16 Feb 2016

Updated Meltdown and EnigmaVB Unpacker

About Error Messages

Users can't read.

Or maybe they don't want to read. I don't know.

But one thing I know for sure - you must make your tools foolproof. If your tool is showing an error message, make sure even your grandma could understand it. Otherwise you'll be getting lots and lots of invalid bug reports.

For example, this is the error message my EnigmaVB unpacker used to show (as reported by ho3ein at Tuts4You):

It seemed to be very clear to me. First, tool tells user all the versions of Enigma Virtual Box it supports. Then tool explains that it expects to see a PE section with a name ".enigma2" but it found section with a name ".rsrc" instead. To me it's absolutely clear what happened: this file is not protected with Enigma Virtual Box (or it's hacked).

But you won't believe how many times this gets reported as a bug.

There was a similar problem with Meltdown. It clearly stated which versions of DeepFreeze it supports. Then it printed the detected DeepFreeze version. However, the error message didn't explicitly say "This version of DeepFreeze is not supported", it said "DeviceIoControl failed." It makes perfect sense from developer's point of view, but apparently is very confusing for users.

So, here are improved versions of my tools, fixing the error messages and some other stuff..

Improved EnigmaVB Unpacker

First of all, I fixed the error message. I also added detection and tested compatibility with the latest EnigmaVB v7.40. Hopefully, this will make users happier and less confused. smile

Improved Meltdown

Meltdown 1.7 fixes confusing error message with DeepFreeze Standard v8.x. Thanks to Alexander for reporting it.

I also took a closer look at DeepFreeze Enterprise versions and found a way to make Meltdown more user friendly. If DeepFreeze Enterprise v7.20+ is detected, Meltdown will get OTP Token automatically and immediately generate correct password.


Download links

Enigma Virtual Box Unpacker: Please get latest version from this post
Meltdown v1.7: https://www.mediafire.com/?b0bamd3t2d6bbkq

16 Jan 2016

Updated Faronics DeepFreeze and Meltdown

tl;dr - DeepFreeze is still buggy and one-time passwords can be easily generated. Download link: https://www.mediafire.com/?mtpaf3quaifwm3u

What was changed in DeepFreeze version 8.31?

Well, two things.

First, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). While doing so, they added a new vulnerability - similar to the one that Meltdown used to obtain password for Deep Freeze Standard version 7.x and older.
Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they created a new local privilege escalation vulnerability.

What is this new (old) vulnerability?

The problem is in data exchange between driver and the UI component. It's done using DeviceIoControl calls and data are encrypted using changing XOR key. However, the overall communication protocol is badly designed.

So, let's start with the Deep Freeze Standard versions 5.x to 7.x. Communication between UI (frzstate2k.exe) and the driver goes like this:
DFS 7.x
Obviously, it's easy to extract password from the information provided by driver. That's what Meltdown originally did.

Faronics fixed that in Deep Freeze Standard v8.10:
DFS 8.x
Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. End of story.

Deep Freeze Enterprise is a different story:
DFE 7.x
This communication makes sense. But all the information necessary to generate OTP was present in dfserv.exe and other executables. So, Meltdown didn't even have to communicate with the driver.

But in the latest version (v8.31) the information to generate OTP is not present in dfserv.exe or other executables. However, Faronics added a new feature to the driver:
DFE 8.31
Where have I seen this design before? smile So, I updated Meltdown to obtain information necessary for OTP generation from DeepFreeze driver. Easy as pie.

Local privilege escalation

It's so good, it deserves a separate blog post.

What do you think about Faronics?

I get this question a lot lately. People who see Meltdown ask that. IT managers who bought DeepFreeze ask that. And even some reverser friends have asked me that. But I'd rather not say anything and let the facts speak for themselves.

  • 2013-Mar-06 - Meltdown is published.
  • 2014-Mar-31 - Faronics closes the vulnerability in DeepFreeze Standard v8.10. No mention of any security issues in the changelog. No security bulletins published. This vulnerability had existed since very early versions of DeepFreeze and it suddenly got fixed. To me, it indicates that Faronics was aware of Meltdown at this moment of time.
  • 2014-Jun-24 - Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown. Release notes say "Resolved a security issue that could result in the user accessing Deep Freeze without authorization." No security bulletins published.
  • 2015-May-11 - User reported that Meltdown wasn't working anymore. It took me few hours to add that new round of "extra secure" xor encryption.
  • 2015-Dec-31 - Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown. Changelog says "Secured One-Time Password functionality from potential vulnerability." No security bulletins published. They introduce 2 new vulnerabilities in this version.
  • 2016-Jan-12 - Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.

You can compare Faronics' behavior and response time to other software companies and make your own conclusions.

Download link for Meltdown 1.6: https://www.mediafire.com/?mtpaf3quaifwm3u

11 May 2015

Improving Meltdown

More than 2 years ago I released Meltdown. It's a proof-of-concept tool that showed several security issues in Faronics DeepFreeze products. Faronics are infamous for their attempts to hide the issues, so I was really curious how it will work out.

Bugs in my code

First, a few bugs in my code surfaced. None of them were in the core components dealing with DeepFreeze, I had that part tested thoroughly. But I overlooked issues with UAC, possibility that Windows are not installed on drive C:\, empty passwords and other edge cases.

All in all, it was a good learning experience.

Requests for source code

The very first version of Meltdown came with a full source code and explanation of the vulnerabilities in Faronics products. Once I started fixing bugs, I released only the updated binary. Yet quite a few people kept asking for the updated source.

To be honest, I have no idea why. So far, I haven't seen a single tool that would be based on my source code, not even a straightforward rip with a changed name and copyrights. Weird..

Bug reports

People reported bugs. Big bugs, small bugs, non-bugs and everything in between.

Most bug reports came from arabic-speaking guys. Some of them even didn't bother to use Google Translate and wrote in their native language. No, I really don't speak Arabic, German, French or Indonesian.

Also, most bug reports came without any actionable information whatsoever. Just "It doesn't work". Well, that's not helpful at all! I really want to help you, but you must tell me more than that. In later versions, I added information to main window about detected OS, 32/64bits, detected DF version, etc, etc. And then I can just ask for a screenshot, it contains most of the info I need to replicate the issue.

It was a good learning experience again. I learned how to make my tools more user-proof.

Faronics response

For a year, there was none.

Then in June 2014 they released DeepFreeze Enterprise 8.11 where the issue was fixed. At least the changelog says so:

7936 Resolved a security issue that could result in the user accessing Deep Freeze without authorization.

Yeah, right.. In reality they just added yet-another-layer of xor-encryption and removed useful data from frzstate2k.exe. But the same data are still present in dfserv.exe.

Wow, that's what I call "resolving a security issue"! smile

In September 2014 they released DeepFreeze Standard 8.10 where the other vulnerability was fixed. However, there was no mention of anything like that in the changelog. From a quick glance, it looks like they finally got their code right and aren't sending xor-encrypted password from driver to usermode anymore.

What now?

I'm presenting you an updated version of Meltdown.

Meltdown v1.5
It shows that vulnerabilities in Enterprise version are still present, just slightly more obfuscated. But security through obscurity does not work!

The glaring vulnerability in Standard version is fixed, and 8.x Standard versions seem to be safe. Funny, isn't it - you'd expect a corporate product to provide better security than home-edition, yet this is not the case.. smile

Download link for Meltdown v1.5: http://www.mediafire.com/?0wc0vv1kauhwxbb