Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
The use of CCleaner is encountered at times during forensic investigations of computer systems. It has a secure deletion mode where it can overwrite data, filenames, and free space. Overwriting files and filenames removes the chance to recover the data and subject it to further analyses. Due to how the software works, CCleaner will actually tell you the names of files that it wiped.
Technical Description
Filenames are overwritten with the letter “Z” when CCleaner is tasked to overwrite files. On an NTFS formatted drive, the filename records in the Master File Table are replaced with the letter “Z”. For example, a file named “TEST.TXT” will have each character in the name overwritten with the letter Z and will be renamed to “ZZZZ.ZZZ” after the process is completed. For example, as CCleaner was executing, the filename “TEST.TXT” was seen being written out to disk a few times, followed by the pattern “ZZZZ.ZZZ”. The other filenames being overwritten were handled in the same fashion. This pattern of overwriting filenames was found in the unallocated space of the hard drive. The search results looked like this:
TEST.TXT
TEST.TXT
TEST.TXT
ZZZZ.ZZZ
ZZZZ.ZZZ
ZZZZ.ZZZ
TEST1.TXT
TEST1.TXT
TEST1.TXT
ZZZZZ.ZZZ
ZZZZZ.ZZZ
ZZZZZ.ZZZOnce some original filenames are recovered, the analyst can attempt to use that to locate other references, or fragments in unallocated space, etc.
Mitigation and Remediation Recommendation
None
Credit
This vulnerability was discovered by Don Allison of KoreLogic Security, Inc.
Proof of Concept
N/A
The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
Disclosure Timeline
Initial contact; requested PGP key from Piriform.
Second contact attempt.
Piriform responds, asks for KoreLogic to submit details to support@piriform.com.
KoreLogic submits vulnerability report to Piriform.
Piriform confirms receipt of the report.
KoreLogic requests an update on the status of this issue.
45 business days have elapsed since Piriform acknowledged receipt of the KoreLogic report.
KoreLogic requests CVE from Mitre.
Mitre issues CVE-2015-3999.
Public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.