Piriform CCleaner Wiped Filename Recovery

Advisory: KL-001-2015-002
Author: Don Allison of KoreLogic
Published: May 18, 2015
Source: korelogic.com

CVSS2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

    Attack Vector: LOCAL
    Attack Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: NONE
    Availability Impact: NONE

EPSS: 0 (Percentile: 5.1%)

  1. Vulnerability Details

    Affected Vendor: Piriform
    Affected Product: CCleaner
    Affected Version: 3.26.0.1988 - 5.02.5101
    Platform: Microsoft Windows 7 x64 Service Pack 1
    CWE Classification: CWE-200: Information Exposure
    Impact: Information Exposure
    Attack vector: Local
    CVE-ID: CVE-2015-3999

  2. Vulnerability Description

    The use of CCleaner is encountered at times during forensic
    investigations of computer systems. It has a secure deletion
    mode where it can overwrite data, filenames, and free
    space. Overwriting files and filenames removes the chance to
    recover the data and subject it to further analyses. Due to
    how the software works, CCleaner will actually tell you the
    names of files that it wiped.

  3. Technical Description

    Filenames are overwritten with the letter “Z” when CCleaner
    is tasked to overwrite files. On an NTFS formatted drive,
    the filename records in the Master File Table are replaced
    with the letter “Z”. For example, a file named “TEST.TXT”
    will have each character in the name overwritten with the
    letter Z and will be renamed to “ZZZZ.ZZZ” after the process is
    completed. As CCleaner was executing, the filename
    “TEST.TXT” was seen being written out to disk a few times,
    followed by the pattern “ZZZZ.ZZZ”. The other filenames being
    overwritten were handled in the same fashion. This pattern of
    overwriting filenames was found in the unallocated space of
    the hard drive. The search results looked like this:

    TEST.TXT
    TEST.TXT
    TEST.TXT
    ZZZZ.ZZZ
    ZZZZ.ZZZ
    ZZZZ.ZZZ
    
    TEST1.TXT
    TEST1.TXT
    TEST1.TXT
    ZZZZZ.ZZZ
    ZZZZZ.ZZZ
    ZZZZZ.ZZZ
    

    Once some original filenames are recovered, the analyst can
    attempt to use them to locate other references, fragments in
    unallocated space, etc.
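
The search described in section 3, as an added example that is not part of the KoreLogic advisory: it scans a raw buffer for a filename that is followed shortly afterwards by its own Z mask. The function names, the 4096-byte proximity window, and the restriction to ASCII names stored as UTF-16LE are assumptions of this sketch; the sample buffer is constructed.

```python
import re

# Runs of 4+ printable ASCII characters stored as UTF-16LE, the encoding NTFS
# uses for filenames. Assumption: the wiped names are plain ASCII.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def z_mask(name):
    """Mask a name as in the advisory's example: all but '.' becomes 'Z'."""
    return "".join("." if c == "." else "Z" for c in name)


def recover_wiped_names(data, window=4096):
    """Map each candidate original name to the offsets where it is followed,
    within `window` bytes (an assumed heuristic), by its own Z mask."""
    hits = [(m.start(), m.group().decode("utf-16-le"))
            for m in UTF16_RUN.finditer(data)]
    recovered = {}
    for i, (off, text) in enumerate(hits):
        if text == z_mask(text):
            continue  # already a mask, nothing to recover
        for later_off, later in hits[i + 1:]:
            if later_off - off > window:
                break
            if later == z_mask(text):
                recovered.setdefault(text, []).append(off)
                break
    return recovered


def utf16(s):
    return s.encode("utf-16-le")


# Constructed sample standing in for unallocated space: the sequence from the
# advisory plus one name (NOTES.DOC) that has no mask after it.
NAMES = (["TEST.TXT"] * 3 + ["ZZZZ.ZZZ"] * 3 +
         ["TEST1.TXT"] * 3 + ["ZZZZZ.ZZZ"] * 3 + ["NOTES.DOC"])
SAMPLE = b"\xff" * 16 + b"\x00\x00".join(utf16(n) for n in NAMES)

if __name__ == "__main__":
    for name, offsets in recover_wiped_names(SAMPLE).items():
        print(f"{name} -> {z_mask(name)} at offsets {offsets}")
```

Requiring the mask to appear after the name keeps ordinary filenames that merely share a length with some mask, such as NOTES.DOC in the sample, out of the results.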

  4. Mitigation and Remediation Recommendation

    None

  5. Credit

    This vulnerability was discovered by Don Allison of KoreLogic
    Security, Inc.

  6. Disclosure Timeline

    2015.02.18 - Initial contact; requested PGP key from Piriform.
    2015.02.23 - Second contact attempt.
    2015.02.25 - Piriform responds, asks for KoreLogic to submit
    details to [email protected].
    2015.03.02 - KoreLogic submits vulnerability report to Piriform.
    2015.03.02 - Piriform confirms receipt of the report.
    2015.04.22 - KoreLogic requests an update on the status of this
    issue.
    2015.05.04 - 45 business days have elapsed since Piriform
    acknowledged receipt of the KoreLogic report.
    2015.05.15 - KoreLogic requests CVE from Mitre.
    2015.05.15 - Mitre issues CVE-2015-3999.
    2015.05.18 - Public disclosure.

  7. Proof of Concept

    N/A

Affected configurations

Vulners
Node
    piriform ccleaner, Range 3.26.0.1988
    OR
    piriform ccleaner, Range 5.02.5101

    Vendor: piriform
    Product: ccleaner
    Version: *
    CPE: cpe:2.3:a:piriform:ccleaner:*:*:*:*:*:*:*:*
