Deep Freeze In Deep Trouble
    A black-hat computer programmer in Argentina with a grudge against Faronics, Emiliano Scavuzzo, has written a program to thaw Deep Freeze without knowing the password. It works on almost ALL versions of Deep Freeze, including the latest version, v5.60.120.1347, which recently came out (Oct-20-2005) to supposedly be immune to his program—it's not! You can use Deep Unfreezer to test for the vulnerability on your own machines:

    Deep Freeze Unfreezer
    http://usuarios.arnet.com.ar/fliamar...unfreezer.html

    Method 1:

    To perform the test you must first acquire DebugPrivileges (removed by Deep Freeze) by escalating to NT_AUTHORITY (the System account) using Task Scheduler from the command line:

    1) Enter: at 11:23pm /interactive taskmgr.exe (add one or two minutes to the current time)
    2) Once Task Manager launches, End Task on explorer.exe
    3) File / New Task (Run...) Enter explorer.exe to launch the explorer shell under the System account which has Debug Privileges
    4) Run Deep Unfreezer from the System account.

    Method 2:

    OR, use ntrights.exe from the Windows Server 2003 Resource Kit, a free download, http://tinyurl.com/6p6cy, to grant yourself the SeDebugPrivilege.
    Syntax: ntrights -u Users +r SeDebugPrivilege
    If you use ntrights, you must logoff and logon again for the privilege to be active.

    Then run Deep Unfreezer, View Status, click on the Boot Thawed button, Save Status, and restart the machine. If the machine reboots in thawed mode, your version of Deep Freeze is vulnerable, and you should take measures to provide additional security on your machines.

    Deep Freeze Evaluation versions are also vulnerable to this attack. Deep Freeze Evaluation versions can be taken off machines by an attacker by forwarding the system date past 60 days, which expires Deep Freeze, causing the computer to restart in thawed mode and allowing Deep Freeze to be uninstalled. If you're using an evaluation version of Deep Freeze, here's how to perform this test:

    Method 1:

    1) Switch to the System account, as described above
    2) Double-click the time in the system tray
    3) Forward the date past 60 days
    4) Restart in thawed mode
    5) Use DeepFreezeSTDEval.exe to uninstall Deep Freeze. Deep Freeze is not uninstalled through Add/Remove Programs. It is uninstalled with the installation file, and ONLY with the installation file. Yes, the same file is used to install and uninstall. If you don't have it, download it here. It's a free download:

    Deep Freeze Evaluation - Trial Version - v5.60.120.1347
    http://www.faronics.com/exe/DeepFreezeSTDEval.exe

    Method 2:

    Or, use ntrights.exe from the Windows Server 2003 Resource Kit to grant yourself the SeSystemtimePrivilege.
    Syntax: ntrights -u Users +r SeSystemtimePrivilege
    You must logoff and logon again for the new privilege to be in effect.

    Special Note:

    Faronics came out with v5.60.120.1347 on 10-20-2005 as a response to Deep Unfreezer. It proved to be an impotent move. Emiliano's response to the new version? "rename frzstate2k.exe to anything else. Then attach to DF5Serve.exe instead". Does that work? Yes, it does. Thus, the newest version of Deep Freeze, intended to thwart Deep Unfreezer, continues to be vulnerable.

    Deep Freeze protects over four million computers world-wide and over one million Macs (Yes, there's a Deep Freeze for Mac).

    Most Deep Freeze installations around the world are vulnerable to this attack. At this time Faronics does not have a fix, nor an immune version. If you are a network administrator in charge of maintaining a network of machines protected by Deep Freeze, please be advised of this situation and be prepared.

    One of the main issues is the fact that so many computers these days allow Administrator status. Even a lot of internet cafes use Windows XP Home edition, with the user logged in as Administrator. The developers at Faronics are committed, however, to protecting the machine even from Administrators! The problem with that is, as you know, whatever is taken away from an Administrator, the Administrator can give back to himself. So if, for example, Deep Freeze removes DebugPrivileges, users can simply grant it back to themselves.

    Another issue is their commitment to non-restrictive use. Their commitment with Deep Freeze is to protect the machine non-restrictively. That has worked... until now. I think they may be forced at this point to admit Administrator accounts can't be guaranteed protection any longer. Unless they can secure these issues, I don't see any other way.
    Last edited by superdude; October 24, 2005, 08:52.
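    The thread's two methods both come down to an interactive user holding SeDebugPrivilege or SeSystemtimePrivilege, so the administrator-side check is simply: who has those rights on each machine? The following Python script is an added example (not from the original post, Faronics, or the Deep Unfreezer author) that parses the [Privilege Rights] section of a security-template export and flags either privilege when it is granted to a broad principal such as Users, Everyone, Authenticated Users or Interactive. On a real host the input is produced with `secedit /export /cfg rights.inf` (the export is UTF-16, so decode it before parsing); the `SAMPLE_INF` text below is constructed for the example, and the list of "broad" principals is an assumed policy, not something the thread specifies.

```python
"""Audit a secedit user-rights export for over-broad SeDebugPrivilege / SeSystemtimePrivilege grants."""

# Well-known SIDs that should not normally hold debug or system-time rights (assumed policy).
BROAD_PRINCIPALS = {
    "*S-1-5-32-545": "Users",
    "*S-1-1-0": "Everyone",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-5-4": "Interactive",
}

# The two privileges the thread shows being handed to Users with ntrights.
WATCHED = {"SeDebugPrivilege", "SeSystemtimePrivilege"}

# Constructed sample of what `secedit /export /cfg rights.inf` produces (after UTF-16 decoding).
# Here SeDebugPrivilege has been granted to Users (S-1-5-32-545) alongside Administrators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege_name: [principal, ...]} from the [Privilege Rights] section only."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # Section header: only lines inside [Privilege Rights] are user-rights assignments.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip() for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def find_overbroad_grants(rights, watched=WATCHED):
    """Return (privilege, principal_name) pairs where a watched privilege is held by a broad principal."""
    findings = []
    for priv in sorted(watched):
        for principal in rights.get(priv, []):
            if principal in BROAD_PRINCIPALS:
                findings.append((priv, BROAD_PRINCIPALS[principal]))
    return findings


def load_secedit_export(path):
    """Read a real secedit export from disk (UTF-16 with BOM) and parse it."""
    with open(path, encoding="utf-16") as fh:
        return parse_privilege_rights(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_secedit_export("rights.inf") on a host.
    for priv, who in find_overbroad_grants(parse_privilege_rights(SAMPLE_INF)):
        print(f"{priv} is granted to {who}: remove it and re-check after a logoff/logon")
```

    Run the audit across the fleet and any machine where the two privileges have crept onto Users (or a similarly broad group) is the one to fix first, since that grant is what both methods in the post depend on. Administrators are deliberately not flagged: as the post notes, an Administrator can always give a right back to himself, so the meaningful control there is not handing out Administrator accounts in the first place.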

  • #2
    Nice! I wish I would have thought of that when I was in high school, I would have used it to fix all the computers, such as the viruses that were "deep freezed" into the systems.
    Red Squirrel



    • #3
      That's nice. Well, almost all PCs, corporate so to say, are installed with this Deep Freeze thing, so it's really nice someone pawns it..
      My Digital Signature
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.0 (FreeBSD)
      iD8DBQFDT5qLzIuaDTU+nSQRAi6pAJwIT/AhD
      QlSh5A2E7bUh2p2EdRvFwCgliEm
      MIOm7jW92AmMKk7mShBHmTE==7o7u
      -----END PGP SIGNATURE-----



      • #4
        Originally posted by aphax
        That's nice. Well, almost all PCs, corporate so to say, are installed with this Deep Freeze thing, so it's really nice someone pawns it..
        Shakes head at Red Squirrel and Aphax in disgust.
        Did Everquest teach you that?
