.

Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Wed Sep 13, 2006 9:01 am

Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Hi All,

Deep Freeze use a unique method of disk protection to preserve the exact original standard system configuration on over five million Windows and Macintosh computers worldwide!

According to the Faronics(Developers of Deep Freeze): "Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte."

However, the following is a step by step instruction on how to bypass the Deep Freeze security.

Note: Tested on

  • OS - Windows 2000 and XP edition
  • Deep Freeze - 4.20.020.0598, 4.20.120.0598, 4.20.121.0613, 5.20.220.1125 and 5.30.120.1181

Tools Required

>> Ollydbg (http://www.ollydbg.de/)
to patch the program and run it.
>> OllyScript (Attached or go to  -> http://www.theadmins.info/files/OllyScript.zip)
to run scripts on Ollydgb
>> ASPack 2.12 OEP finder script by hacnho/VCT2k4 (Attached or go to  -> http://www.theadmins.info/files/ASPackO ... Script.txt )
to find the OEP
>> Process Explorer for 2K/XP (http://www.sysinternals.com/)
to see the login program command line

Summary

What we are going to do is to load a new instance of Deep Freeze login program and we'll change it in such a way that it will accept any password as a valid one.

Let the Play Begin

The first thing to do is to find some data that we are going to use later to load our login program instance. For this, load the Process Explorer. Once it is loaded, we can see a list of all the processes our system is running, among them is the login program called FrzState.exe or FrzState2k.exe. You may expand the tree if required to find this program. Right click over the program's name and select "Properties". A new window will be opened with the process properties.

Image

Under the Image tab, note the property named "Command Line". Note down the value of "Command Line" including the three numbers at the end of the property for future use in this tutorial.

Image

Run Ollydbg.

Note: Make sure that OllyScript is properly installed. Make sure that the menu "Plugins" and submenu "OllyScript" is available. If this menu doesn't appear in the program, that means the plugin is not installed properly. To install it, go to the menu "Options" and select "Appearance". In the "Plugin path" box write the address where you copied OllyScript files, press OK and restart the program.


On the 'File' menu select 'Open' and look for the login program file (remember that Process Explorer told you where it was). In the 'Arguments' box write the three numbers you've written down. Click 'Open'. If a warning message box shows up press 'OK'. If a message box is encountered with the content "Do you want to continue the code analysis?" - press 'No'.

Image

We have successfully loaded the program. However the problem we face here is that it is protected with Aspack 2.12 due to which we cannot see the real code. To solve this, we are going to use OllyScript and the ASPack 2.12 OEP finder script. Go to the "Plugins' menu, and then to the "OllyScript" submenu and select "Run Script".

Image

Look for the script and open it. The script will find the OEP (original entry point). If any window shows up dismiss it.

Note: We are now on the OEP. If you are an experienced user you can dump the program using OllyDump to analyze the code with a disassembler.


Image

Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).

Image

In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

VERSION/VALUE
4.20.020.0598 / 40368D
4.20.120.0598 / 40368D
4.20.121.0613 / 4034F5
5.20.220.1125 / 4037E9
5.30.120.1181 / 4037E9

Image

The program will jump to the line of code.

This is the line from where the password verification procedure is called. Let's set a breakpoint here. To do that right click over the line and in the context menu select 'Breakpoint' and then 'Toggle' (or press F2).

Image

We are almost done! Now let's run this new Deep Freeze login program instance. To do that press F9. If everything went right now you should see two Deep Freeze icons on the system tray next to the clock. If Deep Freeze was configured to hide it , instead of two icons you'll see an empty icon.

Note: If the icon doesn't show up is possible that you haven't written the argument three numbers correctly or that you haven't opened the right file.


Image Image

Now activate the login program by double clicking over the icon while you keep the shift key pressed. If there are two icons, is important that you click over the new icon and not over the old one. The login window will appear asking for the password. Write anything in the password box and press ENTER. The breakpoing we set earlier in Ollydbg will activate and the login program will freeze.

Note: If the breakpoint doesn't activate is possible that you've chosen the wrong icon. Try with the other one.


Image

On Ollydbg press F8 to step over the function call. On the registers window (to the right of the code) you'll see that EAX register has the value 00000000. That means the password is incorrect, let's change that. Double click over the value of EAX to open the modification window. In the 'Hexadecimal' text box write 1 and press OK.

Image

Image

Now press F9 to continue. If everything went right the Deep Freeze configuration dialog will show up.

Image

Hope you all enjoyed this small journey. Please do comment on ur experience with this.

digg this tutorial if ur so inclined.

Regards,

Morpheus

Tutorial References:
hxxp://www.securiteam.com/windowsntfocu ... 1FG0S.html
Last edited by morpheus063 on Tue Dec 06, 2011 9:49 pm, edited 1 time in total.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Sep 13, 2006 11:13 am

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Well done. Many thanks to you and the team at The Admins.

Of course, being The Ethical Hacker Network, I'd love to see you add some defenses against this attack, even if it's a simple as having an enterprise grade host firewall.

Don
Last edited by don on Wed Sep 13, 2006 12:06 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Thu Sep 14, 2006 10:09 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Hi Don,

Thanks for the reply and for the reference to The Admins.

