Security Forums

Deep Freeze In Deep Trouble

Networking/Security Forums Index -> Windows
superdude
Posted: Mon Oct 24, 2005 6:50 am    Post subject: Deep Freeze In Deep Trouble

A black-hat computer programmer in Argentina with a grudge against Faronics, Emiliano Scavuzzo, has written a program to thaw Deep Freeze without knowing the password. It works on almost ALL versions of Deep Freeze, including the latest version, v5.60.120.1347, which recently came out (Oct-20-2005) to supposedly be immune to his program—it's not! You can use Deep Unfreezer to test for the vulnerability on your own machines:

Deep Freeze Unfreezer
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html

Method 1:

To perform the test you must first acquire DebugPrivileges (removed by Deep Freeze) by escalating to NT_AUTHORITY (the System account) using Task Scheduler from the command line:

1) at 11:23pm /interactive taskmgr.exe (add one or two minutes to the current time)
2) End Task explorer.exe
3) File / New Task (Run...) Enter explorer.exe to launch the explorer shell under the System account which has Debug Privileges
4) Run Deep Unfreezer from the System account.

Method 2:

OR, use ntrights.exe from the Windows Server 2003 Resource Kit, a free download, http://tinyurl.com/6p6cy, to grant yourself the SeDebugPrivilege.
Syntax: ntrights -u Users +r SeDebugPrivilege
If you use ntrights, you must logoff and logon again for the privilege to take effect.

Then run Deep Unfreezer, View Status, click on the Boot Thawed button, Save Status, and restart the machine. If the machine reboots in thawed mode, your version of Deep Freeze is vulnerable, and you should take measures to provide additional security on your machines.

Deep Freeze Evaluation versions are also vulnerable to this attack. Deep Freeze Evaluation versions can be taken off machines by an attacker by forwarding the system date past 60 days, which will expire Deep Freeze, causing the computer to restart in thawed mode and allowing Deep Freeze to be uninstalled. If you're using an evaluation version of Deep Freeze, here's how to perform this test:

Method 1:

1) Switch to the System account, as described above
2) Double-click the time in the system tray
3) Forward the date past 60 days
4) Restart in thawed mode
5) Use DeepFreezeSTDEval.exe to uninstall Deep Freeze. Deep Freeze is not uninstalled through Add/Remove Programs. It is uninstalled with the installation file, and ONLY with the installation file. Yes, the same file is used to install and uninstall. If you don't have it, download it here. It's a free download:

Deep Freeze Evaluation -Trial Version - v5.60.120.1347
http://www.faronics.com/exe/DeepFreezeSTDEval.exe

Method 2:

Or, use ntrights.exe from the Windows Server 2003 Resource Kit to grant yourself the SeSystemtimePrivilege.
Syntax: ntrights -u Users +r SeSystemtimePrivilege
You must logoff and logon again for the new privilege to take effect.

Special Note:

Faronics came out with v5.60.120.1347 on 10-20-2005 as a response to Deep Unfreezer. It proved to be an impotent move. Emiliano's response to the new version? "rename frzstate2k.exe to anything else. Then attach to DF5Serve.exe instead". Does that work? Yes, it does. Thus, the newest version of Deep Freeze, intended to thwart Deep Unfreezer, continues to be vulnerable.

Deep Freeze protects over four million computers world-wide and over one million Macs (Yes, there's a Deep Freeze for Mac).

Most Deep Freeze installations around the world are vulnerable to this attack. At this time Faronics does not have a fix, nor an immune version. If you are a network administrator in charge of maintaining a network of machines protected by Deep Freeze, please be advised of this situation and be prepared.

One of the main issues is the fact that so many computers these days allow Administrator status. Even a lot of internet cafes use Windows XP Home edition, with the user logged in as Administrator. The developers at Faronics are committed, however, to protecting the machine even from Administrators! The problem with that is, as you know, whatever is taken away from an Administrator, the Administrator can give back to himself. So if, for example, Deep Freeze removes DebugPrivileges, users can simply grant it back to themselves.

Another issue is their commitment to non-restrictive use. Their commitment with Deep Freeze is to protect the machine non-restrictively. That has worked... until now. I think they may be forced at this point to admit Administrator accounts can't be guaranteed protection any longer. Unless they can secure these issues, I don't see any other way.
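Editor's note: both of superdude's methods above rest on the same thing, an account with Administrator rights handing SeDebugPrivilege (to attach to the Deep Freeze service) or SeSystemtimePrivilege (to move the clock past the evaluation limit) back to ordinary users. If you administer a lab, the check you want is whether that has happened on your machines. The script below is an added example, not from the post and not Faronics' code; it parses the [Privilege Rights] section of a user-rights export made with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and flags sensitive rights held by broad groups (Users, Everyone, Authenticated Users, INTERACTIVE, Guests). The SID-to-name table covers only the well-known built-in SIDs; anything else is reported as a raw SID. SAMPLE_INF is a constructed export that looks like a box where `ntrights -u Users +r SeDebugPrivilege` and `ntrights -u Users +r SeSystemtimePrivilege` were run.

```python
"""Audit a 'secedit /export' user-rights dump for privileges handed back to users.

Added example, not from the forum post or from Faronics. Run on the Windows box:

    secedit /export /cfg rights.inf /areas USER_RIGHTS
    python audit_rights.py rights.inf

With no argument the constructed SAMPLE_INF below is audited instead.
"""
import sys

# Well-known SIDs that mean "more or less every interactive user".
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}
KNOWN_SIDS = {
    **BROAD_SIDS,
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
}
# The two rights the post's attacks need, plus two that reach the same end by
# another route (assumption: you care about those as well).
SENSITIVE = {
    "SeDebugPrivilege": "attach to the Deep Freeze service (Deep Unfreezer route)",
    "SeSystemtimePrivilege": "move the clock past the 60-day evaluation limit",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeLoadDriverPrivilege": "load a kernel driver beneath Deep Freeze's own",
}

# Constructed sample, not a real export: Users has been given two rights back.
SAMPLE_INF = """\
; constructed sample
[Unicode]
Unicode=yes
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-545
SeLoadDriverPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.

    secedit writes one line per right:  SeFoo = *S-1-5-32-544,*S-1-5-19
    A leading '*' marks a SID, which is mapped to a name when known; anything
    else is kept verbatim. Other sections of the INF are ignored.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = []
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if item.startswith("*"):
                sid = item[1:]
                principals.append(KNOWN_SIDS.get(sid, sid))
            else:
                principals.append(item)
        rights[name.strip()] = principals
    return rights


def find_regranted(rights):
    """List (privilege, broad_holders, why) for sensitive rights held by broad groups."""
    broad_names = set(BROAD_SIDS.values())
    findings = []
    for priv, why in SENSITIVE.items():
        broad = sorted(h for h in rights.get(priv, []) if h in broad_names)
        if broad:
            findings.append((priv, broad, why))
    return findings


def load_inf(path):
    """secedit writes UTF-16 with a BOM; older tools write the ANSI code page."""
    data = open(path, "rb").read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


if __name__ == "__main__":
    text = load_inf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INF
    for priv, holders, why in find_regranted(parse_privilege_rights(text)):
        print(f"{priv}: granted to {', '.join(holders)} -> can {why}")
```

On the constructed sample this reports SeDebugPrivilege and SeSystemtimePrivilege as granted to Users; SeShutdownPrivilege is left alone because it is not in the sensitive list, and SeLoadDriverPrivilege held only by Administrators is not flagged. Note the limits the post itself points out: this tells you whether the right has been handed back in the local policy, but an Administrator can re-grant it at any time, and the `at /interactive` trick in Method 1 gets a SYSTEM token without changing the policy at all, so this is a detective control for a lab, not a fix.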
PhiBer (SF Mod)
Posted: Tue Oct 25, 2005 8:01 am

Interesting article, thanks for the information. I will have to try the suggested attacks against the lab I maintain. Didn't Faronics offer like a $25,000 reward for anyone who could crack their software at one point?
superdude
Posted: Tue Oct 25, 2005 8:11 am    Post subject: Reward

Yes, but not $25,000!

It was $500. They offered it at Educational Technology trade shows.

I heard that only two or three individuals in the history of the program ever claimed the prize.

When Deep Freeze first came out its main focus was Windows 9x. So, it was a lot easier then to claim the prize. Nowadays, it's a lot harder. But, as you know, vulnerabilities popup all the time. Stuff that was sitting there the whole time and nobody noticed. Then one day, somebody publishes it and gets famous. Not only with Deep Freeze, but with other programs too.

There are whole web sites devoted to discovered vulnerabilities.
neobloodline
Posted: Thu Oct 27, 2005 2:20 pm

Wow.. thanks for the info. I was unaware of this..
Bannerd
Posted: Tue Nov 15, 2005 7:56 pm

Deep Freeze has been getting hacked for years. I myself attended a college and it took me less than 25 minutes to break Deep Freeze. I must have missed that reward.
Wizzle
Posted: Tue Nov 15, 2005 11:30 pm

Has anyone ever cracked the Clean Slate from Fortres?
Bannerd
Posted: Fri Nov 18, 2005 5:23 pm

Yeah, here is what you do: boot a Knoppix CD and delete the main .exe file. If you can't boot to the BIOS because it's locked, pop open the case, remove the motherboard battery and wait 15 seconds. Then put it back in. Boot from the CD and go. Sometimes colleges will solder the battery onto the motherboard. Bring a jumper with you, pop open the case and set the jumper next to the battery. Start the machine and reboot it; that will reset everything.

There are so many ways to hack these type of programs.

Another method is bootable Linux floppies. Boot the floppy in Windows and you will have a holographic shell at your fingertips. From here you can kill any process. Or create a program with the same .exe name and execute it; Windows will say an error has occurred, please end task. Then delete the .exe in the program folder, reboot, and presto. There are lots of methods to hack these apps. When you create the .exe make sure you have all the correct paths and run it at high priority.
crashme
Posted: Fri Nov 18, 2005 8:56 pm

The good news is that DeepFreeze is not the only option.
Jphillips
Posted: Sat Nov 19, 2005 5:07 am    Post subject: Since we're talking about Deep Freeze

Since we're talking about Deep Freeze...

I run the Windows & Mac clients at our local high school. I've been using Deep Freeze in the past, but it has become too much of a "broad sword". It doesn't let you manipulate the configuration enough. Example: I would like to be able to "thaw" the Documents and Settings folder, so that the clients would not have to continually reset minuscule options (i.e. when you open Word it asks for your name and initials) and so on. But with Deep Freeze it seems to be all or nothing.
I have read the sticky about the new crack for "thawing" the machine. It only makes me want to switch to something else more.
My only real need is to keep the "students" from making changes to the system and its core configuration, but not to have the machine wiped every time it is rebooted.
I have been looking around for alternatives; Altiris makes a product called "Protect" which, from what I've read, is very similar.
My question is: has anyone used Protect or anything similar that may be able to fit my needs?

Thank you in advance
crashme
Posted: Sat Nov 19, 2005 10:36 pm

Those solutions may be expensive. Try a program called Recover Pro from Phoenix Technologies. It works great for me and is very scalable to most environments. Their employees are always very helpful as well.

http://www.phoenix.com/en/Products/Trusted+Applications/Phoenix+FirstWare/FirstWare+Recover+Pro+2004/default.htm
PSTUBb
Posted: Fri Jun 09, 2006 12:06 am

Our school uses DeepFreeze (or some other program that basically does the same thing) but I haven't tried to do anything for fear there is a keylogger or something.

This might sound noobish if I'm wrong but couldn't I just use a process viewer like PrcView and kill the process, then use another program to list all startup programs and stop it from starting up?
rubi
Posted: Mon Jul 24, 2006 6:59 am

But can this program only make a PC vulnerable if the attacker has access to it (physical access, I mean), or can it also be done remotely, without it being possible to type or work directly on it?

I have another question related to this program. I use Deep Freeze protecting C: and I'd need to know where the updates for Windows are stored, and which files the changes are made in; this way I can copy these folders, and can copy them later on.

I don't know if it's right to put it in here; if not I'll open a new topic.

Thanks in advance, cheers.
redhat123
Posted: Fri Oct 13, 2006 1:12 pm

I am following the tutorial on how to unfreeze DeepFreeze from http://www.ethicalhacker.net/compone...9/topic,658.0/. I am very close to disabling it but I'm currently stuck at these steps:

Quote:
Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).
In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

VERSION/VALUE
4.20.020.0598 / 40368D
4.20.120.0598 / 40368D
4.20.121.0613 / 4034F5
5.20.220.1125 / 4037E9
5.30.120.1181 / 4037E9
The program will jump to the line of code.


My question is: What is the correct value for version 6.00.220.1523?

Thanks.
All times are GMT + 2 Hours