Microsoft Windows NTFS Information Disclosure

I. Synopsis

Affected Systems:
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Risk: Moderate
Impact: Local Information Leak
Status: Maintenance Release Planned (Uncoordinated release)
Author: Matthew Murphy (mattmurphy@kc.rr.com)
BugTraq ID: 7386

II. Product Description

"The Windows XP Professional operating system is the best choice for businesses of all sizes. Windows XP Professional integrates the strengths of Windows 2000 Professional, such as standards-based security, manageability, and reliability, with the best business features of Windows 98 and Windows Millennium Edition, such as Plug and Play, simplified user interface, and innovative support services. This combination creates the best desktop operating system for business. Whether your business deploys Windows XP Professional on a single computer or throughout a worldwide network, this new operating system increases your computing power while lowering cost of ownership for desktop computers."
(http://www.microsoft.com/windowsxp/pro/evaluation/features.asp)

"Windows XP Home Edition gives you the freedom to experience more than you ever thought possible with your computer and the Internet. This is the operating system home users have been waiting for -- because it offers serious speed and serious stability, so you can have serious fun."
(http://www.microsoft.com/windowsxp/home/evaluation/overviews/default.asp)

III. Vulnerability Description

Among the features of Windows XP is the New Technology File System, or NTFS. NTFS is designed as a reliable file system: it offers data encryption, access control, and journaling to protect disk consistency in the event of unexpected shutdowns. However, an apparent error in the NTFS driver's code causes the file system to assign disk blocks to files before those blocks have been initialized.
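The block-assignment ordering just described, modelled in a toy volume as an added illustration (constructed for this page; it is not the advisory author's code and not the NTFS driver's): the file table is journaled and survives the crash, block contents are not, so what a reader sees after recovery depends only on whether allocation initializes a block before the assignment is committed. The file names, the "secret" record and the 16-byte block size are constructed values.

```python
from dataclasses import dataclass, field

BLOCK = 16  # constructed block size, chosen so one record fills one block

@dataclass
class ToyVolume:
    """Block store plus a journaled file table; block contents are not journaled."""
    blocks: dict = field(default_factory=dict)  # block number -> on-disk bytes
    free: list = field(default_factory=list)    # block numbers available for reuse
    files: dict = field(default_factory=dict)   # journaled: name -> [block numbers]

    def create(self, name, data):
        """Clean write, no crash: allocate fresh blocks and store the data."""
        nums = []
        for off in range(0, len(data), BLOCK):
            n = len(self.blocks)
            self.blocks[n] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            nums.append(n)
        self.files[name] = nums

    def delete(self, name):
        """Unlink: blocks return to the free list, but their bytes stay on disk."""
        self.free.extend(self.files.pop(name))

    def write_then_crash(self, name, data, zero_on_alloc):
        """Assign a block to `name`, then lose power before `data` reaches disk.

        The assignment is journaled in both policies; the only difference is
        whether allocation initializes the block before the assignment lands.
        """
        n = self.free.pop(0) if self.free else len(self.blocks)  # reuse first
        if zero_on_alloc:
            self.blocks[n] = b"\0" * BLOCK       # initialize, then expose
        self.files[name] = [n]                   # journaled: survives the crash
        # crash point: `data` is still in the write cache and is never flushed
        self.blocks.setdefault(n, b"\0" * BLOCK)  # a never-used block reads as zeros

    def read(self, name):
        """What a reader sees after the journal has been replayed."""
        return b"".join(self.blocks[n] for n in self.files[name])

def recovered_contents(zero_on_alloc):
    """Replay the advisory's scenario; return the unprivileged user's file."""
    vol = ToyVolume()
    vol.create("admin_ie_cache.dat", b"ADMIN-SESSION=42")  # constructed secret
    vol.delete("admin_ie_cache.dat")                       # Administrator purges it
    vol.write_then_crash("user.log", b"hello", zero_on_alloc)
    return vol.read("user.log")
```

With `zero_on_alloc=False` the user's file comes back holding the Administrator's purged record; with `zero_on_alloc=True` it holds zeros, which is the ordering a file system needs to avoid the leak described here.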
Following a recovery from a system shutdown, uninitialized data from previously allocated disk blocks may be visible in files.

Previously, this error condition was believed to be related to system shutdown timing. BugTraq ID #7386 describes one instance of this bug, in the case of premature service shutdowns. During more recent testing for other issues, it was discovered that a service is NOT required to observe the behavior identified in the previous advisory. The incidences of private data appearing in files can be tied to drivers, services, and even typical user-mode applications. Any time the system is shut down with a file open for writing, the behavior may occur.

Several specific cases were identified, including power/hardware failures, kernel STOPs (blue screens), and shutdowns initiated with the Win32 API InitiateSystemShutdown(). The common denominator between these cases is that open file handles are not closed before the system is shut down. Upon reboot, such files may contain data belonging to other users. Among the data observed in lab tests were portions of an Administrator's purged Internet Explorer cache. In many cases, this data is readable to users without privileges on the system (such as members of the Users or Guests groups).

IV. Impact

Local unprivileged users may gain access to confidential information stored on affected systems. This may allow access to unrelated services such as web accounts, or further compromise of the affected system's host network.

V. Workarounds

None known. Mission-critical systems should be protected from logins by untrusted users, according to industry-standard best practices.

VI. Vendor Response

The Microsoft Security Response Center was notified by e-mail when this issue was originally discovered more than two years ago. MSRC was contacted again with updated information on the specific details of the flaw, in an attempt to assist a lab reproduction and a possible fix.
MSRC chose to handle the incident as a "non-security issue", and directed the Windows product team to issue a Service Pack fix. Citing the supposed difficulty of producing the behavior documented in this advisory, MSRC concluded that a security update to address the issue was not "justified". Further, it was indicated to me that the MSRC would "not be driving" the release timeline for any fix.

I usually refrain from commenting on vendors' patch policies, but the history of such maintenance releases from Redmond paints a disturbing picture. Most likely, we can expect Microsoft to release this as an undocumented fix, or to delay as it did with the "Web Folder View" issue (reported on May 18, 2002, finally fixed in Windows XP Service Pack 2). In spite of repeated requests for a shorter, specific update timeframe (such as a PSS hotfix), MSRC refused to issue an unscheduled update of any kind. Comparing Microsoft's response with the treatment of comparable, less severe vulnerabilities in Linux drivers for ext3 et al. (which required reading of the raw device) offers a telling indication of Microsoft's continued lip service to maintaining the security of its software, even after the "security overhaul" of Windows XP Service Pack 2.

VII. Contact

The author can be reached via e-mail at mattmurphy@kc.rr.com, or on AOL Instant Messenger screen name "NetAddict4109".