Foolproof stores cleartext passwords in memory

Summary
Description:Foolproof security can be completely subverted by using a meory dumper/editor and finding the password sitting their in plaintext right after the string FOOLPROO . Of course, I have never seen a system that CAN secure Win95. The true solution is to upgrade to a decent OS that doesn't allow unprivileged users full access to the disk/memory/etc. I humbly suggest Linux, FreeBSD, OpenBSD, or Solaris.
Author:Mark M Marko <john__wayne@JUNO.COM>
Compromise:Break into Win95 machines protected by Foolproof.
Vulnerable Systems:Anyone relying on Foolproof for security on systems where users can manage to execute arbitrary commands (very difficult to prevent).
Date:21 February 1998
Details


Date: Sat, 21 Feb 1998 22:58:42 EST
From: Mark M Marko <john__wayne@JUNO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: FoolProof Insecurities

Howdy,

        I have found a weakness in the password impelementation of
FoolProof.  FoolProof is a software package used to secure workstations
and LAN client machines from DoS and other lame-ass attacks by protecting
system files (autoexec.bat, config.sys, system registry) and blocking
access to specified commands and control panels.  FoolProof was written
by Smart Stuff software originally for the Macintosh but recently
released for win3.x and win95.  All my information pertains directly to
versions 3.0 and 3.3 of both the 3.x and 95 versions but should be good
for all early versions if they exist.

        Since my high school bought a sight licence I have spent some
time playing with it.  It is capable of modifying the boot sequence on
win3.x machines to block the use of hot keys and prevent users from
breaking out of autoexec.  It also modifies the behavior of command.com
so that commands can be verified by a database and anything deemed
unesseccary or potentially malicious can be blocked (fdisk, format,
dosshell?, dir, erase, del. defrag, chkdsk, defrag, undelete, debug,
etc.).  Its windows clients provide for a way to log into/out of
FoolProof for privilaged access by using a password or hot key
assignment.  The newer instalation of 95 machines have a centralized
configuration database that lives on our NetWare server.

        My first success with breaking FoolProof passwords came by using
a hex editor to scan the windows swap file for anything that might be of
interested.  In the swap file I found the password in plain text.  I was
surprised but thought that it was something that would be simply
unavoidable and unpredictable.  Later though I used a memory editor on
the machine (95 loves it when I do that) and found that FoolProof stores
a copy of the user password IN PLAIN TEXT inside its TSR's memory space.

        To find a FoolProof password, simply search through conventional
memory for the string "FOOLPROO" (I don't knowwhat they did with that
last "F") and the next 128 bytes or so should contain two plaintext
passwords followed by the hot-key assignment.  For some reason FoolProof
keeps two passwords on the machine, the present one and a 'legacy'
password (the one you used before you _thought_ it was changed).  There
exist a few memory viewers/editors but it isn't much effort to write
something.

        Getting to a point where you can execute something can be
difficult but isn't impossible.  I found that it is more difficult to do
this on the win3.x machines because FoolProof isn't compromised by the
operating system it sits on top of; basicly getting a dos prompt is up to
you (try file manager if you can).  95 is easier because it is very
simple to convince 95 that it should start up into Safe-Mode and then
creating a shortcut in the StartUp group to your editor and then
rebooting the machine (FoolProof doesn't get a chance to load in safe
mode).

        I tried to talk to someone at SmartStuff but they don't seem to
care what trouble their simple minded users might get into.  They told me
I must be wrong because they use 128 bit encryption on the disk.
Apparently they don't even know how their own software works because the
utility they provide to recover lost passwords requires some 32+
character master password that is hardwired into each installation.

JohnWayne

_____________________________________________________________________
You don't need to buy Internet access to use free Internet e-mail.
Get completely free e-mail from Juno at http://www.juno.com
Or call Juno at (800) 654-JUNO [654-5866]

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault