stability, so you can have serious fun."

(http://www.microsoft.com/windowsxp/home/evaluation/overviews/default.asp)

III. Vulnerability Description

Among the features of Windows XP is the New Technology File System, or
NTFS. NTFS is designed as a reliable file system: it offers data
encryption and access control, and is journaled to protect disk
consistency in the event of unexpected shutdowns.

However, an apparent error in the NTFS driver's code causes the file
system to incorrectly assign disk blocks to files before they have been
initialized. Following a recovery from a system shutdown, uninitialized
data may be visible in files from previously allocated disk blocks.

Previously, this error condition was believed to be related to system
shutdown timings. BugTraq ID #7386 describes one instance of this bug,
in the case of premature service shutdowns. During more recent testing
for other issues, it was uncovered that a service is NOT required to
observe the behavior identified in the previous advisory.

Instances of private data appearing in files can be tied to drivers,
services, or even typical user-mode applications. Any time the system is
shut down with a file open for writing, the behavior may occur. Several
specific cases were identified, including power/hardware failures,
kernel STOPs (blue screens), and shutdowns initiated with the Win32 API
InitiateSystemShutdown(). The common denominator between these cases is
that open file handles are not closed before the system is shut down.

Upon reboot, such files may contain data belonging to other users.
Among data observed in lab tests were portions of an Administrator's
purged Internet Explorer cache. In many cases, this data is readable to
users without privileges on the system (such as members of the Users or
Guests groups).
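
Added example, not part of the original advisory: because a file that was
open for writing at shutdown may come back holding bytes its owner never
wrote, an application can frame each record in its own append-only files
with a length and CRC32 and, at startup, cut the file back to the last
record that verifies. The record layout, the MAX_RECORD bound and the
function names are assumptions made for this example.

```python
import os
import struct
import zlib

HEADER = struct.Struct("<II")  # assumed layout: payload length, CRC32 of payload
MAX_RECORD = 1 << 20           # assumed upper bound on one record's payload


def append_record(path, payload):
    """Append one framed record and force it to disk before returning."""
    with open(path, "ab") as f:
        f.write(HEADER.pack(len(payload), zlib.crc32(payload)) + payload)
        f.flush()
        os.fsync(f.fileno())


def valid_prefix(data):
    """Return (records, offset): the records that verify and where they end."""
    records, offset = [], 0
    while offset + HEADER.size <= len(data):
        length, crc = HEADER.unpack_from(data, offset)
        start = offset + HEADER.size
        end = start + length
        # length 0 is rejected: an all-zero region would otherwise "verify".
        if length == 0 or length > MAX_RECORD or end > len(data):
            break
        payload = data[start:end]
        if zlib.crc32(payload) != crc:
            break
        records.append(payload)
        offset = end
    return records, offset


def recover(path):
    """Startup check: return (records, foreign_bytes) and drop the foreign tail."""
    with open(path, "r+b") as f:
        data = f.read()
        records, good = valid_prefix(data)
        foreign = len(data) - good
        if foreign:
            # Zero the tail first so it is overwritten, not only detached.
            f.seek(good)
            f.write(b"\x00" * foreign)
            f.flush()
            os.fsync(f.fileno())
            f.truncate(good)
    return records, foreign
```

A non-zero foreign byte count after an unclean shutdown is worth logging,
since it marks a file that held content the application did not produce.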

IV. Impact

Local unprivileged users may gain access to confidential information
that is stored on affected systems. This may allow access to unrelated
services such as web accounts, or further compromise of the affected
system's host network.

V. Workarounds

None known. Mission-critical systems should be protected from logins by
untrusted users, according to industry-standard best practices.

VI. Vendor Response

The Microsoft Security Response Center was notified by e-mail when this
issue was originally discovered more than two years ago. MSRC was
contacted again with updated information on the specific details of the
flaw, in an attempt to assist a lab reproduction and a possible fix.
MSRC chose to handle the incident as a "non-security issue", and
directed the Windows product team to issue a Service Pack fix.

Citing the supposed difficulty of producing the behavior documented in
this advisory, MSRC concluded that a security update to address the
issue was not "justified". Further, it was indicated to me that the
MSRC would "not be driving" the release timeline for any fix.

I usually refrain from commenting on vendors' patch policies, but the
history of such maintenance releases from Redmond paints a disturbing
picture. Most likely, we can expect Microsoft to release this as an
undocumented fix, or to delay as it did with the "Web Folder View" issue
(reported on May 18, 2002, finally fixed in Windows XP Service Pack 2).
In spite of repeated requests for a shorter, specific update timeframe
(such as a PSS hotfix), MSRC refused to issue an unscheduled update of
any kind.

Comparing Microsoft's response with the treatment of comparable,
less-severe vulnerabilities in Linux drivers for ext3, et al (which
required reading of the raw device) offers a telling indication of
Microsoft's continued lip service to maintaining the security of its
software, even after the "security overhaul" of Windows XP Service Pack 2.

VII. Contact

The author can be reached via e-mail at mattmurphy@kc.rr.com, or on AOL
Instant Messenger screen name "NetAddict4109".