Date: Wed, 4 Nov 1998 15:55:09 -0500
From: Krish Jagannathan
To: BUGTRAQ@netspace.org
Subject: FoolProof for PC Exploit

I figured this much out -- if you are running on FoolProof for the PC (Win9x) and you boot up in safe mode (with or without network support) it will bypass the FoolProof TSR and enable full privileges, even deleting the FoolProof directory.

---
Krish Jagannathan
krisjag@juno.com
YCHJCYADTKCF

___________________________________________________________________

Date: Mon, 9 Nov 1998 15:48:36 -0500
From: Erik Soroka
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

On Wed, 4 Nov 1998 15:55:09 -0500, Krish Jagannathan wrote:

>I figured this much out -- if you are running on FoolProof for the PC
>(Win9x) and you boot up in safe mode (with or without network support) it
>will bypass the FoolProof TSR and enable full privileges, even deleting
>the FoolProof directory.

Another point of reference dealing with this program (and a much cleaner approach) -- FoolProof for Windows 9x stores the administrator password in plaintext in the Windows swap file. All you have to do is boot up into safe mode (as mentioned above), copy the swap file to a temporary filename, reboot into Windows and use a hex editor to search the swap file for the string "FOOLPROO", and right after will be the actual password.

foolproof - adj. (1) "so simple, plain, or reliable as to leave no opportunity for error, misuse, or failure..."

The name of this "security" program doesn't seem to fit the numerous bugs and glitches it has -- however it is a neat program with some nice features that might come in handy on systems accessible to the public.

Enjoy.

______________________________________________________________
Erik M. Soroka (NIC: ES2600)  | Voice/Fax: 508.669.5208
KIREnet Communications Inc.   | Page/Beep: 978.629.3322
Web: http://www.kirenet.com   | E-Mail: erik@kirenet.com
______________________________________________________________

___________________________________________________________________

Date: Mon, 9 Nov 1998 14:56:21 -0600
From: axon
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

This works for the Macintosh as well. Holding down while booting bypasses extensions. FoolProof for Mac does not load, and ZAP! Away with FoolProof (or just to temporarily get it out of your way... just because you can.) I'm not really a Macintosh guy, but when that's all you're given on campus through most of your high school years, you'll learn to tinker.

Also, if you use the resource editor to open up FoolProof Macintosh, you can find a (poorly) encoded password. It's been 2 or 3 years, but I think it was derived from base 64 or something silly like that, but memory may serve me incorrectly. Play around.

You may be able to find some registry goodies with FoolProof for Win95 (or if it doesn't do registry handling... you mentioned it's a TSR), maybe break out your hex editor on some configuration files.

-Editor-in-chief, Hackers Information Report E-Zine
http://hir.home.ml.org
"A Hacker of the Light..."

___________________________________________________________________

Date: Mon, 9 Nov 1998 13:04:52 -0800
From: Darren Rogers
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

Actually, this works for pretty much any Win9x 'security' add-on. If the startup menu is disabled (most add-on hacks let you do this without the text file editing normally required), a well-timed flick of the power switch will enable you to start in safe mode.

DJ

>>> Krish Jagannathan 11/04 12:55 PM >>>
I figured this much out -- if you are running on FoolProof for the PC (Win9x) and you boot up in safe mode (with or without network support) it will bypass the FoolProof TSR and enable full privileges, even deleting the FoolProof directory.

---
Krish Jagannathan
krisjag@juno.com
YCHJCYADTKCF

___________________________________________________________________

Date: Mon, 9 Nov 1998 13:04:53 -0800
From: The Tree of Life
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

This is true for some cases, but the latest FoolProof allows an option that will prompt for a password if someone presses F5 or F8 at bootup. It will then allow you unlimited tries, but you can't resume normal bootup unless you reboot.

FoolProof also doesn't protect the 'Press Del to enter Setup' at bootup, so you can reset the boot sector to default (this works on some models where it resets the boot sector to factory default), which I think bypasses the F5 thing. Before that happens though, the boot sector has to be in memory already (the old one), so that the system can replace the new one with the old one.

Oh, I've seen a QB program where it records keystrokes, even ctrl and shift. Since FoolProof doesn't allow people to run programs externally, but could open up a text file, just load the .bas file in QB.EXE and maybe if someone could get it to run in low priority (background process), it could capture the hotkey.

Another thing is that I *think* it is possible (I'll try it tomorrow in school) to copy command.com onto a disk, rename it to temp.txt, and load it in WordPad. Then save it as c:\windows\help\wordpad.hlp (answer no when it asks you to convert it), and go to help and you'll be dropped to DOS.

