j***@gmail.com
2005-10-25 16:55:40 UTC
A black-hat computer programmer in Argentina with a grudge against
Faronics, Emiliano Scavuzzo, has written a program to thaw Deep Freeze
without knowing the password. It works on almost ALL versions of Deep
Freeze, including the latest version, v5.60.120.1347, released
Oct-20-2005 to supposedly thwart his program-it does not! You can use
Deep Unfreezer to test for the vulnerability on your own machines:
(Disclaimer: this tutorial and information is provided as is, and is
intended for network administrators currently using Deep Freeze on
their networks, to provide them with up-to-date vulnerability
information on the inherent security flaws in the Deep Freeze program.
It is intended to be used for testing purposes only, and is not to be
construed as a "hacking tutorial on how to hack Deep Freeze". Author is
not responsible for abuse of this information. At the end of the
article are a couple of tips on how to secure your machines running
vulnerable Deep Freeze installations.)
Deep Freeze Unfreezer
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html
Method 1:
To perform the test you must first grant yourself the "Debug Programs"
privilege (revoked by Deep Freeze) by escalating to the Local System
account using Task Scheduler from the command line (Start/run, cmd):
1) Type: at 11:23pm /interactive taskmgr.exe (add one or two minutes
from the current time). [ENTER]
2) Once Task Manager launches, End Task explorer.exe
3) On the Task Manager menu, choose File / New Task (Run...), Type
explorer.exe to launch the explorer shell under the System account
which has Debug Privileges
4) Run Deep Unfreezer from the System account.
Or,
Method 2:
Use ntrights.exe from the Windows Server 2003 Resource Kit, a free
download, http://tinyurl.com/6p6cy, to grant yourself the
SeDebugPrivilege.
Syntax: ntrights -u Users +r SeDebugPrivilege
If you use ntrights, you must be the only user logged on, and you must
logoff and logon again before the privilege takes effect. [If desired,
you can use showpriv.exe, also from the Resouce Kit, to enumerate
SeDebugPrivilege privileges for users and groups after logging off and
logging on again to verify that the privilege has actually been granted
to your account.]
Then run Deep Unfreezer, View Status, click on the Boot Thawed button,
Save Status, and restart the machine. If the machine reboots in thawed
mode, your version of Deep Freeze is vulnerable, and you should take
measures to provide additional security on your machines.
Deep Freeze Evaluation versions are also vulnerable to this attack.
Deep Freeze Evaluation versions can be taken off machines by an
attacker by forwarding the system date past 60-days which will expire
Deep Freeze, causing the computer to restart in thawed mode, allowing
Deep Freeze to be uninstalled. If you're using an evaluation version of
Deep Freeze, here's how to perform this test:
Method 1:
1) Switch to the System account, as described above
2) Double-click the time in the system tray
3) Forward the date past 60-days
4) Restart in thawed mode
5) Use DeepFreezeSTDEval.exe to uninstall Deep Freeze. Deep Freeze is
not uninstalled through Add/Remove Programs. It is uninstalled with the
installation file, and ONLY with the installation file. Yes, the same
file is used to install and uninstall. If you don't have it, download
it here. It's a free download:
Deep Freeze Evaluation -Trial Version - v5.60.120.1347
http://www.faronics.com/exe/DeepFreezeSTDEval.exe
Or,
Method 2:
Use ntrights.exe from the Windows Server 2003 Resource Kit to grant
yourself the SeSystemtimePrivilege.
Syntax: ntrights -u Users +r SeSystemtimePrivilege
You must logoff and logon again for the new privilege to take effect.
Special Note:
Faronics came out with v5.60.120.1347 on 10-20-2005 as a response to
Deep Unfreezer. It proved to be an impotent move. Emiliano's response
to the new version? "rename frzstate2k.exe to anything else. Then
attach to DF5Serve.exe instead". Does that work? Yes, it does. Thus,
the newest version of Deep Freeze, intended to thwart Deep Unfreezer,
continues to be vulnerable.
Deep Freeze protects over four million computers world-wide and over
one million Macs (yes, there's a Deep Freeze for Mac). And most of them
are vulnerable to this attack (not sure about the Macs though). At this
time Faronics does not have a fix, nor an immune version. If you are a
network administrator in charge of maintaining a network of machines
protected by Deep Freeze, please be advised of this situation and be
prepared.
