FW: NTFS and PGP interact to expose EFS encrypted data

Thu May 9 09:48:31 EDT 2002

--- begin forwarded text

Status:  U
From: Somebody
Subject: FW: NTFS and PGP interact to expose EFS encrypted data
Date: Thu, 9 May 2002 10:22:22 +0100
Thread-Topic: NTFS and PGP interact to expose EFS encrypted data
To: <rah at shipwright.com>

-----Original Message-----
From: Somebody Else
Sent: 09 May 2002 09:23
Subject: FW: NTFS and PGP interact to expose EFS encrypted data

FYI.

One wonders why M$ couldn't engineer a disk encryption system that
didn't depend on user-visible temp files...

<Somebody Else's .sig>

-----Original Message-----
From: rjones
Sent: 08 May 2002 20:34
To: Russ.Cooper; bugtraq
Cc: rjones
Subject: NTFS and PGP interact to expose EFS encrypted data

NTFS and PGP interact to expose EFS encrypted data
© 2002 Ry Jones, Airgap Networks.

Summary:
NTFS, a feature of Windows XP, supports an "encrypted" attribute. PGP
7.0.3 Freeware, a product of Network Associates, supports wiping
files as they are deleted. If you enable file wiping and then set the
"encrypted" attribute on a folder, copies of the contents are left
un-encrypted on the file system.

Details:
As explorer works it's way through the file system encrypting the
contents, it first renames the source file to a name in the format of
"EFSn.TMP" where n is an increasing series of integers starting at 0.
It then encrypts the file into a target file with the same name as
the original. The permissions on the temp file are set to a very
restrictive level; the temp file is then deleted. However, if you
have set PGP to wipe deleted files, it appears PGP intercepts the
deletion of the file. PGP, running as the user, has insufficient
privilege to delete the file, and leaves the temp file in place.

Anyone who recovers the hard drive can take ownership of these temp
files and read them. Also, in the default setting, hidden files are
not shown in explorer, so a user may not be aware that the temp files
exist at all. Any administrator may take ownership of the temp files
and read the data.

Repro:
1: create a directory "efs-pgp-interaction-bug". Copy a text file
into the directory.
2: right click on the PGP icon. Set the "Automatically wipe on
delete" flag. Click OK.
3: right click on the "efs-pgp-interaction-bug" directory in
explorer. Click properties, advanced, and check the "Encrypt contents
to secure data" flag. Click OK, OK.
4: double click on efs-pgp-interaction-bug. If you have set the "show
hidden files and folders" flag (tools, folder options, view, show
hidden files and folders, OK) you well see the EFSn.TMP files.
Attempting to open the temp files will result in an error (depending
on application). Vim reports "[Permission Denied]".
5: hit the backspace key. Right click on the efs-pgp-interaction-bug
directory. Select sharing and security; select security, advanced.
Check the "replace permission entries on all child objectsŠ" check
box and click OK. Click "Yes", "OK".
6: Re-open efs-pgp-interaction-bug and right click on the temp file
(EFS0.TMP). Select Open With, Notepad. View your file.

Workaround:
Do not enable PGP's Wipe Deleted Files option if you are using
Encrypted NTFS.

Vendor Response:

This issue has been resolved, and a hot fix for PGP Desktop Security
v7.0.x, PGP Corporate Desktop v7.1.x and PGPfreeware v7.0.x (all for
Windows 2000) is available at
<http://www.nai.com/naicommon/download/upgrade/upgrades-patch.asp>http://www.nai.com/naicommon/download/upgrade/upgrades-patch.asp.

Users should be aware that Win2K EFS does NOT wipe the contents of
files that are encrypted according to the steps above.  The PGP Wipe
Free Space feature to ensure that the clear text has been wiped.

Discovered: 10 MAR 2002
Sent to vendors: 17 MAR 2002
Submitted to NTBugtraq, Bugtraq: 08 MAY 2002

Thanks to: Russ of NTBugtraq for driving the issue with Microsoft and
NAI much more effectively than I ever would have. There never would
have been a resolution without his efforts.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPNl9sxLoz2rGojSMEQIqXACg0CbHJHJOm0bh9gqBfr5HvdIz+ZAAn2Ve
HOJ1qt1tkX7wnU5qpQxOOXiU
=0LBF
-----END PGP SIGNATURE-----

<Various nested incriminating .sigs elided...>
--- end forwarded text

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com