CVE-2023-4001: a vulnerability in the (downstream) GRUB boot manager
My DFIR Blog
by msuhanov
2M ago
One can set a password to protect the boot menu entries and the command-line shell of the GRUB boot manager (see the official manual and the Red Hat manual). This is an additional security measure to be used along with a BIOS/UEFI password (e.g., to protect corporate computers from unprivileged users trying to leverage their physical access to boot another operating system or to escalate the privileges in an installed operating system). Under the hood, this feature is implemented as two GRUB commands: “password” and “password_pbkdf2”. When one of these commands is issued with a proper set of a ..read more
Bringing unallocated data back: the FAT12/16/32 case
My DFIR Blog
by msuhanov
5M ago
Modern operating systems provide a way to increase the size of a given file without writing to it. In Unix-like operating systems, this is achieved through the truncate() and ftruncate() system calls. These calls allow programs to decrease or increase the file size. If the file size is decreased, data beyond the new end-of-file position is discarded (it can survive as deleted data, but there is no way to bring these bytes back by restoring the original file size). If the file size is increased, extra data (data after the old end-of-file position) is filled with null bytes. Internally, many mod ..read more
CVE-2023-4692, CVE-2023-4693: vulnerabilities in the GRUB boot manager
My DFIR Blog
by msuhanov
6M ago
The GRUB boot manager is more an operating system than a boot loader. For example, it has more than 20 file system types supported! This is a really wide attack surface… And, currently, GRUB is the default choice in the Secure Boot implementation using Microsoft-signed shims (but things are moving forward). Some time ago, I discovered two vulnerabilities (or three vulnerabilities, if we count a security issue which is almost unexploitable) in the NTFS driver of the GRUB boot manager. And here are some technical details… A heap overflow (CVE-2023-4692) The GRUB boot manager has some legacy code ..read more
CVE-2023-4273: a vulnerability in the Linux exFAT driver
My DFIR Blog
by msuhanov
7M ago
According to the exFAT file system specification, the maximum length of a file name is 255 characters (UTF-16LE): The FileName field shall contain a Unicode string, which is a portion of the file name. In the order File Name directory entries exist in a File directory entry set, FileName fields concatenate to form the file name for the File directory entry set. Given the length of the FileName field, 15 characters, and the maximum number of File Name directory entries, 17, the maximum length of the final, concatenated file name is 255. This limit wasn’t really enforced in the exFAT driver of ..read more
Do researchers handle exFAT volumes correctly?
My DFIR Blog
by msuhanov
1y ago
Let’s conduct a simple experiment. In the Ext4 file system, I create two files (“1.txt” and “2.txt”). touch 1.txt 2.txt Then, I gather file system metadata (including timestamps) for these files: sudo debugfs -R 'stat /path_to/the_file/1.txt' /dev/block_device sudo debugfs -R 'stat /path_to/the_file/2.txt' /dev/block_device In my case, the output is: For “1.txt”: Inode: 23918802 Type: regular Mode: 0644 Flags: 0x80000 Generation: 2882061095 Version: 0x00000000:00000001 User: 1000 Group: 1000 Project: 0 Size: 0 File ACL: 0 Links: 1 Blockcount: 0 Fragment: Address ..read more
ExFAT: orphan file name entries
My DFIR Blog
by msuhanov
2y ago
The exFAT file system was designed with Unicode file names and optional vendor-specific extensions in mind. To keep things simple, the file system specification allows the usage of multiple directory entries to describe a single file (so, additional file metadata is described in additional directory entries). This solution is similar to the VFAT extension for the FAT12/16/32 file systems, which was designed as a hack to the original file system format (originally, only one directory entry was used to describe a single file, so long file names were implemented as additional directory entries, w ..read more
MacOS & FAT directories
My DFIR Blog
by msuhanov
2y ago
Previously, I wrote about things you probably didn’t know about FAT. Now, let’s continue the story! In FAT12/16/32 file systems, each directory (except the root directory) contains two special entries: dot (“.”); dot-dot (“..”). The first one (dot) refers to the directory itself, while the second one (dot-dot) refers to the parent directory. Apparently, these entries were introduced to keep file system implementations simple, so there is no need to generate those entries on the fly (this is what happens to file systems not wasting their space to store dot and dot-dot entries in every directo ..read more
Things you probably didn’t know about FAT
My DFIR Blog
by msuhanov
2y ago
When I started researching FAT structures, I thought that FAT12/16/32 file systems are well-documented and nothing new can be discovered. There are specifications from Microsoft (DOC), ECMA (PDF), and an extremely informative article on Wikipedia. But there are two important things worth mentioning… First, starting from Windows 10 “Redstone 1”, EFS-based encryption is supported for FAT volumes. This feature is thoroughly described in US10726147B2. Encrypted files have the “.PFILE” extension and their 8.3 directory entries store additional metadata. In the current implementation, this metadata fits ..read more
The uppercased hell
My DFIR Blog
by msuhanov
2y ago
Recently, Microsoft warned users about compatibility issues with applications using some non-ASCII characters in names of their registry keys. According to Microsoft: Compatibility issues have been found between apps using some non-ASCII characters in their registry keys or subkeys and Windows 11. Affected apps might be unable to open and might cause other issues or errors in Windows, including the possibility of receiving an error with a blue screen. Important Affected registry keys with non-ASCII characters might not be able to be repaired. Sounds interesting! Before we start, here ar ..read more
Playing with case-insensitive file names
My DFIR Blog
by msuhanov
2y ago
Although NTFS has been designed with case-sensitivity in mind, it’s used mostly in the case-insensitive environment. One can natively store, within the same directory, two or more files with their names differing only in case, but Windows-based tools won’t deal with them correctly. To provide true case-sensitivity, Microsoft implemented an additional layer, per-directory case-sensitivity, as described here, here, and here. But there are several issues with usual, case-insensitive, operations… To implement a case-insensitive file system, one needs to compare two file names in a case-insensitive ..read more