I hope that helps.

btw: That gay jester at startup sucks.. it's very annoying :)

-t

.--------------------------------------------------------------------------.
|The Media and the Monster: Which is the Creator and which is the creation?|
|--------------------------------------------------------------------------|
| System Administrator/DNS Network Administrator/Keeper of Gods            |
|Kalifornia.com (c)1998 | ttol@stuph.org | http://www.ttol.stuph.org       |
`--------------------------------------------------------------------------'

___________________________________________________________________

Date: Mon, 9 Nov 1998 20:23:07 -0800
From: William Tiemann
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

On Wed, 4 Nov 1998, Krish Jagannathan wrote:

>I figured this much out -- if you are running on FoolProof for the PC
>(Win9x) and you boot up in safe mode (with or without network support) it
>will bypass the FoolProof TSR and enable full privileges, even deleting
>the FoolProof directory.
>---
>Krish Jagannathan
>krisjag@juno.com
>YCHJCYADTKCF

This may be true (in fact it is true) but is a sign that your administrator forgot or did not know about F8. This was the case at a school I know that just set up FoolProof, forgot F8, and diskette booting, but that was negligence. So here is another problem in FoolProof.

Bug/flaw: A bug that for all intensive purposes is a bug. If you can execute 'echo' with 4 command line arguments you can disable (essentially delete) FoolProof.

Implication: Disable _protection_ (if you can call it that) from FoolProof.

Exploit: echo Hi > c:\fool95\fooltsr.exe

Do this with every file in the FoolProof dir (the install directory may vary).

Fix: Run a UN*X OS instead of a Microsoft product? Seriously though, I have not looked into side effects (or if even possible) to disable 'echo', so making all files in the FoolProof dir (and elsewhere throughout the computer, have not looked for them all) read only so you _can't_ write to them, but also disable attrib changes.

--
Max Inux
Hey Christy!!!
KeyID 0x8907E9E5
Kinky Sex makes the world go round  O R  Strong crypto makes the world safe
If crypto is outlawed only outlaws will have crypto
Fingerprint (Photo Also): 259D 59F7 D98C CD73 1ACD 54Ea 6C43 4877 8907 E9E5

___________________________________________________________________

Date: Tue, 10 Nov 1998 22:31:43 GMT
From: pcsupport, pcsupport@smartstuff.com
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit

Michael,

We are perfectly aware that on older versions of FP the password is visible with a hex editor. But since any school would be foolish to allow such programs to run in the first place, the issue is a dead end 99.9% of the time. This is not military style, espionage-level security - it is for public workstations with restricted purposes and limited applications.

As you indicated, typical computers are exceedingly simple to understand and horse around with. We agree, and appreciate that most high schoolers can easily grasp what is required to operate and even program computers. This should not be surprising to anyone.

That being said, the point of security for most schools is one of convenience and very casual play with the machines by students. FoolProof can be configured to be very hard to break indeed, but some schools simply do not want to configure it in that fashion - and they may well be right if they know their students well.

Don't worry - more encryption and more features are always in the works.

Take care,
SmartStuff Software Technical Support
800-671-3999

Michael Ballbach, ballbach@lorien.ml.org writes:

[ I'm cc'ing smartstuff, maybe this time they'll hear us. Smartstuff, feel free to contact me for more information on what I know. The following refers to foolproof v1 - v3, on a mac. ]

Holding shift to bypass foolproof on a mac is ineffective if you enable the disable foolproof bypass on extension bypass option or however it's phrased in there.

The password is not base64 encoded, and depending on the version there are various (very poor) methods of trying to obscure it. In the preference files for versions prior to 3, the password sticks out like a sore thumb, and with versions 3+ it's a tad more obscure, but the method of encryption has not changed. I broke the encryption my freshman year in high school and it took about an hour with a piece of paper and a hex editor; I didn't even use a calculator. The base conversions took the most time. (ok ok two pieces of paper)

Perhaps these issues coming into the public will force smartstuff to do something about it. I've contacted them many times and they either ignore me, or some guy that has no clue what's happening replies and blows me off. I'd publish the encryption details but doing so would compromise the security of thousands of machines (including the ones I used to run), and I don't think that's worth it... (I think smartstuff would agree)

It's a good program overall, but they really picked a very poor method of encryption for a program that's supposed to protect machines at educational institutions... Christ, I'm a high school dropout and it wasn't a challenge for me.