Windows 2000 EFS Temporary File Retrieval Vulnerability
BID:2243
Info
Windows 2000 EFS Temporary File Retrieval Vulnerability
| Bugtraq ID: | 2243 |
| Class: | Design Error |
| CVE: |
CVE-2001-0261 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 19 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | This vulnerability was first announced by Rickard Berglind <[email protected]> on January 19, 2001 via Bugtraq. |
| Vulnerable: |
Microsoft Windows 2000 Terminal Services SP2 Microsoft Windows 2000 Terminal Services SP1 Microsoft Windows 2000 Terminal Services Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
Windows 2000 EFS Temporary File Retrieval Vulnerability
EFS is the encrypted file system package designed to secure sensitive information. It is included with the Windows 2000 Operating System, distributed and maintained by Microsoft Corporation.
A problem in the package could allow the recovery of sensitive data encrypted by the EFS. When the file is selected for encryption, and backup copy of the file is moved into the temporary directory using the file name efs0.tmp. The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the file is deleted, the blocks in the file system are never cleared, thus making it possible for a any user on the local host to access the data of the encrypted file, which falls outside of the constrains of access control imposed by the Operating System. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.
EFS is the encrypted file system package designed to secure sensitive information. It is included with the Windows 2000 Operating System, distributed and maintained by Microsoft Corporation.
A problem in the package could allow the recovery of sensitive data encrypted by the EFS. When the file is selected for encryption, and backup copy of the file is moved into the temporary directory using the file name efs0.tmp. The data from this file is taken and encrypted using EFS, with the backup file being deleted after the encryption process is performed. However, after the file is encrypted and the file is deleted, the blocks in the file system are never cleared, thus making it possible for a any user on the local host to access the data of the encrypted file, which falls outside of the constrains of access control imposed by the Operating System. This makes it possible for a malicious user to recover sensitive data encrypted by EFS.
Exploit / POC
Windows 2000 EFS Temporary File Retrieval Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Windows 2000 EFS Temporary File Retrieval Vulnerability
Solution:
Microsoft has released a tool (Cipher.exe) which will assist in the removal of deleted data on the hard disk:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP
Solution:
Microsoft has released a tool (Cipher.exe) which will assist in the removal of deleted data on the hard disk:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP
References
Windows 2000 EFS Temporary File Retrieval Vulnerability
References:
References:
- Cipher.exe Security Tool for the Encrypting File System (Microsoft)
- Windows 2000 Encrypted File System Weaknesses (Colman Communications)