-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2015-002 : Piriform CCleaner Wiped Filename Recovery Title: Piriform CCleaner Wiped Filename Recovery Advisory ID: KL-001-2015-002 Publication Date: 2015.05.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-002.txt 1. Vulnerability Details Affected Vendor: Piriform Affected Product: CCleaner Affected Version: 3.26.0.1988 - 5.02.5101 Platform: Microsoft Windows 7 x64 Service Pack 1 CWE Classification: CWE-200: Information Exposure Impact: Information Exposure Attack vector: Local CVE-ID: CVE-2015-3999 2. Vulnerability Description The use of CCleaner is encountered at times during forensic investigations of computer systems. It has a secure deletion mode where it can overwrite data, filenames, and free space. Overwriting files and filenames removes the chance to recover the data and subject it to further analyses. Due to how the software works, CCleaner will actually tell you the names of files that it wiped. 3. Technical Description Filenames are overwritten with the letter "Z" when CCleaner is tasked to overwrite files. On an NTFS formatted drive, the filename records in the Master File Table are replaced with the letter "Z". For example, a file named "TEST.TXT" will have each character in the name overwritten with the letter Z and will be renamed to "ZZZZ.ZZZ" after the process is completed. For example, as CCleaner was executing, the filename "TEST.TXT" was seen being written out to disk a few times, followed by the pattern "ZZZZ.ZZZ". The other filenames being overwritten were handled in the same fashion. This pattern of overwriting filesnames was found in the unallocated space of the hard drive. The search results looked like this: TEST.TXT TEST.TXT TEST.TXT ZZZZ.ZZZ ZZZZ.ZZZ ZZZZ.ZZZ TEST1.TXT TEST1.TXT TEST1.TXT ZZZZZ.ZZZ ZZZZZ.ZZZ ZZZZZ.ZZZ Once some original filenames are recovered, the analyst can attempt to use that to locate other references, or fragments in unallocated space, etc. 4. Mitigation and Remediation Recommendation None 5. Credit This vulnerability was discovered by Don Allison of KoreLogic Security, Inc. 6. Disclosure Timeline 2015.02.18 - Initial contact; requested PGP key from Piriform. 2015.02.23 - Second contact attempt. 2015.02.25 - Piriform responds, asks for KoreLogic to submit details to support@piriform.com. 2015.03.02 - KoreLogic submits vulnerability report to Piriform. 2015.03.02 - Piriform confirms receipt of the report. 2015.04.22 - KoreLogic requests an update on the status of this issue. 2015.05.04 - 45 business days have elapsed since Piriform acknowledged receipt of the KoreLogic report. 2015.05.15 - KoreLogic requests CVE from Mitre. 2015.05.15 - Mitre issues CVE-2015-3999. 2015.05.18 - Public disclosure. 7. Proof of Concept N/A The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJVWjaUAAoJEE1lmiwOGYkMy5QH/Rdwb22inN7E+EpYYEUJqLRS Z31Nsu8byn5owXdqBUiS2VXQIMQMN2IF1X+6j8o3NINLsRVqX2b/p0tqGkMeGzEQ cPoM/XWaNe7Q4b05cp491dUvUckpdKLmWPv+VWreub1bZQKN/yMzGXTQZ/VfsnqF nPvc1JNlEV+uu3L5HiXGlSskQxogRvsp1MC/RiazI1jEQjRvi3FblpzNq/nwIkSx yGEUduG17XEHRr0wKiPCJPSZLamhEsKnHnOyr5ErEQU4X9PsBpoyMH4LwN8iWb2d P/lePMDf0uW4e20X4dbK69lSG7PqJebJHvbgHnnv0ZhUIsq38gofywNNrtlQDOw= =igkL -----END PGP SIGNATURE-----