mSec

DiskGuard 1.9 Advisory
by mSec [www.msec.net]
April 20th 2001

Introduction
DiskGuard is a security program by Highware Inc, the same company that makes FileGuard. mSec has previously written an advisory on security breaches in FileGuard. Unfortunately, Highware has not taken notice of these holes, since later versions of FileGuard contain the same breaches. As a matter of fact, DiskGuard also contains similar holes.

DiskGuard can be used to password-protect hard drives and removable storage media. It also has other security features such as access limitation to certain folders, screen locking, etc. It has a simple user interface and may be able to provide low levels of protection for some users. It should, however, under no circumstances be used to protect "sensitive" information.

The Details
First of all, the security breaches pointed out in our previous advisory regarding FileGuard and EmergencyRemove still exist. EmergencyRemove is an application provided by Highware to remove the driver protection in case the administrator cannot access the hard drive in any other way. It requires the administrator's password to remove the protection. By changing one command in the application, however, EmergencyRemove can be altered in such a way that it accepts any password as the administrator's password, thus allowing anyone to remove the password protection from any protected drive.

The second security breach in DiskGuard is that it uses an extremely weak algorithm to encrypt the administrator's password. The administrator's and the alternative users' passwords are stored in an invisible file called SYSTEM VITAL in the root folder of the drive. The passwords are encrypted, but the method is extremely weak. Thus, once the encrypted password is found, it can easily be decrypted.
To demonstrate this last breach, mSec has put together a small application called DiskOffGuard 1.0 that enables anyone with access to the computer to decrypt the administrator's password. It can be downloaded from www.msec.net.
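
The storage weakness described above comes from keeping the password in a reversible form. The following is an added example, not code from mSec or Highware: it contrasts a constructed reversible scheme (a fixed-key XOR used only as a stand-in, since the advisory does not describe DiskGuard's algorithm) with a salted one-way verifier record that holds nothing to decrypt. The record layout, the MAGIC tag and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for reversible storage. NOT DiskGuard's algorithm,
# which the advisory does not describe.
FIXED_KEY = b"\x5a\xc3\x17\x88"  # hypothetical constant shipped in the program

def _xor(data: bytes) -> bytes:
    return bytes(b ^ FIXED_KEY[i % len(FIXED_KEY)] for i, b in enumerate(data))

def reversible_store(password: str) -> bytes:
    return _xor(password.encode("utf-8"))

def reversible_recover(blob: bytes) -> str:
    # Same constant, same operation: reading the file is enough.
    return _xor(blob).decode("utf-8")

# One-way verifier record: magic | iterations | salt | PBKDF2-HMAC-SHA256 digest
RECORD = struct.Struct(">4sI16s32s")
MAGIC = b"PWV1"  # hypothetical format tag

def make_record(password: str, iterations: int = 600_000) -> bytes:
    salt = os.urandom(16)  # per-record salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return RECORD.pack(MAGIC, iterations, salt, digest)

def verify(record: bytes, candidate: str) -> bool:
    if len(record) != RECORD.size:
        return False  # truncated or padded file
    magic, iterations, salt, digest = RECORD.unpack(record)
    if magic != MAGIC or not 100_000 <= iterations <= 10_000_000:
        return False  # damaged record, or work factor edited out of range
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(trial, digest)  # constant-time comparison

if __name__ == "__main__":
    pw = "constructed-admin-pw"  # constructed sample value
    print("reversible file gives back:", reversible_recover(reversible_store(pw)))
    rec = make_record(pw)
    print("verifier accepts right password:", verify(rec, pw))
    print("verifier accepts wrong password:", verify(rec, "guess"))
```

A verifier record only protects the stored password. It does not address the first breach, where the password check itself is altered; that requires the key protecting the drive to be derived from the password, so that skipping the check yields no usable key.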

Notice
Unfortunately, there is no way to protect a computer from these attacks other than not using software written by Highware. It seems that a modified version of EmergencyRemove can be used to remove hard drive protection regardless of which Highware software it was protected with. This is of course a very serious problem, and the only way around it is not to use software developed by Highware to protect sensitive information. That is, until they have managed to fix these breaches. However, since they haven't taken measures to close the security holes pointed out by mSec over two years ago, it is very unlikely that they will now either.

Disclaimer
The above-described security breaches are very real and may be exploited for "damaging" purposes. The objective of this advisory was NOT to encourage such behavior but simply to point out the existing security holes of DiskGuard 1.9. Therefore, neither mSec nor any of its past, current or future members will take any responsibility for any kind of damage that may result from any direct or indirect use of the information provided.

End Notes
These security breaches were found by mSec. If you would like to learn more about mSec, please visit our homepage at http://www.msec.net. You can also e-mail us for more information at support@msec.net.

Copyright © 1998-2001 mSec. All Rights Reserved. All trademarks remain the property of their respective holders.

