foolproof-PC.txt

1999-08-17T00:00:00
ID PACKETSTORM:15159
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Wed, 4 Nov 1998 15:55:09 -0500  
From: Krish Jagannathan <krisjag@JUNO.COM>  
To: BUGTRAQ@netspace.org  
Subject: FoolProof for PC Exploit  
  
I figured this much out -- if you are running on FoolProof for the PC  
(Win9x) and you boot up in safe mode (with or without network support) it  
will bypass the FoolProof TSR and enable full privileges, even deleting  
the FoolProof directory.  
---  
Krish Jagannathan  
krisjag@juno.com  
YCHJCYADTKCF  
  
___________________________________________________________________  
  
Date: Mon, 9 Nov 1998 15:48:36 -0500  
From: Erik Soroka <erik@kirenet.com>  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
On Wed, 4 Nov 1998 15:55:09 -0500, Krish Jagannathan wrote:  
  
>I figured this much out -- if you are running on FoolProof for the PC  
>(Win9x) and you boot up in safe mode (with or without network support) it  
>will bypass the FoolProof TSR and enable full privileges, even deleting  
>the FoolProof directory.  
  
Another point of reference dealing with this program (and a much cleaner  
approach) -- FoolProof for Windows 9x stores the administrator password in  
plaintext in the Windows Swap file. All you have to do is boot up into safe  
mode (as mentioned above), copy the swap file to a temporary filename, reboot  
into windows and use a hex editor to search the swapfile for the string,  
"FOOLPROO" and right after will be the actual password.  
  
  
foolproof - adj. (1) "so simple, plain, or reliable as to leave no opportunity  
for error, misuse, or failure..."  
  
  
The name of this "security" program doesn't seem to fit the numerous bugs and  
glitches it has -- however it is a neat program with some nice features that  
might come in handy on systems accessible to the public.  
  
Enjoy.  
  
  
  
  
______________________________________________________________  
  
Erik M. Soroka (NIC: ES2600) | Voice/Fax: 508.669.5208  
KIREnet Communications Inc. | Page/Beep: 978.629.3322  
Web: http://www.kirenet.com | E-Mail: erik@kirenet.com  
______________________________________________________________  
  
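The leak Erik describes (the administrator password sitting in plaintext in the swap file, right after a "FOOLPROO" marker) is the kind of thing an administrator can verify from the defending side without any hex-editor work: if you know the password you configured, scan the swap image for it. The following is an added example, not code from the thread or from SmartStuff; the swap fragment and the password `s3cretpw` are constructed, and the check looks for the secret both as plain ASCII and as a UTF-16LE wide string, which is how Win32 string APIs often keep text in memory.

```python
"""Secret-residue check for a swap/page-file image (added example).

Given a known administrator password, report every offset at which it
appears in plaintext, and flag hits that sit directly after the product
marker the thread reports ("FOOLPROO"). Assumes the image is readable
after booting into safe mode and copying the swap file, as in the thread.
"""
import re

# Constructed sample image: filler, marker + password (ASCII), filler,
# and a second copy of the password as a UTF-16LE wide string.
SAMPLE_SWAP = (
    b"\x00" * 64
    + b"random pagefile noise...."
    + b"FOOLPROO" + b"s3cretpw" + b"\x00"
    + b"more noise"
    + "s3cretpw".encode("utf-16-le")
    + b"\x00" * 32
)


def find_secret_residue(image: bytes, secret: str, context: int = 8):
    """Return (offset, encoding, preceding_bytes) for each plaintext
    occurrence of `secret`, checking ASCII and UTF-16LE encodings."""
    findings = []
    for enc in ("ascii", "utf-16-le"):
        needle = secret.encode(enc)
        for m in re.finditer(re.escape(needle), image):
            start = m.start()
            findings.append((start, enc, image[max(0, start - context):start]))
    return findings


def leaked_by_marker(findings, marker: bytes = b"FOOLPROO"):
    """Offsets whose preceding bytes end with the product marker, i.e. the
    marker-then-password layout described in the thread."""
    return [off for off, _, before in findings if before.endswith(marker)]


if __name__ == "__main__":
    hits = find_secret_residue(SAMPLE_SWAP, "s3cretpw")
    for off, enc, before in hits:
        print(f"plaintext secret at offset {off} ({enc}), preceded by {before!r}")
    print("marker-adjacent hits:", leaked_by_marker(hits))
```

A clean result (no findings) after the product has been running is the condition an administrator would want before trusting that a fix shipped; any finding means the secret is recoverable from disk by anyone who can read the swap file.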
___________________________________________________________________  
  
Date: Mon, 9 Nov 1998 14:56:21 -0600  
From: axon <axon2017@STUDENTS.JOHNCO.CC.KS.US>  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
<See Original Message Below>  
  
This works for the macintosh as well. Holding <SHIFT> down while booting  
bypasses extensions. FoolProof for mac does not load, and ZAP! Away  
with foolproof (or just to temporarily get it out of your way... just  
because you can.) I'm not really a Macintosh guy, but when that's all  
you're given on campus through most of your highschool years, you'll  
learn to tinker. Also, if you use the resource editor to open up  
foolproof Macintosh, you can find a (poorly) encoded password. It's  
been 2 or 3 years, but I think it was derived from base 64 or something  
silly like that, but memory may serve me incorrectly. Play around. You  
may be able to find some registry goodies with FoolProof for Win95 (or if  
it doesn't do registry handling...you mentioned it's a TSR), maybe break  
out your hex editor on some configuration files.  
  
axon  
-Editor-in-chief, Hackers Information Report E-Zine  
http://hir.home.ml.org  
"A Hacker of the Light..."  
  
___________________________________________________________________  
  
Date: Mon, 9 Nov 1998 13:04:52 -0800  
From: Darren Rogers <DROGERS@CI.SIMI-VALLEY.CA.US>  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
Actually, this works for pretty much any Win9x 'security' add-on. If the startup menu is disabled (most add-on hacks let you do this  
without the text file editing normally required), a well-timed flick of the power switch will enable you to start in safe mode.  
DJ  
  
>>> Krish Jagannathan <krisjag@JUNO.COM> 11/04 12:55 PM >>>  
I figured this much out -- if you are running on FoolProof for the PC  
(Win9x) and you boot up in safe mode (with or without network support) it  
will bypass the FoolProof TSR and enable full privileges, even deleting  
the FoolProof directory.  
---  
Krish Jagannathan  
krisjag@juno.com  
YCHJCYADTKCF  
___________________________________________________________________  
  
Date: Mon, 9 Nov 1998 13:04:53 -0800  
From: The Tree of Life <ttol@STUPH.ORG>  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
This is true for some cases, but the latest FoolProof allows an option that  
will prompt for a password if someone presses F5 or F8 at bootup. It will  
then allow you unlimited tries, but you can't resume normal bootup unless  
you reboot. FoolProof also doesn't protect the 'Press Del to enter Setup'  
at bootup, so you can reset the boot sector to default (this works on some  
models where it resets the boot sector to factory default), which I think  
bypasses the F5 thing. Before that happens though, the boot sector has to  
be in memory already (the old one), so that the system can replace the new  
one with the old one.  
  
Oh, I've seen a QB program where it records keystrokes, even ctrl and  
shift. Since FoolProof doesn't allow people to run programs externally,  
but could open up a text file, just load the .bas file in QB.EXE and maybe  
if someone could get it to run in low priority (background process), it  
could capture the hotkey.  
  
Another thing is that I *think* it is possible (I'll try it tomorrow in  
school) to copy command.com onto a disk, rename it to temp.txt, and  
load it in WordPad. Then save it as c:\windows\help\wordpad.hlp (answer  
no when it asks you to convert it), and go to Help and you'll be dropped  
to DOS.  
  
I hope that helps.  
  
btw: That gay jester at startup sucks..it's very annoying :)  
  
-t  
  
.--------------------------------------------------------------------------.  
|The Media and the Monster: Which is the Creator and which is the creation?|  
|--------------------------------------------------------------------------|  
| System Administrator/DNS Network Administrator/Keeper of Gods |  
|Kalifornia.com (c)1998 | ttol@stuph.org | http://www.ttol.stuph.org|  
`--------------------------------------------------------------------------'  
  
___________________________________________________________________  
  
Date: Mon, 9 Nov 1998 20:23:07 -0800  
From: William Tiemann <maxinux@BIGFOOT.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
On Wed, 4 Nov 1998, Krish Jagannathan wrote:  
  
>I figured this much out -- if you are running on FoolProof for the PC  
>(Win9x) and you boot up in safe mode (with or without network support) it  
>will bypass the FoolProof TSR and enable full privileges, even deleting  
>the FoolProof directory.  
>---  
>Krish Jagannathan  
>krisjag@juno.com  
>YCHJCYADTKCF  
  
This may be true (in fact it is true) but is a sign that your administrator  
forgot or did not know about F8. This was the case at a school I know  
that just set up FoolProof, forgot F8, and diskette booting, but that was  
negligence.  
So here is another problem in FoolProof.  
  
Bug/flaw:  
  
A bug that for all intents and purposes is a bug. If you can execute 'echo'  
with 4 command line arguments you can disable (essentially delete)  
FoolProof.  
  
Implication:  
  
Disable _protection_ (if you can call it that) from FoolProof.  
  
Exploit:  
echo Hi > c:\fool95\fooltsr.exe  
Do this with every file in the foolproof dir (The install directory may  
vary).  
  
Fix:  
  
Run a UN*X OS instead of a Microsoft product?  
Seriously though, I have not looked into side effects (or if it is even possible)  
of disabling 'echo', so make all files in the FoolProof dir (and elsewhere  
throughout the computer, I have not looked for them all) read only so you  
_can't_ write to them, but also disable attrib changes.  
  
  
  
  
  
-- Max Inux <maxinux@openpgp.net> Hey Christy!!! KeyID 0x8907E9E5  
Kinky Sex makes the world go round O R Strong crypto makes the world safe  
If crypto is outlawed only outlaws will have crypto  
Fingerprint(Photo Also): 259D 59F7 D98C CD73 1ACD 54Ea 6C43 4877 8907 E9E5  
  
___________________________________________________________________  
  
Date: Tue, 10 Nov 1998 22:31:43 GMT  
From: pcsupport <pcsupport@smartstuff.com>, pcsupport@smartstuff.com  
To: BUGTRAQ@netspace.org  
Subject: Re: FoolProof for PC Exploit  
  
Michael,  
  
We are perfectly aware that on older versions of FP the password is visible  
with a hex editor. But since any school would be foolish to allow such  
programs to run in the first place, the issue is a dead end 99.9% of the  
time. This is not military style, espionage-level security - it is for public  
workstations with restricted purposes and limited applications.  
  
As you indicated, typical computers are exceedingly simple to understand and  
horse around with. We agree, and appreciate that most high schoolers can  
easily grasp what is required to operate and even program computers. This  
should not be surprising to anyone.  
  
That being said, the point of security for most schools is one of convenience  
and very casual play with the machines by students. FoolProof can be  
configured to be very hard to break indeed, but some schools simply do not  
want to configure it in that fashion - and they may well be right if they  
know their students well.  
  
Don't worry - more encryption and more features are always in the works. Take  
care,  
  
SmartStuff Software Technical Support  
800-671-3999  
  
  
Michael Ballbach, ballbach@lorien.ml.org writes:  
[ I'm cc'ing smartstuff, maybe this time they'll hear us. Smartstuff, feel  
free to contact me for more information on what I know. The following  
refers to foolproof v1 - v3, on a mac. ]  
  
Holding shift to bypass foolproof on a mac is ineffective if you enable  
the disable foolproof bypass on extension bypass option or however it's  
phrased in there.  
  
The password is not base64 encoded, and depending on the version there are  
various (very poor) methods of trying to obscure it, in the preference  
files for versions prior to 3, the password sticks out like a sore thumb,  
and with versions 3+ it's a tad more obscure, but the method of encryption  
has not changed.  
  
I broke the encryption my freshman year in high school and it took about  
an hour with a piece of paper and a hex editor, I didn't even use a  
calculator. The base conversions took the most time. (ok ok two pieces of  
paper)  
  
Perhaps these issues coming into the public will force smartstuff to do  
something about it, I've contacted them many times and they either ignore  
me, or some guy that has no clue what's happening replies and blows me  
off.  
  
I'd publish the encryption details but doing so would compromise the  
security of thousands of machines (including the ones I used to run), and  
I don't think that's worth it... (I think smartstuff would agree) It's a  
good program overall, but they really picked a very poor method of  
encryption for a program that's supposed to protect machines at  
educational institutions... Christ, I'm a high school dropout and it  
wasn't a challenge for me.  
  