[NT] Deep Freeze Unfreezer - Bypassing Deep Freeze Authentication

Subject: [NT] Deep Freeze Unfreezer - Bypassing Deep Freeze Authentication
Date: 15 Jun 2005 10:36:02 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Deep Freeze Unfreezer - Bypassing Deep Freeze Authentication
------------------------------------------------------------------------


SUMMARY

 <http://www.faronics.com/html/deepfreeze.asp> Deep Freeze "makes 
computing environments easier to manage and maintain. Each restart 
eradicates all changes and resets the computer to its original state, 
right down to the last byte". This article describes a method to bypass 
Deep Freeze's authentication mechanism.

DETAILS

Tools needed:
 <http://home.t-online.de/home/Ollydbg/> OllyDbg to patch the program and 
run it.

 <http://ollyscript.apsvans.com/> OllyScript to run scripts on OllyDbg.

 <http://ollyscript.apsvans.com/> ASPack 2.12 OEP finder script by 
hacnho/VCT2k4 to find the OEP.

 <http://www.sysinternals.com/> Process Explorer for 2K/XP to see the 
login program command line.

 <http://protools.cjb.net/> DeASPack for AsPack 2.11 to unpack the login 
program. (for Deep Freeze 3.32.000.0534)

Summary:
What we are going to do is load a new instance of the Deep Freeze login 
program and change it in such a way that it accepts any password as a 
valid one.

Let's get to work:
1. The first thing we are going to do is to find some data we're going to 
use later to load our login program instance. To do that load Process 
Explorer. In this program we can see a list of all the processes our PC is 
running, among them is the login program called FrzState.exe or 
FrzState2k.exe. Find this program on the list, expanding the tree if 
necessary. Once you've found it, right click over the program's name and a 
menu with options will show up. Select the option 'Properties'. A window 
will show up with the process properties.

2. In the properties window you'll see a property called 'Command line'. 
On this box you can see the program's location, remember that. At the end 
of the text box there are three numbers that you have to write down to use 
later. Once you've written them down you can close Process Explorer.

Deep Freeze for Windows 2K/XP
3. Now run Ollydbg. Note: Make sure OllyScript is properly installed. 
There should be a menu called 'Plugins' where you'll find a submenu called 
'OllyScript'. If this menu doesn't appear in the program, that means you 
haven't installed the plugin properly. To install it, go to the menu 
'Options' and select 'Appearance'. In the 'Plugin path' box write the 
address where you copied OllyScript files, press OK and restart the 
program.
On the menu 'File' select 'Open' and look for the login program file 
(remember that Process Explorer told you where it was). In the 'Arguments' 
box write the three numbers you've written down. Now click 'Open'. If a 
warning message box shows up press 'OK', and if later a message box asks 
you if you want to continue the code analysis press 'No'.

4. We have loaded the program, the problem is that it's protected with 
Aspack 2.12 and we can't see the real code. To solve this we're going to 
use OllyScript and the ASPack 2.12 OEP finder script. Go to the 'Plugins' 
menu, and then to the 'OllyScript' submenu and select 'Run script'.

5. Look for the script and open it. The script will find the OEP (original 
entry point). If any window shows up dismiss it. Note: We are now on the 
OEP. If you are an experienced user you can dump the program using 
OllyDump to analyze the code with a disassembler.

6. Deep Freeze can be configured to hide the system tray icon (next to the 
clock). If you can't see the Deep Freeze icon follow the steps on this 
Annex and then resume this tutorial.

7. Right click over the code and a context menu will appear, select 'Go 
to' and then 'Expression' (or use the shortcut Ctrl+G).

8. In the text box enter the following value according to the Deep Freeze 
version you have installed and press OK.

Version                  Value
4.20.020.0598   40368D
4.20.120.0598   40368D
4.20.121.0613   4034F5
5.20.220.1125   4037E9
5.30.120.1181   4037E9

The program will jump to that line of code.
9. This is the line from where the password verification procedure is 
called. Let's set a breakpoint here. To do that right click over the line 
and in the context menu select 'Breakpoint' and then 'Toggle' (or press 
F2).

10. We are almost done! Now let's run this new Deep Freeze login program 
instance. To do that press F9. If everything went right now you should see 
two Deep Freeze icons on the system tray next to the clock. If Deep Freeze 
was configured to hide it (read annex), instead of two icons you'll see an 
empty icon.
Note: If the icon doesn't show up, it is possible that you haven't written 
the three argument numbers correctly or that you haven't opened the right 
file.

11. Now activate the login program by double clicking over the icon while 
you keep the shift key pressed. If there are two icons, it is important 
that you click over the new icon and not over the old one. The login window 
will appear asking for the password. Write anything in the password box 
and press ENTER. The breakpoint we set earlier in Ollydbg will activate 
and the login program will freeze.
Note: If the breakpoint doesn't activate, it is possible that you've chosen 
the wrong icon. Try with the other one.

12. On Ollydbg press F8 to step over the function call. On the registers 
window (to the right of the code) you'll see that EAX register has the 
value 00000000. That means the password is incorrect, let's change that. 
Double click over the value of EAX to open the modification window. In the 
'Hexadecimal' text box write 1 and press OK.

