Secret Sector Backdoor / Security Breach
on 22.10.2007 19:02:09 by Security.Concerned.User
Hello everyone,
Recently I've realized that Windows XP Pro (SP1) secretly writes data
to hard-disk sector(s) that were beyond its
installation-partition boundaries; at that time I used a
basic Windows XP installation on a 3-GB partition,
and the rest of the harddisk was unformatted, for all Windows cared.
I should also mention that my WinXP partition is formatted on FAT32,
but I am capable of accessing NTFS partitions, if need be, using
NTFS4DOS, (which I didn't).
Obviously I was only able to have discovered that with
an MSDOS-run Disk Editor capable of accessing all 160 million
sectors of my 80GB hard disk, and making a text-based datafile
containing sector numbers (Cyl., Head, Sector + Index),
that was runnable under pure MSDOS mode available by booting
from a BootCD / BootDVD.
I wasn't quite sure what the nature of that data was,
and whether or not it was a copy of the swapfile
(e.g., PageFile.SYS), or some other data off RAM,
or maybe password(s) or other sensitive data
that I may have been working on prior to re-booting
from my BootDVD.
So my questions are:
1. Would anybody be familiar with that sector-writing stuff?
2. If so, what is the nature of the data written?
3. Would password(s) typed at MSDOS-based program(s), run within
Dos-Box windows, be secretly saved there too?
4. How am I to prevent that from happening?
5. How am I to erase such data?
Thanks much,
SCU
Re: Secret Sector Backdoor / Security Breach
on 23.10.2007 00:30:09 by M Trimble
Quoting Security.Concerned.User on Mon, 22 Oct 2007 17:02:09 +0000:
> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data to
> hard-disk sector(s) that were beyond its installation-partition
> boundaries; at that time I used a basic Windows XP installation on a
> 3-GB partition, and the rest of the harddisk was unformatted, for all
> Windows cared.
>
> I should also mention that my WinXP partition is formatted on FAT32, but
> I am capable of accessing NTFS partitions, if need be, using NTFS4DOS,
> (which I didn't).
>
> Obviously I was only able to have discovered that with an MSDOS-run Disk
> Editor capable of accessing all 160 million sectors of my 80GB hard
> disk, and making a text-based datafile containing sector numbers (Cyl.,
> Head, Sector + Index), that was runnable under pure MSDOS mode available
> by booting from a BootCD / BootDVD.
>
> I wasn't quite sure what the nature of that data was, and whether or not
> it was a copy of the swapfile (e.g., PageFile.SYS), or some other data
> off RAM, or maybe password(s) or other sensitive data that I may have
> been working on prior to re-booting from my BootDVD.
>
> So my questions are:
>
> 1. Would anybody be familiar with that sector-writing stuff? 2. If so,
> what is the nature of the data written? 3. Would password(s) typed at
> MSDOS-based program(s), run within
> Dos-Box windows, be secretly saved there too?
> 4. How am I to prevent that from happening? 5. How am I to erase such
> data?
>
> Thanks much,
> SCU
Problem exists between keyboard and chair.
There is NO way the OS can write beyond the partition; for the OS, the
rest of the drive does not exist.
Re: Secret Sector Backdoor / Security Breach
on 23.10.2007 01:00:29 by Sebastian Gottschalk
Mark Trimble wrote:
> Problem exists between keyboard and chair.
Likely, but not clear from the mentioned stuff.
> There is NO way the OS can write beyond the partition;
It can. Trivially. It has RAW access to the drive, and not touching various
partitions is a self-respecting limitation of the volume manager.
> for the OS, the rest of the drive does not exist.
Of course it does. It just typically doesn't care unless you instruct it to
do so.
As for what I think it could be: Windows read the partition table and found
it to be incorrect/inconsistent/imprecise, and therefore corrected it. Maybe
it was an x64 version and added an additional GUID-based partition table.
Maybe it considered the other partition as a dynamic volume and wrote a
specific signature into it.
Or, most likely, it's just the user seeing things that aren't there.
Re: Secret Sector Backdoor / Security Breach
on 23.10.2007 16:51:03 by xpyttl
"Sebastian G." wrote in message
news:5o4obpFkpv93U1@mid.dfncis.de...
> Or, most likely, it's just the user seeing things that aren't there.
A number of manufacturers include a small, non-Windows partition to store
BIOS configuration information and some limited set of Windows configuration
files. In principle, they can then restore a completely dead system to at
least working in a relatively automated fashion. I've also seen laptop
manufacturers keep their hibernate image on a "hidden" partition, although I
haven't seen that in a while.
...
Re: Secret Sector Backdoor / Security Breach
on 23.10.2007 21:30:52 by Frank Slootweg
Security.Concerned.User@gmail.com wrote:
> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data
> to hard-disk sector(s) that were beyond its
> installation-partition boundaries; at that time I used a
> basic Windows XP installation on a 3-GB partition,
> and the rest of the harddisk was unformatted, for all Windows cared.
Was the XP partition the *first* partition (C:)? If not, then there's
your answer, because XP needs stuff on C: to boot.
Is your XP software a *retail* version (i.e. a box which you bought in
a store), or an 'OEM' version which came with your/a computer? If the
latter, then it may contain extra software which is stored in a hidden
partition. For example my HP OmniBook vt6200 has a hidden partition with
diagnostic programs.
As xpyttl mentioned, it may well be a hibernate partition. XP normally
uses a hibernate file, but IIRC it can still use a hibernate partition
(like Windows 2000).
BTW. *how* did you determine that XP/something writes beyond the
partition? You mentioned the *tool* you used ("an MSDOS-run Disk
Editor"), but not what the tool *showed*, let alone what made you look
in the first place.
[...]
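An added example (not part of any post in this thread) of how the "writes beyond the partition" claim can be checked from a raw disk image: parse the MBR partition table in sector 0, then list non-zero sectors that no primary partition entry covers. The 128-sector image, its single FAT32 entry and the stray data at LBA 110 are constructed sample input; logical drives inside an extended partition are not walked.

```python
import struct

SECTOR = 512  # bytes per sector, as on the disks discussed in the thread

def parse_mbr(mbr: bytes):
    """Return [(type, first_lba, sector_count)] for the primary entries in use."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                    # partition type byte
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:       # type 0 means the slot is unused
            parts.append((ptype, first_lba, count))
    return parts

def nonzero_sectors_outside(image: bytes):
    """LBAs with non-zero data that no primary partition covers (LBA 0 skipped)."""
    covered = [(s, s + n) for _, s, n in parse_mbr(image[:SECTOR])]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        if any(a <= lba < b for a, b in covered):
            continue                        # inside a partition: expected data
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)                # data in unpartitioned space
    return hits

def build_sample_image():
    """Constructed image: FAT32 (0x0B) partition at LBA 63..99, stray data at 110."""
    img = bytearray(128 * SECTOR)
    entry = bytearray(16)
    entry[0] = 0x80                         # active/bootable flag
    entry[4] = 0x0B                         # FAT32 (CHS) type
    struct.pack_into("<II", entry, 8, 63, 37)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:63 * SECTOR + 4] = b"BOOT"    # data inside the partition
    img[110 * SECTOR:110 * SECTOR + 4] = b"DATA"  # data outside any partition
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("partitions:", parse_mbr(image[:SECTOR]))
    print("non-zero sectors outside partitions:", nonzero_sectors_outside(image))
```

A single scan cannot say who wrote a sector or when; non-zero data in unpartitioned space may be left over from earlier use of the disk. Comparing two scans taken before and after booting the installed system shows which sectors actually changed.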