
Newly found TrueCrypt flaws - aburan28
http://www.itworld.com/article/2987438/newly-found-truecrypt-flaw-allows-full-system-compromise.html
======
striking
...which is why you should be using VeraCrypt
([https://veracrypt.codeplex.com/](https://veracrypt.codeplex.com/), the
actively-developed fork of Truecrypt)

~~~
jordigh
Hm, how did they fork and change the license? Or are they just hoping the
TrueCrypt authors never attempt to enforce their license?

~~~
imaginenore
If TrueCrypt authors are anonymous, can they even claim that they own that
codebase?

~~~
mapt
In theory? Sure.

In actual legal practice? Probably not if they want to retain anonymity.

~~~
DannyBee
False. See below. Even if they wanted to enforce copyright, they can register
as a pseudonym. They can also enforce in court under a pseudonym, as long as
they can prove it's the same person with the registration.

Which may be tricky.

~~~
SEJeff
In the US Legal System, an accuser has to face the defendant. Not sure how
they can do that and remain anonymous.

~~~
DannyBee
That's criminal, and something afforded to defendants.

In the civil system, which is where copyright resides, you can simply be
represented by counsel and never appear at all :)

This happens all the time.

~~~
SEJeff
touche!

------
ejcx
Just to let people know: I did some digging into this yesterday.

Here are the pull requests that fix the bugs.

    https://veracrypt.codeplex.com/SourceControl/changeset/cf4794372e5dea753b6310f1ca6912c6bfa86d45
    https://veracrypt.codeplex.com/SourceControl/changeset/0d9239178bab3332d0f9c911de89f6f80b65d2d1

The first version of truecrypt that is vulnerable to the accessToken bug was
6.1a, which is roughly 4 years ago. I didn't look into the other bug
though....4 years was enough for me....

If you want to do the digging into release dates, I would check this repo.
This was the only archive of truecrypt code I could find.
[https://github.com/DrWhax/truecrypt-archive](https://github.com/DrWhax/truecrypt-archive)

If you ask me, a much more serious bug would be going from an encrypted hard
drive to an unencrypted hard drive... Local Privilege Escalation is definitely
a bad bug, but it's not anywhere as bad as it could be.

~~~
chdir
> This was the only archive of truecrypt code I could find

There's also [https://github.com/AuditProject/truecrypt-verified-mirror](https://github.com/AuditProject/truecrypt-verified-mirror)
(maintained by opencryptoaudit.org)

------
devit
This is just the Windows driver enabling local privilege escalation.

~~~
patrickmn
"just"

~~~
forgotpasswd3x
From the title, I assumed it allowed disk decryption.

~~~
wyldfire
Agreed, that would've been much worse.

------
orf
Here are the commits that fix the issues in VeraCrypt (a fork of TrueCrypt):
[https://veracrypt.codeplex.com/SourceControl/changeset/cf479...](https://veracrypt.codeplex.com/SourceControl/changeset/cf4794372e5dea753b6310f1ca6912c6bfa86d45)
and
[https://veracrypt.codeplex.com/SourceControl/changeset/0d923...](https://veracrypt.codeplex.com/SourceControl/changeset/0d9239178bab3332d0f9c911de89f6f80b65d2d1)

They are a lot shorter than I expected.

------
okasaki
Only on Windows? If so, it should be in the title.

~~~
ticktocktick
Every instance of this story omits the 'Windows only' part. It is sort of
pertinent.

------
soggypretzels
Can someone explain why this is not just something that Microsoft should patch
in Windows? i.e. how is this not just a Windows vulnerability that you can use
TrueCrypt to take advantage of? Why are drivers able to escalate privilege at
all?

~~~
TillE
A driver is kernel-mode code that's written in C. It can do just about
anything, and when there's a bug, you're in trouble.

I'd like to see Microsoft allow more drivers to run in user-mode, but this is
just the risk you take when installing drivers. Microsoft has been tightening
driver signing requirements, so you can at least be sure they're from a known
source.

------
lovemetender
You can set a program on Windows 10 so that all users must be an administrator
to run it; not sure about past Windows OS versions, but probably.

~~~
jlgaddis
You could technically do that using NTFS permissions.
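
An added example (not from the thread or from any of the commenters) of what
that NTFS-permissions approach looks like in practice, using `icacls` from
PowerShell to make a program launchable only by Administrators and SYSTEM. The
executable path is a placeholder assumption.

```powershell
# Added example: restrict execution of a program to Administrators via its NTFS ACL.
# The path below is a placeholder assumption, not a path from the thread.
$exe = 'C:\Program Files\ExampleApp\example.exe'

# Drop inherited ACEs so the explicit grants below are the only ones that apply
icacls $exe /inheritance:r

# Grant full control to Administrators and SYSTEM only; no other principal gets an ACE,
# so standard users cannot read or execute the file at all
icacls $exe /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)'

# Show the resulting ACL so the change can be verified
icacls $exe
```

Two caveats a practitioner would want. First, with UAC enabled, an administrator's
non-elevated processes carry the Administrators group as deny-only, so after this
change the program only launches from an elevated context, which is the "must be
an administrator to run" behaviour the comment above describes. Second, this only
controls who can start the program: it does nothing about a kernel driver that is
already loaded, which is where the bug in this thread lives, so the fix for that is
updating the driver, not tightening the ACL on the executable.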

------
leppie
Let me guess, this has something to do with SUBST.

~~~
wyldfire
Wow, I hope you're joking but I can't quite tell. :/

------
cgtyoder
So much for that great "audit" of the code.

~~~
lawnchair_larry
I've seen this a lot in response to this bug.

I did not realize how poorly the general "tech savvy" public apparently
misunderstands software security.

Auditing is closer to an art than a science. For any real software, no two
auditors will find the same set of bugs.

Think of it as similar to QA. If you write some complex software from scratch,
and give it to 1 tester to do one pass on it, do you expect every bug was
found and fixed?

Like security audits, you'll still be finding bugs for years, or in some cases
even decades, that were sitting there all along.

------
randyrand
Local machine privilege escalation and "full system compromise" are SOOOOOO
vastly not of the same magnitude at all. This click bait title is obnoxious.

I don't even _have_ non privileged users on my windows machine. Most end users
don't. This could only really matter in some corporate environments but even
my windows machine at work has full admin privileges.

~~~
drzaiusapelord
Well, who is the target? Corporate and government customers are obviously
important especially when we consider the various cyberwars going on and how
much private and trusted data these companies have on us. Priv escalations are
scary in my world. In the world of grandma's vacation photos? Not so much.

This is a major, major vulnerability, no doubt about it. Shame TC has a hacky
Windows driver to make its pseudo-drive features work. Anything that installs
a driver is dangerous in the world of Windows as it has high level
permissions. I imagine organizations with strong security policies wouldn't
run this and instead just run some PGP variant that doesn't use any customized
Windows drivers.

> I don't even have non privileged users on my windows machine.

Technically, you do if you have the UAC enabled. You're only really an admin
after UAC runs, at least in most cases. From what I'm reading this should work
around the UAC if the driver is running at SYSTEM level.

~~~
randyrand
> Technically, you do if you have the UAC enabled.

Interesting. Makes sense.

