#1
10-22-2007, 05:02 PM
Security.Concerned.User@gmail.com
Guest
Secret Sector Backdoor / Security Breach

Hello everyone,

Recently I've realized that Windows XP Pro (SP1) secretly writes data
to hard-disk sector(s) that were beyond its
installation-partition boundaries; at that time I used a
basic Windows XP installation on a 3-GB partition,
and the rest of the harddisk was unformatted, for all Windows cared.

I should also mention that my WinXP partition is formatted on FAT32,
but I am capable of accessing NTFS partitions, if need be, using
NTFS4DOS, (which I didn't).

Obviously I was only able to discover that with
an MSDOS-run Disk Editor capable of accessing all 160 million
sectors of my 80GB hard disk, and making a text-based datafile
containing sector numbers (Cyl., Head, Sector + Index),
that was runnable under pure MSDOS mode available by booting
from a BootCD / BootDVD.

I wasn't quite sure what the nature of that data was,
and whether or not it was a copy of the swapfile
(e.g., PageFile.SYS), or some other data off RAM,
or maybe password(s) or other sensitive data
that I may have been working on prior to re-booting
from my BootDVD.

So my questions are:

1. Would anybody be familiar with that sector-writing stuff?
2. If so, what is the nature of the data written?
3. Would password(s) typed at MSDOS-based program(s), run within
Dos-Box windows, be secretly saved there too?
4. How am I to prevent that from happening?
5. How am I to erase such data?

Thanks much,
SCU


#2
10-22-2007, 10:30 PM
Mark Trimble
Guest
Re: Secret Sector Backdoor / Security Breach

Quoting Security.Concerned.User on Mon, 22 Oct 2007 17:02:09 +0000:

> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data to
> hard-disk sector(s) that were beyond its installation-partition
> boundaries; at that time I used a basic Windows XP installation on a
> 3-GB partition, and the rest of the harddisk was unformatted, for all
> Windows cared.
>
> I should also mention that my WinXP partition is formatted on FAT32, but
> I am capable of accessing NTFS partitions, if need be, using NTFS4DOS,
> (which I didn't).
>
> Obviously I was only able to discover that with an MSDOS-run Disk
> Editor capable of accessing all 160 million sectors of my 80GB hard
> disk, and making a text-based datafile containing sector numbers (Cyl.,
> Head, Sector + Index), that was runnable under pure MSDOS mode available
> by booting from a BootCD / BootDVD.
>
> I wasn't quite sure what the nature of that data was, and whether or not
> it was a copy of the swapfile (e.g., PageFile.SYS), or some other data
> off RAM, or maybe password(s) or other sensitive data that I may have
> been working on prior to re-booting from my BootDVD.
>
> So my questions are:
>
> 1. Would anybody be familiar with that sector-writing stuff?
> 2. If so, what is the nature of the data written?
> 3. Would password(s) typed at MSDOS-based program(s), run within
> Dos-Box windows, be secretly saved there too?
> 4. How am I to prevent that from happening?
> 5. How am I to erase such data?
>
> Thanks much,
> SCU


Problem exists between keyboard and chair.

There is NO way the OS can write beyond the partition; for the OS, the
rest of the drive does not exist.

#3
10-22-2007, 11:00 PM
Sebastian G.
Guest
Re: Secret Sector Backdoor / Security Breach

Mark Trimble wrote:

> Problem exists between keyboard and chair.

Likely, but not clear from the mentioned stuff.

> There is NO way the OS can write beyond the partition;

It can. Trivially. It has RAW access to the drive, and not touching various
partitions is a self-respecting limitation of the volume manager.

> for the OS, the rest of the drive does not exist.

Of course it does. It just typically doesn't care unless you instruct it to
do so.

As for what I think it could be: Windows read the partition table and found
it to be incorrect/inconsistent/imprecise, and therefore corrected it. Maybe
it was an x64 version and added an additional GUID-based partition table.
Maybe it considered the other partition as a dynamic volume and wrote a
specific signature into it.

Or, most likely, it's just the user seeing things that aren't there.

#4
10-23-2007, 02:51 PM
xpyttl
Guest
Re: Secret Sector Backdoor / Security Breach


"Sebastian G." <seppi@seppig.de> wrote in message
news:5o4obpFkpv93U1@mid.dfncis.de...

> Or, most likely, it's just the user seeing things that aren't there.


A number of manufacturers include a small, non-Windows partition to store
BIOS configuration information and some limited set of Windows configuration
files. In principle, they can then restore a completely dead system to at
least working in a relatively automated fashion. I've also seen laptop
manufacturers keep their hibernate image on a "hidden" partition, although I
haven't seen that in a while.

...



#5
10-23-2007, 07:30 PM
Frank Slootweg
Guest
Re: Secret Sector Backdoor / Security Breach

Security.Concerned.User@gmail.com wrote:
> Hello everyone,
>
> Recently I've realized that Windows XP Pro (SP1) secretly writes data
> to hard-disk sector(s) that were beyond its
> installation-partition boundaries; at that time I used a
> basic Windows XP installation on a 3-GB partition,
> and the rest of the harddisk was unformatted, for all Windows cared.


Was the XP partition the *first* partition (C:)? If not, then there's
your answer, because XP needs stuff on C: to boot.

Is your XP software a *retail* version (i.e. a box which you bought in
a store), or an 'OEM' version which came with your/a computer? If the
latter, then it may contain extra software which is stored in a hidden
partition. For example my HP OmniBook vt6200 has a hidden partition with
diagnostic programs.

As xpyttl mentioned, it may well be a hibernate partition. XP normally
uses a hibernate file, but IIRC it can still use a hibernate partition
(like Windows 2000).

BTW, *how* did you determine that XP/something writes beyond the
partition? You mentioned the *tool* you used ("an MSDOS-run Disk
Editor"), but not what the tool *showed*, let alone what made you look
in the first place.

[...]
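
Added example, not part of any post in this thread: one way to settle the "how did you determine that" question is to compare two raw snapshots of the disk, taken from outside Windows, and list the sectors that changed and lie outside every partition. The sketch assumes a classic MBR with primary entries only (no extended or GPT partitions) and 512-byte sectors; the sample image and all function names are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(image):
    """Return [(type, first_lba, sector_count)] for non-empty primary entries."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:   # byte 4 is the partition type
            parts.append((entry[4], first_lba, count))
    return parts

def changed_outside_partitions(before, after):
    """LBAs that differ between snapshots and that no partition in 'before' covers."""
    if len(before) != len(after):
        raise ValueError("snapshots differ in size")
    parts = parse_mbr(before)              # boundaries as they were originally
    changed = []
    for lba in range(len(before) // SECTOR):
        if any(start <= lba < start + n for _, start, n in parts):
            continue                       # inside a partition: writes are expected
        off = lba * SECTOR
        if before[off:off + SECTOR] != after[off:off + SECTOR]:
            changed.append(lba)
    return changed

def build_image(total=64, start=8, count=16):
    """Constructed sample: blank disk with one FAT32 (type 0x0B) primary partition."""
    img = bytearray(total * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0" * 3, 0x0B, b"\0" * 3,
                     start, count)
    img[510:512] = b"\x55\xaa"
    return img

if __name__ == "__main__":
    before = build_image()
    after = bytearray(before)
    after[10 * SECTOR] = 0x41   # constructed write inside the partition
    after[40 * SECTOR] = 0x42   # constructed write in unallocated space
    for lba in changed_outside_partitions(before, after):
        print(f"LBA {lba} changed outside every partition")
```

LBA 0 holds the partition table itself, so a rewritten table or disk signature, as suggested in post #3, would also show up in this list.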