As far as the countermeasure is concerned, the following points can be considered:

Since the vulnerability discussed is all about manipulating the application exe, the product organization has to be informed at the earliest (which I have done) and the update should be applied.
Assuming that there is no patch released or the new patch / version is still vulnerable, the following two points can be considered:

1. Host Management - Generally, the application (Deep Freeze) will be running under the SYSTEM credentials. So if we set a trigger to fire a mail or log, when the locally logged in user is accessing the application exe, the admin (if he is checking his mails and logs) can easily come to know about it. The only point to remember here is that the logs should not be set on the subject host as all the files (including the logs) are deleted by the Deep Freeze after restarted (under default installation). So the logs should be send to or logged in a remote machine.

2. Manual Verification
- Manual verification of the application is the next solution to make sure that the system is not compromised.

Please feel free to correct me where I am wrong and come up with new countermeasures.

Regards,

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

LSOChris

Post Thu Sep 14, 2006 10:49 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

really good article!

with proper group policy you MAY be able to keep people from running two instances of the program or not having access to the program files folder as a solution to the hack.

great job  on the article.
<<

redhat123

Newbie
Newbie

Posts: 1

Joined: Sat Oct 14, 2006 3:09 pm

Post Sat Oct 14, 2006 3:19 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Excellent tutorial!!! I am very close to disabling DeepFreeze but I'm currently stuck at these steps:

Right click over the code and a context menu will appear, select 'Go to' and then 'Expression' (or use the shortcut Ctrl+G).
In the text box enter the following value according to the Deep Freeze version you have installed and press OK.

VERSION/VALUE
4.20.020.0598 / 40368D
4.20.120.0598 / 40368D
4.20.121.0613 / 4034F5
5.20.220.1125 / 4037E9
5.30.120.1181 / 4037E9
The program will jump to the line of code.


My question is: What is the correct value for version 6.00.220.1523 and how does one find out this information?
Thanks.
<<

lovepascal

Newbie
Newbie

Posts: 1

Joined: Wed Jan 31, 2007 3:09 am

Post Wed Jan 31, 2007 3:46 am

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

VERSION/VALUE
DeepFree 6.0. ../ ?

Do the have not who respond so?
Help me ! What is the process to raid the bear the address offset of DeepFree ?
Sorry, because I be the Vietnam, ought to very evil English language, all the spruce be touched all right.

=======================
The language is Vietnamese
=======================

Hướng dẫn này được tôi dịch ra tiếng Việt, sau đó có post 1 số forum và được các bạn nhiệt liệt hoan nghênh.
Nhưng hiện nay đã xuất hiện cái DeepFree 6.0. ... Tôi không có VALUE của các phiên bản này.

Vậy, các bạn hãy giúp đỡ - nhất là anh The Morpheus - hướng dẫn tôi quá trình truy tìm địa chỉ offset của DeepFree (cái con số VALUE). Xin cảm ơn thật nhiều.

Xin lỗi, Bởi vì tôi là người Việt Nam, Nên ngôn ngữ Tiếng Anh rất tệ, tất cả thông cảm nhé !
<<

dadwhiskers

Post Sun Feb 24, 2008 11:39 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

The OllyScript.zip link is dead, and no live link googles.  Please send it to me in an attachment if you can.  dadwhiskers@gmail.com
<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Mon Feb 25, 2008 3:37 am

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Hi dadwhisters,

The links are attached to the post. Please refer the attachments to the post: you can see something like this:

* OllyScript.zip (104.69 KB - downloaded x times.)
* ASPackOEPfinderScript.txt (0.6 KB - downloaded x times.)

Click on that and you will get the files.

Regards
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

xxxxx

Newbie
Newbie

Posts: 2

Joined: Thu Feb 28, 2008 12:00 pm

Post Thu Feb 28, 2008 12:22 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

on deep freeze 6.10.20.1616 there are about 30 lines of code which resemble the call frzstate line of code described for deep freeze 5. these lines begin at 0069D83A and are found at regular intervals until 0069EBOE. maybe it might be possible that one of these lines will disable the password protection if the procedure described for deep freeze 5 is followed.
Last edited by xxxxx on Thu Feb 28, 2008 12:24 pm, edited 1 time in total.
<<

zr0crsh

Newbie
Newbie

Posts: 14

Joined: Tue Apr 24, 2007 8:31 am

Post Thu Feb 28, 2008 2:50 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Version 6 may not be vulnerable. Remember, this issue came out in 2005.

http://www.securiteam.com/windowsntfocu ... 1FG0S.html
<<

djamog

Newbie
Newbie

Posts: 1

Joined: Fri Jul 25, 2008 12:27 pm

Post Fri Jul 25, 2008 12:35 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

me too i also nid the files email it to me also valdez_iii@yahoo.com

and djamog10@gmail.com  thks.................
<<

sticla

Newbie
Newbie

Posts: 1

Joined: Tue Aug 05, 2008 4:02 am

Post Tue Aug 05, 2008 4:20 am

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

ollyscript.zip is corruped..
<<

Steal_Everything8

Newbie
Newbie

Posts: 1

Joined: Tue Sep 30, 2008 5:21 pm

Post Tue Sep 30, 2008 5:36 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

It doesn't really matter, considering that it's been patched.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Oct 01, 2008 3:07 am

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

Steal_Everything8 wrote:It doesn't really matter, considering that it's been patched.


Of course every system in the world is fully patched.....
<<

xxxxx

Newbie
Newbie

Posts: 2

Joined: Thu Feb 28, 2008 12:00 pm

Post Sat Oct 18, 2008 4:10 pm

Re: Unfreeze The Deep Freeze - Step by Step tutorial to bypass Deep Freeze

most likely it is true that deep freeze 6 has been patched but i havn't been able to locate any leads. maybe there may be some way to detect the password with some program which someone may know about.
Next

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software