16 Jan 2016

Local Privilege Escalation Bug in Faronics Deep Freeze

While preparing an update for Meltdown, I encountered a textbook error in Faronics Deep Freeze Enterprise v8.31. So, here goes..

Running With Unnecessary Privileges

frzstate2k.exe is the application responsible for displaying the Deep Freeze Workstation Configuration dialog. To do that, it sits in the system tray and communicates with the DeepFreeze driver.

For reasons I really can't understand, this simple UI component is executed under the SYSTEM account. To make matters worse, it doesn't even drop unnecessary privileges. All these are textbook errors, and Microsoft has spent the last 10+ years trying to educate programmers and eliminate these kinds of bugs.

Here's a great presentation from Black Hat 2006 on this subject (slides 7-15): Security Engineering in Windows Vista

Abusing Common Dialogs

Microsoft Windows provides APIs for creating nice standard dialogs like "Open File.." and "Save As..". These dialogs are heavily integrated with the Windows shell and offer much more than just file selection - within the dialog box you can do almost anything you can do using Windows Explorer. Like executing other applications..

Because of that, these dialogs are often used to break out of a Terminal Server environment or to elevate local user privileges. Here is a quite good tutorial covering the basics: Breaking out of applications.

These attacks are also very old. Here's a nice presentation from 2008: Hacking Internet Kiosk’s

Putting it all together

Here's how any user can get SYSTEM privileges in 5 easy steps:

  1. user is logged on using a low-privilege account, e.g. belongs to the "users" group;
  2. user gains access to the workstation's DeepFreeze administration interface (e.g. using a password generated by Meltdown);
  3. user presses "Activate Now" -> "Activate Offline" -> "Next" -> and presses either of the 2 buttons that open "Save As" or "Open" dialogs;
  4. since FrzState2k.exe is running under the SYSTEM account, these dialogs give access to anything the SYSTEM account has access to. user navigates to C:\Windows\System32\ , right-clicks cmd.exe, and chooses Open.
  5. cmd.exe is executed under the SYSTEM account. game over.

Mitigating factors?

This attack was verified against the 30-day evaluation version of Deep Freeze Enterprise. It is possible that after the workstation is activated, the "Activate Now" button is disabled and there is no easy way to access it. This would (accidentally) limit attacks to workstations that haven't been activated yet.
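A detection sketch for the behaviour described above, added here and not part of the original post: it flags process-creation events where a child of frzstate2k.exe runs as SYSTEM in an interactive session. Field names follow Sysmon Event ID 1; the sample log, the C:\DF path and the watchlist are constructed assumptions.

```python
import ntpath

# Assumption: watchlist of UI binaries that run as SYSTEM; the post names this one.
WATCHED_PARENTS = {"frzstate2k.exe"}
SYSTEM_USERS = {"nt authority\\system"}

def parse_event(text):
    """Parse the 'Key: value' lines of a rendered process-creation event."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ survives
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_suspicious(ev):
    """SYSTEM child of a watched UI process, in an interactive (non-zero) session."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    user = ev.get("User", "").lower()
    try:
        session = int(ev.get("TerminalSessionId", "0"))
    except ValueError:
        return False  # malformed record: do not guess
    return parent in WATCHED_PARENTS and user in SYSTEM_USERS and session != 0

def detect(log):
    """Return the Image path of every flagged event in a '---'-separated log."""
    events = (parse_event(chunk) for chunk in log.split("\n---\n"))
    return [ev.get("Image", "?") for ev in events if is_suspicious(ev)]

# Constructed sample events (not captured from a real system).
SAMPLE = r"""
Image: C:\Windows\System32\cmd.exe
User: NT AUTHORITY\SYSTEM
TerminalSessionId: 1
ParentImage: C:\DF\FrzState2k.exe
---
Image: C:\Windows\System32\notepad.exe
User: LAB\student
TerminalSessionId: 1
ParentImage: C:\Windows\explorer.exe
---
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\SYSTEM
TerminalSessionId: 0
ParentImage: C:\Windows\System32\services.exe
---
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: NT AUTHORITY\SYSTEM
TerminalSessionId: 2
ParentImage: c:\df\FRZSTATE2K.EXE
"""

if __name__ == "__main__":
    for image in detect(SAMPLE):
        print("ALERT: SYSTEM child of watched UI process:", image)
```

The rule keys on the parent binary because Windows itself runs some SYSTEM processes inside interactive sessions, so matching on user and session alone would be noisy.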

Conclusion

It's hard to write anything here without using inappropriate language. Faronics positions itself as a security company, yet their products contain textbook errors like these. Make your own conclusions.

16 Jan 2016

Updated Faronics DeepFreeze and Meltdown

tl;dr - DeepFreeze is still buggy and one-time passwords can be easily generated. Download link: https://www.mediafire.com/?mtpaf3quaifwm3u

What was changed in DeepFreeze version 8.31?

Well, two things.

First, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). While doing so, they added a new vulnerability - similar to the one that Meltdown used to obtain the password for Deep Freeze Standard version 7.x and older.
Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they created a new local privilege escalation vulnerability.

What is this new (old) vulnerability?

The problem is in the data exchange between the driver and the UI component. It's done using DeviceIoControl calls, and the data are encrypted using a changing XOR key. However, the overall communication protocol is badly designed.

So, let's start with the Deep Freeze Standard versions 5.x to 7.x. Communication between the UI (frzstate2k.exe) and the driver goes like this:

[Figure: DFS 7.x]

Obviously, it's easy to extract the password from the information provided by the driver. That's what Meltdown originally did.

Faronics fixed that in Deep Freeze Standard v8.10:

[Figure: DFS 8.x]

Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. End of story.

Deep Freeze Enterprise is a different story:

[Figure: DFE 7.x]

This communication makes sense. But all the information necessary to generate the OTP was present in dfserv.exe and other executables. So, Meltdown didn't even have to communicate with the driver.

But in the latest version (v8.31) the information needed to generate the OTP is not present in dfserv.exe or other executables. However, Faronics added a new feature to the driver:

[Figure: DFE 8.31]

Where have I seen this design before? :) So, I updated Meltdown to obtain the information necessary for OTP generation from the DeepFreeze driver. Easy as pie.

Local privilege escalation

It's so good, it deserves a separate blog post.

What do you think about Faronics?

I get this question a lot lately. People who see Meltdown ask that. IT managers who bought DeepFreeze ask that. And even some reverser friends have asked me that. But I'd rather not say anything and let the facts speak for themselves.

  • 2013-Mar-06 - Meltdown is published.
  • 2014-Mar-31 - Faronics closes the vulnerability in DeepFreeze Standard v8.10. No mention of any security issues in the changelog. No security bulletins published. This vulnerability had existed since very early versions of DeepFreeze and it suddenly got fixed. To me, it indicates that Faronics was aware of Meltdown at this point in time.
  • 2014-Jun-24 - Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown. Release notes say "Resolved a security issue that could result in the user accessing Deep Freeze without authorization." No security bulletins published.
  • 2015-May-11 - User reported that Meltdown wasn't working anymore. It took me a few hours to add that new round of "extra secure" xor encryption.
  • 2015-Dec-31 - Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown. Changelog says "Secured One-Time Password functionality from potential vulnerability." No security bulletins published. They introduce 2 new vulnerabilities in this version.
  • 2016-Jan-12 - Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.

You can compare Faronics' behavior and response time to other software companies and make your own conclusions.

Download link for Meltdown 1.6: https://www.mediafire.com/?mtpaf3quaifwm3u