Written: 23rd May 1999
Last updated: 19th May 2001
This is a small program written in Delphi (v5.0, though it should compile on earlier versions). It demonstrates a serious security flaw in the basic operation of the ScramDisk application.
Normally, to mount a SVL file, the user performs the following steps:
The security flaw occurs between steps 2 and 3: at this point the password is held in plaintext in the ScramDisk driver's cache, where it can be read easily by a covert "sniffer" program (i.e. a trivial program such as this one).
This flaw is due to GETPASSWORDBUFFER in the VxD, and it appears even if you enter your passwords using the RED screen, defeating the object of this otherwise pretty neat feature.
This attack is effective under the Windows 9x/Me v2.02h and v3.xx versions of ScramDisk. The Windows NT/2000 versions of ScramDisk do not appear to be affected by this attack.
Download the demonstration executable with full source code
To demonstrate this vulnerability: run the compiled "sniffer" executable in this archive and click the "Automatic/Manual" button to turn on automatic refresh. Next, follow the steps described above to mount a ScramDisk volume.
This software has been verified to correctly sniff passwords from ScramDisk v3, although you may have to set the interval to something small, such as 1ms, and switch on automatic sniffing.
If you have ScramDisk v3 installed, manual sniffing will only be of any use after you have entered a set of passwords for a volume which did not then mount successfully (e.g. if you entered the wrong passwords for the volume).
Additional:
ScramDisk v3.xx has improved password handling, but is still vulnerable to this attack. In this version, between the time that the user enters their passwords and the next volume is successfully mounted, the most recent set of passwords to be entered can be "sniffed" straight from the driver. This means that if the user mistypes their password, then from that point up until the user enters the correct passwords and mounts a volume, the incorrect passwords can be sniffed. This may not sound particularly worrying; however, if the incorrect passwords entered were, say, one character off (i.e. the user made a typo), an attacker will still have the vast majority of the real passwords, greatly reducing the security of the volume. If the user were to mistype their passwords on several occasions, making slightly different typos each time, an attacker could trivially determine the correct passwords.
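To make the last point concrete, the following is an added example (it is not code from this page or from ScramDisk) of what an attacker does with a handful of sniffed near-miss attempts. It assumes each failed attempt is one typo away from the real password (a single substitution, insertion or deletion over printable ASCII) and intersects the edit-distance-1 neighbourhoods of the sniffed strings. The real password and the three attempts are constructed sample data.

```python
"""Recover a password from sniffed near-miss attempts.

Added example, not part of the original page or of ScramDisk. Models the
ScramDisk v3 situation described above: every failed mount leaks a string
that is one typo away from the real password. The attempts below are
constructed sample data.
"""
import string

# Assumption: a typo is a single substitution, insertion or deletion, and
# the sniffed buffer holds printable ASCII.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def neighbours(word: str, alphabet: str = ALPHABET) -> set:
    """All strings within edit distance 1 of `word`, including `word`."""
    out = {word}
    for i in range(len(word) + 1):
        for c in alphabet:                      # insertion before position i
            out.add(word[:i] + c + word[i:])
        if i < len(word):
            out.add(word[:i] + word[i + 1:])    # deletion of position i
            for c in alphabet:                  # substitution at position i
                out.add(word[:i] + c + word[i + 1:])
    return out


def candidates(attempts, alphabet: str = ALPHABET) -> set:
    """Passwords consistent with every sniffed attempt being one typo away.

    Each attempt rules out everything outside its own neighbourhood, so the
    candidate set is the intersection of the neighbourhoods.
    """
    cands = None
    for attempt in attempts:
        n = neighbours(attempt, alphabet)
        cands = n if cands is None else cands & n
    return cands if cands is not None else set()


# Constructed sample: the real password and three sniffed failed attempts,
# each with a different single typo (two substitutions and one deletion).
REAL = "Tr0ub4dor&3"
ATTEMPTS = ["Tr0ub4dor&4", "Tr0ubador&3", "Tr0ub4dr&3"]


def search_space_sizes(attempts) -> list:
    """Number of candidates left after each successive sniffed attempt."""
    return [len(candidates(attempts[:k])) for k in range(1, len(attempts) + 1)]


if __name__ == "__main__":
    for k, size in enumerate(search_space_sizes(ATTEMPTS), start=1):
        print(f"after {k} sniffed attempt(s): {size} candidate(s)")
    print("recovered:", candidates(ATTEMPTS))
```

A single sniffed attempt already shrinks the search from the whole password space to a couple of thousand strings, which is a trivial number of mount attempts; a second and third typo collapse it to the real password alone.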
Working out the full potential of this design problem is left as an exercise for the reader; though it should be pretty obvious that it would be trivial to:
Full source for the demonstration is enclosed. If you wish to compile the source code yourself, you will need to download a copy of the latest Delphi Components.
If you do want to compile your own version of this demonstration: download and install the original TkrScramDisk component and add it to your library path. Compile the modified component and add that to your library path. Finally, compile the demonstration program.
This flaw still appears even if you enter your passwords using the RED screen.
It should be noted that this software appears ineffective against the Windows NT/2000 versions of ScramDisk.
Thanks go to Aman for creating an otherwise fantastic program (ScramDisk) and to Andy Jeffries at Kwik-Rite Development, who wrote the original Delphi ScramDisk component (TkrScramDisk) on which the OTFEScramDisk component was based.
Email me at: sdean12@sdean12.org
Return to the Attacking OTFE; Known Security Flaws in Certain OTFE Systems page