Skip to main content
Security Advisory

Piriform CCleaner Wiped Filename Recovery

Advisory ID
KL-001-2015-002
CVE ID
CVE-2015-3999
Published
2015-05-18
Vendor
Piriform

Affected Systems

Product
CCleaner
Version
3.26.0.1988 - 5.02.5101
Platform
Microsoft Windows 7 x64 Service Pack 1

Discovered By

Don Allison (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Piriform
Affected Product: CCleaner
Affected Version: 3.26.0.1988 - 5.02.5101
Platform: Microsoft Windows 7 x64 Service Pack 1
CWE Classification: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Impact: Information Exposure
Attack Vector: Local
CVE ID: CVE-2015-3999

Vulnerability Description

The use of CCleaner is encountered at times during forensic investigations of computer systems. It has a secure deletion mode where it can overwrite data, filenames, and free space. Overwriting files and filenames removes the chance to recover the data and subject it to further analyses. Due to how the software works, CCleaner will actually tell you the names of files that it wiped.

Technical Description

Filenames are overwritten with the letter “Z” when CCleaner is tasked to overwrite files. On an NTFS formatted drive, the filename records in the Master File Table are replaced with the letter “Z”. For example, a file named “TEST.TXT” will have each character in the name overwritten with the letter Z and will be renamed to “ZZZZ.ZZZ” after the process is completed. For example, as CCleaner was executing, the filename “TEST.TXT” was seen being written out to disk a few times, followed by the pattern “ZZZZ.ZZZ”. The other filenames being overwritten were handled in the same fashion. This pattern of overwriting filenames was found in the unallocated space of the hard drive. The search results looked like this:

TEST.TXT
TEST.TXT
TEST.TXT
ZZZZ.ZZZ
ZZZZ.ZZZ
ZZZZ.ZZZ

TEST1.TXT
TEST1.TXT
TEST1.TXT
ZZZZZ.ZZZ
ZZZZZ.ZZZ
ZZZZZ.ZZZ

Once some original filenames are recovered, the analyst can attempt to use that to locate other references, or fragments in unallocated space, etc.

Mitigation and Remediation Recommendation

None

Credit

This vulnerability was discovered by Don Allison of KoreLogic Security, Inc.

Proof of Concept

N/A

The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

Disclosure Timeline

Initial contact; requested PGP key from Piriform.

Second contact attempt.

Piriform responds, asks for KoreLogic to submit details to support@piriform.com.

KoreLogic submits vulnerability report to Piriform.

Piriform confirms receipt of the report.

KoreLogic requests an update on the status of this issue.

45 business days have elapsed since Piriform acknowledged receipt of the KoreLogic report.

KoreLogic requests CVE from Mitre.

Mitre issues CVE-2015-3999.

Public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt