Secret Sector Backdoor / Security Breach

on 22.10.2007 19:02:09 by Security.Concerned.User

Hello everyone,

Recently I've realized that Windows XP Pro (SP1) secretly writes data
to hard-disk sector(s) that were beyond its
installation-partition boundaries; at that time I used a
basic Windows XP installation on a 3-GB partition,
and the rest of the harddisk was unformatted, for all Windows cared.

I should also mention that my WinXP partition is formatted on FAT32,
but I am capable of accessing NTFS partitions, if need be, using
NTFS4DOS, (which I didn't).

Obviously I was only able to have discovered that with
an MSDOS-run Disk Editor capable of accessing all 160 million
sectors of my 80GB hard disk, and making a text-based datafile
containing sector numbers (Cyl., Head, Sector + Index),
that was runnable under pure MSDOS mode available by booting
from a BootCD / BootDVD.

I wasn't quite sure what the nature of that data was,
and whether or not it was a copy of the swapfile
(e.g., PageFile.SYS), or some other data off RAM,
or maybe password(s) or other sensitive data
that I may have been working on prior to re-booting
from my BootDVD.

So my questions are:

1. Would anybody be familiar with that sector-writing stuff?
2. If so, what is the nature of the data written?
3. Would password(s) typed at MSDOS-based program(s), run within
Dos-Box windows, be secretly saved there too?
4. How am I to prevent that from happening?
5. How am I to erase such data?

Thanks much,
SCU

Re: Secret Sector Backdoor / Security Breach

on 23.10.2007 00:30:09 by M Trimble

Quoting Security.Concerned.User on Mon, 22 Oct 2007 17:02:09 +0000:

> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data to
> hard-disk sector(s) that were beyond its installation-partition
> boundaries; at that time I used a basic Windows XP installation on a
> 3-GB partition, and the rest of the harddisk was unformatted, for all
> Windows cared.
>
> I should also mention that my WinXP partition is formatted on FAT32, but
> I am capable of accessing NTFS partitions, if need be, using NTFS4DOS,
> (which I didn't).
>
> Obviously I was only able to have discovered that with an MSDOS-run Disk
> Editor capable of accessing all 160 million sectors of my 80GB hard
> disk, and making a text-based datafile containing sector numbers (Cyl.,
> Head, Sector + Index), that was runnable under pure MSDOS mode available
> by booting from a BootCD / BootDVD.
>
> I wasn't quite sure what the nature of that data was, and whether or not
> it was a copy of the swapfile (e.g., PageFile.SYS), or some other data
> off RAM, or maybe password(s) or other sensitive data that I may have
> been working on prior to re-booting from my BootDVD.
>
> So my questions are:
>
> 1. Would anybody be familiar with that sector-writing stuff?
> 2. If so, what is the nature of the data written?
> 3. Would password(s) typed at MSDOS-based program(s), run within
> Dos-Box windows, be secretly saved there too?
> 4. How am I to prevent that from happening?
> 5. How am I to erase such data?
>
> Thanks much,
> SCU

Problem exists between keyboard and chair.

There is NO way the OS can write beyond the partition; for the OS, the
rest of the drive does not exist.

Re: Secret Sector Backdoor / Security Breach

on 23.10.2007 01:00:29 by Sebastian Gottschalk

Mark Trimble wrote:

> Problem exists between keyboard and chair.

Likely, but not clear from the mentioned stuff.

> There is NO way the OS can write beyond the partition;
It can. Trivially. It has RAW access to the drive, and not touching the various
partitions is a self-respecting limitation of the volume manager.

> for the OS, the rest of the drive does not exist.
Of course it does. It just typically doesn't care unless you instruct it to
do so.

As for what I think it could be: Windows read the partition table and found
it to be incorrect/inconsistent/imprecise, and therefore corrected it. Maybe
it was an x64 version and added an additional GUID-based partition table.
Maybe it considered the other partition as a dynamic volume and wrote a
specific signature into it.

Or, most likely, it's just the user seeing things that aren't there.

Re: Secret Sector Backdoor / Security Breach

on 23.10.2007 16:51:03 by xpyttl

"Sebastian G." wrote in message
news:5o4obpFkpv93U1@mid.dfncis.de...

> Or, most likely, it's just the user seeing things that aren't there.

A number of manufacturers include a small, non-Windows partition to store
BIOS configuration information and some limited set of Windows configuration
files. In principle, they can then restore a completely dead system to at
least working in a relatively automated fashion. I've also seen laptop
manufacturers keep their hibernate image on a "hidden" partition, although I
haven't seen that in a while.

...

Re: Secret Sector Backdoor / Security Breach

on 23.10.2007 21:30:52 by Frank Slootweg

Security.Concerned.User@gmail.com wrote:
> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data
> to hard-disk sector(s) that were beyond its
> installation-partition boundaries; at that time I used a
> basic Windows XP installation on a 3-GB partition,
> and the rest of the harddisk was unformatted, for all Windows cared.

Was the XP partition the *first* partition (C:)? If not, then there's
your answer, because XP needs stuff on C: to boot.

Is your XP software a *retail* version (i.e. a box which you bought in
a store), or an 'OEM' version which came with your/a computer? If the
latter, then it may contain extra software which is stored in a hidden
partition. For example my HP OmniBook vt6200 has a hidden partition with
diagnostic programs.

As xpyttl mentioned, it may well be a hibernate partition. XP normally
uses a hibernate file, but IIRC it can still use a hibernate partition
(like Windows 2000).

BTW. *how* did you determine that XP/something writes beyond the
partition? You mentioned the *tool* you used ("an MSDOS-run Disk
Editor"), but not what the tool *showed*, let alone what made you look
in the first place.

[...]
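An added example, not written by any poster in this thread, of the check Frank asks about (and of the raw-access point Sebastian makes): parse the MBR partition table, enumerate the sectors that no partition claims, and report which of them hold non-zero data plus a hash that can be compared across reboots. It runs on a constructed 64-sector image; `build_sample_image`, the partition layout and the bytes written at sector 50 are all made up for the demonstration.

```python
import hashlib
import struct

SECTOR = 512  # sector size assumed for the sample image


def parse_mbr(mbr: bytes):
    """Return sorted [(start_lba, sector_count)] for the four primary MBR entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                  # 0x00 = unused slot
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if ptype != 0 and count:
            parts.append((start, count))
    return sorted(parts)


def unallocated_ranges(parts, total_sectors):
    """Sector ranges covered by no partition; sector 0 (the MBR itself) is excluded."""
    gaps, cursor = [], 1
    for start, count in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def audit_gaps(image: bytes, total_sectors):
    """For each unallocated range: list the non-zero sectors and hash the whole range."""
    parts = parse_mbr(image[:SECTOR])
    report = []
    for start, count in unallocated_ranges(parts, total_sectors):
        data = image[start * SECTOR:(start + count) * SECTOR]
        nonzero = [start + i for i in range(count)
                   if any(data[i * SECTOR:(i + 1) * SECTOR])]
        report.append({"start": start, "count": count, "nonzero": nonzero,
                       "sha256": hashlib.sha256(data).hexdigest()})
    return report


def build_sample_image(total_sectors=64):
    """Constructed image: one FAT32 partition at LBA 8..39, everything else unallocated."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 8, 32)
    img[510:512] = b"\x55\xaa"
    img[50 * SECTOR:50 * SECTOR + 16] = b"CONSTRUCTED_DATA"  # a write outside the partition
    return bytes(img)
```

Hashing the same ranges before and after a reboot turns "I think something was written out there" into a yes/no answer, and the `nonzero` list says exactly which sectors to inspect in the disk editor.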