13. Now press F9 to continue. If everything went right the Deep Freeze 
configuration dialog will show up.

Deep Freeze 5.20.250.1125 and 5.30.150.1181 (Windows 9X):
3. Now we're going to kill the login program. If you try to close it now 
you'll see that the process shows up again on the list. To close it for 
good we first have to kill the process called MSGSRV32.EXE. Look for this 
process on the list, then right click over it and select 'Kill Process'. 
If a confirmation message appears answer Yes. Next, right click over the 
process FrzState9X.exe and select 'Kill Process' again. Now the login 
program should be dead. Note: If the icon of Deep Freeze still remains on 
the system tray next to the clock, hover the mouse cursor over it to make 
it disappear.

4. Now run Ollydbg. Note: Make sure OllyScript is properly installed. 
There should be a menu called 'Plugins' where you'll find a submenu called 
'OllyScript'. If this menu doesn't appear in the program, that means you 
haven't installed the plugin properly. To install it, go to the menu 
'Options' and select 'Appearance'. In the 'Plugin path' box write the 
address where you copied OllyScript files, press OK and restart the 
program. On the menu 'File' select 'Open' and look for the login program 
file (remember that Process Explorer told you where it was). Now click 
'Open'. If a warning message box shows up press 'OK', and if later a 
message box asks you if you want to continue the code analysis press 'No'.

5. We have loaded the program, the problem is that it's protected with 
Aspack 2.12 and we can't see the real code. To solve this we're going to 
use OllyScript and the ASPack 2.12 OEP finder script. Go to the 'Plugins' 
menu, and then to the 'OllyScript' submenu and select 'Run script'.

6. Look for the script and open it. The script will find the OEP (original 
entry point). If any window shows up dismiss it. Note: We are now on the 
OEP. If you are an experienced user you can dump the program using 
OllyDump to analyze the code with a disassembler.

7. Right click over the code and a context menu will appear, select 'Go 
to' and then 'Expression' (or use the shortcut Ctrl+G).

8. In the text box enter the following value according to the Deep Freeze 
version you have installed and press OK.

Version              Value
5.20.250.1125   408D34
5.30.150.1181   408E08

The program will jump to that line of code.

9. In this line the program decides if the password is correct. Let's set 
a breakpoint here. To do that right click over the line and in the context 
menu select 'Breakpoint' and then 'Toggle' (or press F2).

10. We are almost done! Now let's run this new Deep Freeze login program 
instance. To do that press F9. If Deep Freeze is configured to show the 
icon, now you'll see it on the system tray next to the clock.

11. Now activate the login program by double clicking over the icon while 
you keep the shift key pressed or by pressing CTRL+ALT+SHIFT+F6. The login 
window will appear asking for the password. Write anything in the password 
box and press ENTER. The breakpoint we set earlier in Ollydbg will 
activate and the login program will freeze.

12. On the registers window (to the right of the code) you'll see that the 
Z flag is set to 1. That means the password is incorrect, let's change 
that. Double click over the Z flag value and you'll see it changes to 0.

13. Now press F9 to continue. If everything went right the Deep Freeze 
configuration dialog will show up.

Deep Freeze 3.32.000.0534 (Windows 9X):
3. Now we're going to kill the login program. If you try to close it now 
you'll see that the process shows up again on the list. To close it for 
good we first have to kill the process called MSGSRV32.EXE. Look for this 
process on the list, then right click over it and select 'Kill Process'. 
If a confirmation message appears answer Yes. Next, right click over the 
process FrzState.exe and select 'Kill Process' again. Now the login 
program should be dead. Note: If the icon of Deep Freeze still remains on 
the system tray next to the clock, hover the mouse cursor over it to make 
it disappear.

4. This version of Deep Freeze is protected with Aspack 2.11, so before we 
can work with the login program we have to unpack the file, and for that 
we are going to use DeASPack. Run DeASPack and a dialog box will show up 
and ask you to select a file to unpack. Look for the login program file 
(remember that Process Explorer told you where it was). Now click 'Open'. 
The program will unpack the file and the dialog box will close.

5. Now run Ollydbg. On the menu 'File' select 'Open' and look for the 
unpacked file. The file is called out.exe and is in the same folder the 
login program is. Next, click 'Open'.

6. When OllyDbg finishes analyzing the program, right click over the code 
and a context menu will appear, select 'Go to' and then 'Expression' (or 
use the shortcut Ctrl+G).

7. In the text box enter 417410 and press OK. The program will jump to 
that line of code.

8. In this line the program decides if the password is correct. Let's set 
a breakpoint here. To do that right click over the line and in the context 
menu select 'Breakpoint' and then 'Toggle' (or press F2).

9. We are almost done! Now let's run this new Deep Freeze login program 
instance. To do that press F9. If Deep Freeze is configured to show the 
icon, now you'll see it on the system tray next to the clock.

10. Now activate the login program by double clicking over the icon while 
you keep the shift key pressed or by pressing CTRL+ALT+SHIFT+F6. The login 
window will appear asking for the password. Write anything in the password 
box and press ENTER. The breakpoint we set earlier in Ollydbg will 
activate and the login program will freeze.

11. On the registers window (to the right of the code) you'll see that the 
Z flag is set to 1. That means the password is incorrect, let's change 
that. Double click over the Z flag value and you'll see it changes to 0.

12. Now press F9 to continue. If everything went right the Deep Freeze 
configuration dialog will show up.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:anshoku@yahoo.com> Emiliano 
Torres.
The original article can be found at: 
http://usuarios.arnet.com.ar/fliamarconato/