Faronics does not seem to be taking this seriously. They only made a
token effort to thwart Deep Unfreezer in their latest version. Until
they get serious about things, Deep Freeze is going to be melting away
in the eyes of those who have grown to love and trust the program.
One of the main issues is the fact that so many computers these days
allow Administrator status. Even a lot of internet cafes use Windows XP
Home edition, with the user logged in as Administrator. The developers
at Faronics are committed, however, to protecting the machine even from
Administrators! The problem with that is, as you know, whatever is
taken away from an Administrator, the Administrator can give back to
herself. So if, for example, Deep Freeze removes DebugPrivileges, users
can simply grant it back to themselves.
Another issue is their commitment to non-restrictive use. Their
commitment with Deep Freeze is to protect the machine
non-restrictively. That has worked... until now. I think they may be
forced at this point to admit Administrator accounts can't be
guaranteed protection any longer. Unless they can secure these issues,
I don't see any other way.
A couple of things come to mind to protect against this: you could use
Appsec.exe with Group Policy:
Microsoft Appsec.exe: Application Security Through Group Policy
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
or, you could use another program from Faronics in conjunction with
Deep Freeze, a program called Anti-executable.
Faronics Anti-Executable
http://www.faronics.com/html/AntiExec.asp
The above two options would prevent a perpetrator on your network from
running Deep Unfreezer.
Another obvious option is to not allow Administrator status on machines
any longer (this is an issue Windows Vista addresses. Every
Administrator will have two tokens, one for UAP and one for
full-rights). If you give users only regular, limited accounts, they
won't be able to grant themselves the "Debug Programs" privilege.
The worry-free days of "freeze it and forget it" with Deep Freeze may
be coming to an end. We'll see. Emiliano just released his second
version of Deep Unfreezer, which disables the latest version of Deep
Freeze, v5.60.120.1347. This latest version of Deep Freeze was intended
to thwart Deep Unfreezer. It failed. Deep Unfreezer still worked, even
before Emiliano updated it to specifically include Build 1347.
To learn the current version of Deep Freeze, visit this page:
http://www.faronics.com/html/support.asp
Faronics, Emiliano Scavuzzo, has written a program to thaw Deep Freeze
without knowing the password. It works on almost ALL versions of Deep
Freeze, including the latest version, v5.60.120.1347, released
Oct-20-2005 to supposedly thwart his program-it does not! You can use
Deep Unfreezer to test for the vulnerability on your own machines:
(Disclaimer: this tutorial and information is provided as is, and is
intended for network administrators currently using Deep Freeze on
their networks, to provide them with up-to-date vulnerability
information on the inherent security flaws in the Deep Freeze program.
It is intended to be used for testing purposes only, and is not to be
construed as a "hacking tutorial on how to hack Deep Freeze". Author is
not responsible for abuse of this information. At the end of the
article are a couple of tips on how to secure your machines running
vulnerable Deep Freeze installations.)
Deep Freeze Unfreezer
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html
Method 1:
To perform the test you must first grant yourself the "Debug Programs"
privilege (revoked by Deep Freeze) by escalating to the Local System
account using Task Scheduler from the command line (Start/run, cmd):
1) Type: at 11:23pm /interactive taskmgr.exe (add one or two minutes
from the current time). [ENTER]
2) Once Task Manager launches, End Task explorer.exe
3) On the Task Manager menu, choose File / New Task (Run...), Type
explorer.exe to launch the explorer shell under the System account
which has Debug Privileges
4) Run Deep Unfreezer from the System account.
Or,
Method 2:
Use ntrights.exe from the Windows Server 2003 Resource Kit, a free
download, http://tinyurl.com/6p6cy, to grant yourself the
SeDebugPrivilege.
Syntax: ntrights -u Users +r SeDebugPrivilege
If you use ntrights, you must be the only user logged on, and you must
logoff and logon again before the privilege takes effect. [If desired,
you can use showpriv.exe, also from the Resouce Kit, to enumerate
SeDebugPrivilege privileges for users and groups after logging off and
logging on again to verify that the privilege has actually been granted
to your account.]
