16 Jan 2016

Updated Faronics DeepFreeze and Meltdown

tl;dr - DeepFreeze is still buggy and one-time passwords can be easily generated. Download link: https://www.mediafire.com/?mtpaf3quaifwm3u

What was changed in DeepFreeze version 8.31?

Well, two things.

First, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). While doing so, they added a new vulnerability, similar to the one that Meltdown used to obtain the password for Deep Freeze Standard version 7.x and older.
Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they created a new local privilege escalation vulnerability.

What is this new (old) vulnerability?

The problem is in the data exchange between the driver and the UI component. It's done using DeviceIoControl calls, and the data is encrypted with a changing XOR key. However, the overall communication protocol is badly designed.

So, let's start with Deep Freeze Standard versions 5.x to 7.x. Communication between the UI (frzstate2k.exe) and the driver goes like this:
[Diagram: DFS 7.x]
Obviously, it's easy to extract the password from the information provided by the driver. That's what Meltdown originally did.

Faronics fixed that in Deep Freeze Standard v8.10:
[Diagram: DFS 8.x]
Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. End of story.

Deep Freeze Enterprise is a different story:
[Diagram: DFE 7.x]
This communication makes sense. But all the information necessary to generate OTP was present in dfserv.exe and other executables. So, Meltdown didn't even have to communicate with the driver.

But in the latest version (v8.31) the information to generate OTP is not present in dfserv.exe or other executables. However, Faronics added a new feature to the driver:
[Diagram: DFE 8.31]
Where have I seen this design before? :) So, I updated Meltdown to obtain the information necessary for OTP generation from the DeepFreeze driver. Easy as pie.
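The design difference the post is describing, reduced to a constructed Python model (added here; this is not Faronics' code, and the IOCTL names, key size and message layout are assumptions, not the real driver's): a driver that returns secret material under a XOR key it also returns, beside a driver that only verifies a candidate and never releases the secret.

```python
import hmac
import os


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of 'encryption' the post describes on the IOCTL channel."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class LeakyDriver:
    """Model of the flawed design: the driver hands the UI the material needed to
    build a valid password, protected only by a XOR key that it also hands out.
    (Constructed model; IOCTL names and key size are assumptions.)"""

    def __init__(self, otp_material: bytes):
        self._material = otp_material
        self._key = os.urandom(8)  # "changing" key: a fresh one per session

    def ioctl_get_key(self) -> bytes:
        return self._key

    def ioctl_get_material(self) -> bytes:
        return xor(self._material, self._key)


def material_visible_to_local_caller(driver: LeakyDriver) -> bytes:
    """Any local process that can open the device receives both IOCTL answers, so
    the XOR layer adds no confidentiality; rotating the key does not change that."""
    return xor(driver.ioctl_get_material(), driver.ioctl_get_key())


class VerifyingDriver:
    """Sound design: the secret never leaves the driver. The UI submits a
    candidate and receives only accept/reject; failures are counted so a
    defender can log and alert on guessing attempts."""

    def __init__(self, password: bytes):
        self._password = password
        self.failures = 0

    def ioctl_check_password(self, candidate: bytes) -> bool:
        ok = hmac.compare_digest(candidate, self._password)
        if not ok:
            self.failures += 1
        return ok
```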

Local privilege escalation

It's so good, it deserves a separate blog post.

What do you think about Faronics?

I get this question a lot lately. People who see Meltdown ask that. IT managers who bought DeepFreeze ask that. And even some reverser friends have asked me that. But I'd rather not say anything and let the facts speak for themselves.

  • 2013-Mar-06 - Meltdown is published.
  • 2014-Mar-31 - Faronics closes the vulnerability in DeepFreeze Standard v8.10. No mention of any security issues in the changelog. No security bulletins published. This vulnerability had existed since very early versions of DeepFreeze and it suddenly got fixed. To me, it indicates that Faronics was aware of Meltdown at that point in time.
  • 2014-Jun-24 - Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown. Release notes say "Resolved a security issue that could result in the user accessing Deep Freeze without authorization." No security bulletins published.
  • 2015-May-11 - A user reported that Meltdown wasn't working anymore. It took me a few hours to add that new round of "extra secure" XOR encryption.
  • 2015-Dec-31 - Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown. Changelog says "Secured One-Time Password functionality from potential vulnerability." No security bulletins published. They introduce 2 new vulnerabilities in this version.
  • 2016-Jan-12 - Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.

You can compare Faronics' behavior and response time to other software companies and make your own conclusions.

Download link for Meltdown 1.6: https://www.mediafire.com/?mtpaf3quaifwm3u

42 thoughts on “Updated Faronics DeepFreeze and Meltdown”

  1. Hello. I have Deep Freeze 8.20.020.4589, and I had tried your Meltdown and it doesn't work. The message is "DeviceIoControl reports failure (1)". Please help me, I need to close Deep Freeze.
    Thanks in advance. (And excuse my English.)

    • Version 8.20.020.4589 is DeepFreeze Standard version and it's not supported by Meltdown:

      Supported: DeepFreeze Enterprise 5.x-8.31, Standard 6.00-7.72
      Not supported: DeepFreeze Standard 8.x

      The error message about DeviceIoControl is confusing - I will fix that. :)

      • Deep Freeze Recovery Tool v1.7. (c) kao
        Latest version always at {hidden link} and {hidden link}
        Supported: DeepFreeze Enterprise 5.x-8.31, Standard 6.00-7.72
        Not supported: DeepFreeze Standard 8.x

      • Does your tool work with parameters at start? I mean, to start the tool without showing the UI, setting the Clipboard with the generated password, so that I can just paste it into the DF window?

        • Hi Yury, it doesn't support any parameters or automation. I didn't want it to be used as an automated hacking tool.

      • They said "I don't know what you're talking about...." (According to google translate, probably not a very accurate translation lol)

        Asking others to talk in English is disrespectful, others should not have to accommodate to English speakers, rather, it should be the opposite. Since English is viewed as the "dominant language", it is important to recognize your privilege.

        • I'm not a native English speaker either. English is not even my second language.

          But since you're visiting my personal blog, please kindly obey house rules. One of these rules is using English language in the comments section.

  2. Deep Freeze Standard 7.51 running under Windows 7 Enterprise. Meltdown 1.5 to 1.7 each successfully performed, where ADF4 and ADF5 Beta wouldn't. You're a genius.

    • Glad you like it. :)

      BTW, an email address is not mandatory when making comments - if you don't want me to know it, just leave it blank.

  3. You are a genius thank you very much, you could perform the meltdown for the version of deep freeze 8.30, since when I use your application of my sale an error saying: "This DeepFreeze version is NOT supported"
    thanks.

  4. Hey, could a forgetful fellow get any help with DeepFreeze 8.51.220.5387? I manage a school, and we have 30 laptops with DeepFreeze. The old IT guy took off and we would like to reinstall Windows and get SSDs in them, but we don't know the passwords... :( I tried Meltdown but it doesn't work. I knew it wouldn't, but I hoped :) Will you update Meltdown to support newer DeepFreeze installs or nope? Thnx

    • Hey there,
      1) If you have a valid license, it should be possible to get support from Faronics directly.
      2) If you've lost your password and just want to change it, booting from any Linux live CD/USB should be enough. IIRC, deleting persi0.sys removes DeepFreeze settings - but I will not give any guarantees or support for that. Try at your own risk.
      3) If you're putting in SSDs and a new system on them, you're looking at a complete reinstall anyway. There is no need to disable DeepFreeze for that.

      So, I really can't see any reason why you'd need Meltdown in the first place. ;)

      To answer your question - no, I'm not planning to add support for DeepFreeze 8.51.220.5387. The old bugs were more or less fixed and the product is OK-ish now.

      • Thanks for the reply.
        1. Yes, we have a valid license, but it will be an ear-sweating phone call with them, and I wanted and hoped for a shorter route.
        2. Thank you, good to know :)
        3. Finally we cloned them with DeepFreeze in frozen state without a problem... but still there is the problem with the passwords....
        Anyhow, thanks for the reply and the help ;)

  5. Hi bro, it's not working on Deep Freeze Standard 8.10 and 8.30. Kindly upload a new version of Meltdown as soon as possible. Thnx a lot.

    • Hey, maybe you don't know why I am going to use this tool at first, because my BIOS password lock, and it cannot be reset, then I can't enter the PE, which means I can't install Windows on their own, as to delete the sys files, cannot be started directly, but I think you can plan to add 8.51 support thank you very much! If not, please recommend one that in the case of don't know the password and in the frozen state to remove or uninstall DeepFreeze method or software (I really need it) at the same time I also have their own idea: if I can enter the PE, so you only need to develop a can delete all DeepFreeze installation time is written on the registration list the procedure can achieve the goal of the disabled.

  6. Hi, R/Kao, I've Deep Freeze v8.61 installed (don't wanna uninstall) and I forgot my password.
    I need any tool like Meltdown for password recovery. I'll be glad if you can do anything for
    my issue. Thanks

    • Sorry, I don't have any other version of Meltdown. DeepFreeze v8.x is not supported and I have no plans to change that.

  7. Operating system version 6.1.7601 (64-bits)
    Detected DeepFreeze version 8.30.020.4627
    Probably Standard version.
    DeviceIoControl reports failure (1)

    Please help me to fix it. Thank

    • You skipped the line which says:

      Supported versions: DeepFreeze Standard/Enterprise 6.00-7.72.

      DeepFreeze versions 8.x are not supported and I have no plans to change that.

  8. Hi Kao! Why are you not going to update Meltdown? :< I have version 8.30 and I don't know how to get the password.

    • I answered in the email already, but here it is again, so that people stop asking... :)

      Meltdown demonstrated a specific design flaw in the Deep Freeze, Deep Freeze authors fixed the flaw, end of story.

    • No. As I've explained several times, the point of Meltdown was to demonstrate the issues with Faronics product design. Faronics have fixed the biggest issues with their product, and it's more or less OK now.

      From my point of view the case is closed, and I've moved on to other projects.
