Fortres4-analysis.txt
Posted by Frost Byte on packetstormsecurity.com, Apr 12, 2000 (PACKETSTORM:17552)
Fortres 4.0, An Overview.
By: Frost_Byte [S/I]
Date: April 11, 2000
-----------------------------
  
Introduction:  
  
This is my first formal document, so please excuse the crudity of the  
wording and grammar.  
  
<disclaimer> This document is solely for the purpose of informing
individuals of a flaw within a program herein explained. By no means is
this to deface or harm the company in any way, but rather to initiate
further work to create a much more secure program. People should be
held accountable for their own actions, and this is only a descriptive
document. </disclaimer>
  
-----------------------------  
  
Program Description (a brief look):  
  
Fortres is a program used to secure the shell of a Windows-based system.
The program has, since its initial release, become a widely used security
medium. Schools, libraries, and other such institutions use it as a means
of stopping problems before they start. (Personally, I think that if it
were properly configured to allow access throughout the system but to
not allow modifications, the average user would not even know of its
presence and it would be a much more effective tool. One of the major
problems is that when people are first introduced to Windows, they
associate the "Start" button with [as the little arrow says in Windows]
"begin by clicking here". Most users feel very ill towards the software
simply because they cannot use the "Start" button.) The program initially
loads from within the Autoexec.bat by executing "FGSA.EXE", which loads
the "fgcfs.386" Virtual Device Driver into memory (allowing Fortres to
operate throughout Windows without losing priority). FGSA.EXE contains
a flaw in which, when a password is entered (a prompt is produced when
both Shift keys are pressed while FGSA executes), even if an incorrect
password is typed, the correct password is left in memory in plaintext.
After Windows has begun, Fortres.exe is executed and the "protecting"
has begun. Fortres.exe (in 4.0) is merely a loader for the file
"FGCNWRK.DLL". This Dynamic Link Library houses the password dialog, the
actual "blocking" code restricting users, and several other Fortres-related
features. If the DLL is unloaded, security is no longer in effect. When
Control-Shift-Escape is pressed, several things happen. First, a logo
appears in the lower right of the screen. Then a dialog box appears with
a number of 5 or so characters (if the Backdoor password feature is enabled).
This number allows people who have lost their passwords to call Fortres
Tech Support and get the correct backdoor key. If the backdoor key is
entered (either +(number) or -(number)) and deemed valid, the Appmanager
opens and you are prompted with "The password file is corrupt, enter a new
password", even though you do not have to put in another password. If the
person enters the actual password, the appmgr.set and appmgr.net files are
opened, decoded, and the passwords are compared. Finally, a commonly used
option is one where clicking upon the "Start" button brings up a dialog to
shut down the computer.
  
  
-----------------------------  
  
Flaw Explanation:
  
The flaw is simply the fact that the encoding method that is used is weak
and not hidden very well. Anyone can rip assembly code, but I feel it is
best to understand exactly what the program is doing and "put it in your
own words". To illustrate this point, I have included the decoding routine
not as assembly, but rather as Quick Basic code. I simply hope that FGC
puts more effort into their encoding methods. (The Backdoor numerics
routine is a rather good one, simply because of my lack of knowledge of
floating point operations. Granted, I could simply rip out the code,
but I'm not trying to get my name out and harm FGC; I just continue
learning as time progresses, and hope that by releasing this and anything
further the company makes further efforts for protection and
that people continue learning and analysing products with great
attention to detail.)
  
-----------------------------  
  
Closing Arguments:  
  
Enclosed is the source code which can be used to decode Fortres 4.0
passwords. The only real flaw with the code is the password length (as
it stands, it decodes characters until either 25 characters have been
decoded or the ASCII value of the character is >= 128 or <= 13). I have had
this code for quite some time, though I haven't worked on it for about 4
months now. I simply assumed that I'd release it, seeing as how if I don't,
someone else will.
  
(I started working on the Backdoor Numeric password(s) a while back but
stopped. I'll probably start back on it when I'm not working on anything
else. I have the code that generates the code, but I'm having a little
difficulty with the Floating Point operands. When I get it all worked out,
I'll come up with a pen-to-paper shortcut.) I would like to conclude by
stating that I applied to FGC to Beta test their MasterLock program.
Therein seems to reside a terrible concept of putting absolutely all of
your personal information into a/some file(s)...apparently not considering
the probability that it could be compromised. If I did obtain a Beta, I
would have tried to circumvent that flaw and I would have promptly notified
them. They didn't allow me to Beta test, however, and I shall simply say
that it was quite a disappointment.
  
----------------------------------------  
  
The Source:  
  
Here is the source code. It isn't really documented, but who doesn't
know BASIC? I have dubbed this code "Project Ashley" (for various
reasons)...and I hope that by reading this document you have carried away
some bit of information that will come in handy in the future. After
all, "Ashley" was quite a learning experience. "Ashley" is still one
of the greatest things I've had the privilege to take part in, and I
wish it could be done again.
  
--------------------------------------------------------------------------------------------------  
DC.BAS - QBasic Source code (very easily changed to VB)
--------------------------------------------------------------------------------------------------  
PRINT "Frost_Byte FGC4 Decoder..."
IF COMMAND$ = "" THEN PRINT "You Must Specify a Filename": PRINT "(ex. 'dc appmgr.set')": END
ON ERROR GOTO nono
OPEN COMMAND$ FOR BINARY AS #1
edx$ = "."                      ' one-byte buffers for GET
edi$ = "."
q = 5                           ' first stored password byte is at offset 5, then every 18 bytes
DO
GET #1, q, edi$                 ' stored (encoded) password byte
GET #1, 455 - a, edx$           ' mask byte, read downward from offset 455
a = a + 1
q = q + 18
cx = (a - 1)                    ' zero-based index of this character
ax = (cx * 3) MOD 256
ax = ax - ASC(edx$)
IF ax < 0 THEN ax = 256 + ax
ax = (ax + ASC(edi$)) MOD 256   ' plain = stored + 3*index - mask (mod 256)
t = t + 1
IF ax <= 13 THEN GOTO nada      ' stop on control bytes, non-ASCII bytes, or lowercase letters
IF ax >= 128 THEN GOTO nada
IF CHR$(ax) <> UCASE$(CHR$(ax)) THEN GOTO nada
code$ = code$ + CHR$(ax)
LOOP UNTIL t >= 25
nada:
PRINT "Your code is -> "; code$
CLOSE #1
nono:
END
-----------------------------------------  
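Added example, not part of the original document and not Fortres or FGC code: a Python port of the DC.BAS routine above, an encoder constructed only to build a sample settings-file image in memory, and beside it the salted PBKDF2 record a settings file should hold instead, so that reading the file yields nothing reversible. The offsets 5, 18 and 455 come from the BASIC code; the password, mask bytes and iteration count are constructed.

```python
import hashlib
import hmac
import os

# Offsets taken from the DC.BAS routine on this page (QBasic GET offsets are 1-based):
# password byte i is stored at offset 5 + 18*i, its mask byte at offset 455 - i.
PLAIN_BASE, PLAIN_STRIDE, MASK_BASE, MAX_LEN = 5, 18, 455, 25
ITER = 200_000  # PBKDF2 iteration count for the hardened record (assumed, not from the page)

def fortres_decode(data: bytes) -> str:
    """Port of the page's decoder: recover the stored password from a settings-file image."""
    out = []
    for i in range(MAX_LEN):
        stored = data[PLAIN_BASE - 1 + PLAIN_STRIDE * i]
        mask = data[MASK_BASE - 1 - i]
        ch = (stored + 3 * i - mask) % 256
        # Same stop rule as the BASIC: control byte, non-ASCII byte, or a lowercase letter.
        if ch <= 13 or ch >= 128 or chr(ch) != chr(ch).upper():
            break
        out.append(chr(ch))
    return "".join(out)

def fortres_encode(password: str, mask: bytes) -> bytes:
    """Inverse of the decoder, written here to build a sample image (not from the page).
    `mask` supplies the bytes kept at offsets 455, 454, ...; a zero byte ends the password."""
    if len(password) > MAX_LEN - 2:
        raise ValueError("password too long for the 455-byte layout")
    buf = bytearray(MASK_BASE)
    for i, plain in enumerate([ord(c) for c in password] + [0]):
        buf[MASK_BASE - 1 - i] = mask[i]
        buf[PLAIN_BASE - 1 + PLAIN_STRIDE * i] = (plain - 3 * i + mask[i]) % 256
    return bytes(buf)

def hashed_record(password: str, salt: bytes = b"") -> bytes:
    """What a settings file should hold instead: salt || PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def verify_hashed(record: bytes, candidate: str) -> bool:
    salt, digest = record[:16], record[16:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITER)
    return hmac.compare_digest(digest, probe)

if __name__ == "__main__":
    # Constructed sample: mask bytes are arbitrary filler, the password is "LIBRARY7".
    image = fortres_encode("LIBRARY7", bytes(range(200, 225)))
    print("recovered from encoded image:", fortres_decode(image))   # LIBRARY7
    rec = hashed_record("LIBRARY7")
    print("hashed record verifies:", verify_hashed(rec, "LIBRARY7"), verify_hashed(rec, "LIBRARY8"))
```

The point of the contrast: the mask bytes sit in the same file as the masked password, so anyone who can read appmgr.set holds everything needed to reverse the encoding, whereas the hashed record lets the program check a password without storing anything that can be turned back into it.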
  