Vulnerability

    FoolProof

Affected

    Win 3.x, Win95

Description

    'Mark  M.   Marko'  has   found  a   weakness  in   the   password
    impelementation of  FoolProof.   FoolProof is  a software  package
    used to secure workstations and  LAN client machines from DoS  and
    other lame-ass attacks  by protecting system  files (autoexec.bat,
    config.sys,  system  registry)  and  blocking  access to specified
    commands and control panels.  FoolProof was written by Smart Stuff
    software originally  for the  Macintosh but  recently released for
    win3.x  and  win95.   All  information  here  pertains directly to
    versions 3.0 and 3.3  of both the 3.x  and 95 versions but  should
    be good for all early versions if they exist.

    This program is capable of  modifying the boot sequence on  win3.x
    machines  to  block  the  use  of  hot keys and prevent users from
    breaking  out  of  autoexec.   It  also  modifies  the behavior of
    command.com so  that commands  can be  verified by  a database and
    anything  deemed  unesseccary  or  potentially  malicious  can  be
    blocked  (fdisk,  format,  dosshell?,  dir,  erase,  del.  defrag,
    chkdsk,  defrag,  undelete,  debug,  etc.).   Its  windows clients
    provide for  a way  to log  into/out of  FoolProof for  privilaged
    access  by  using  a  password  or  hot key assignment.  The newer
    instalation  of  95  machines  have  a  centralized  configuration
    database that lives on our NetWare server.

    First  success  with  breaking  FoolProof  passwords came by using
    a hex editor to scan the windows swap file for anything that might
    be of interested.  In the  swap file you can find the  password in
    plain text.  If  you use a memory  editor on the machine  you will
    find that FoolProof  stores a copy  of the user  password IN PLAIN
    TEXT inside its TSR's memory space.

    To find a FoolProof  password, simply search through  conventional
    memory for the string "FOOLPROO" (I don't know what they did  with
    that last "F")  and the next  128 bytes or  so should contain  two
    plaintext passwords followed by the hot-key assignment.  For  some
    reason FoolProof keeps two  passwords on the machine,  the present
    one and a 'legacy' password (the one you used before you _thought_
    it was changed).  There exist a few memory viewers/editors but  it
    isn't much effort to write something.

    It is  more difficult  to do  this on  the win3.x machines because
    FoolProof isn't compromised by the operating system it sits on top
    of; basicly getting a dos prompt is up to you (try file manager if
    you can).  95 is easier  because it is very simple to  convince 95
    that  it  should  start  up  into  Safe-Mode  and  then creating a
    shortcut in the  StartUp group to  your editor and  then rebooting
    the machine (FoolProof doesn't get a chance to load in safe mode).

    FoolProof also doesn't protect the  'Press Del to enter Setup'  at
    bootup, so you can reset the boot sector to default (this works on
    some models where it resets  the boot sector to factory  default),
    which I think bypasses the F5 thing.  Before that happens  though,
    the boot sector has to be in memory already (the old one), so that
    the system can replace the new one with the old one.

Solution

    This is  true for  some cases,  but the  latest FoolProof allows a
    option that will  prompt for a  password if someone  presses F5 or
    F8 at bootup.   It will then  allow you unlimited  tries, but  you
    can't resume normal bootup unless you reboot.