Then run Deep Unfreezer, View Status, click on the Boot Thawed button,
Save Status, and restart the machine. If the machine reboots in thawed
mode, your version of Deep Freeze is vulnerable, and you should take
measures to provide additional security on your machines.
Deep Freeze Evaluation versions are also vulnerable to this attack.
Deep Freeze Evaluation versions can be taken off machines by an
attacker by forwarding the system date past 60-days which will expire
Deep Freeze, causing the computer to restart in thawed mode, allowing
Deep Freeze to be uninstalled. If you're using an evaluation version of
Deep Freeze, here's how to perform this test:
Method 1:
1) Switch to the System account, as described above
2) Double-click the time in the system tray
3) Forward the date past 60-days
4) Restart in thawed mode
5) Use DeepFreezeSTDEval.exe to uninstall Deep Freeze. Deep Freeze is
not uninstalled through Add/Remove Programs. It is uninstalled with the
installation file, and ONLY with the installation file. Yes, the same
file is used to install and uninstall. If you don't have it, download
it here. It's a free download:
Deep Freeze Evaluation -Trial Version - v5.60.120.1347
http://www.faronics.com/exe/DeepFreezeSTDEval.exe
Or,
Method 2:
Use ntrights.exe from the Windows Server 2003 Resource Kit to grant
yourself the SeSystemtimePrivilege.
Syntax: ntrights -u Users +r SeSystemtimePrivilege
You must logoff and logon again for the new privilege to take effect.
Special Note:
Faronics came out with v5.60.120.1347 on 10-20-2005 as a response to
Deep Unfreezer. It proved to be an impotent move. Emiliano's response
to the new version? "rename frzstate2k.exe to anything else. Then
attach to DF5Serve.exe instead". Does that work? Yes, it does. Thus,
the newest version of Deep Freeze, intended to thwart Deep Unfreezer,
continues to be vulnerable.
Deep Freeze protects over four million computers world-wide and over
one million Macs (yes, there's a Deep Freeze for Mac). And most of them
are vulnerable to this attack (not sure about the Macs though). At this
time Faronics does not have a fix, nor an immune version. If you are a
network administrator in charge of maintaining a network of machines
protected by Deep Freeze, please be advised of this situation and be
prepared.
Faronics does not seem to be taking this seriously. They only made a
token effort to thwart Deep Unfreezer in their latest version. Until
they get serious about things, Deep Freeze is going to be melting away
in the eyes of those who have grown to love and trust the program.
One of the main issues is the fact that so many computers these days
allow Administrator status. Even a lot of internet cafes use Windows XP
Home edition, with the user logged in as Administrator. The developers
at Faronics are committed, however, to protecting the machine even from
Administrators! The problem with that is, as you know, whatever is
taken away from an Administrator, the Administrator can give back to
herself. So if, for example, Deep Freeze removes DebugPrivileges, users
can simply grant it back to themselves.
Another issue is their commitment to non-restrictive use. Their
commitment with Deep Freeze is to protect the machine
non-restrictively. That has worked... until now. I think they may be
forced at this point to admit Administrator accounts can't be
guaranteed protection any longer. Unless they can secure these issues,
I don't see any other way.
A couple of things come to mind to protect against this: you could use
Appsec.exe with Group Policy:
Microsoft Appsec.exe: Application Security Through Group Policy
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
or, you could use another program from Faronics in conjunction with
Deep Freeze, a program called Anti-executable.
Faronics Anti-Executable
http://www.faronics.com/html/AntiExec.asp
The above two options would prevent a perpetrator on your network from
running Deep Unfreezer.
Another obvious option is to not allow Administrator status on machines
any longer (this is an issue Windows Vista addresses. Every
Administrator will have two tokens, one for UAP and one for
full-rights). If you give users only regular, limited accounts, they
won't be able to grant themselves the "Debug Programs" privilege.
The worry-free days of "freeze it and forget it" with Deep Freeze may
be coming to an end. We'll see. Emiliano just released his second
version of Deep Unfreezer, which disables the latest version of Deep
Freeze, v5.60.120.1347. This latest version of Deep Freeze was intended
to thwart Deep Unfreezer. It failed. Deep Unfreezer still worked, even
before Emiliano updated it to specifically include Build 1347.
To learn the current version of Deep Freeze, visit this page:
http://www.faronics.com/html/support.asp