COMMAND
Foolproof
SYSTEMS AFFECTED
Foolproof
PROBLEM
Bryan Hughes found the following. FoolProof Security is a desktop
security application for Windows 95/98/ME. Its purpose is to
block users from accessing all programs except those permitted
by the administrator. Additionally, it is intended to allow the
user to save files only to specific locations (usually the floppy
disk drive). FoolProof Security is usually found in computer labs
or on publicly accessible systems.
A vulnerability exists in FoolProof Security in that it
identifies restricted programs only by their file name. By
renaming a restricted program, it can be successfully executed.
This vulnerability can be used to successfully circumvent the
security measures put forth by FoolProof, and even to remove it
entirely from the system.
The following is an example. On a system with FoolProof Security
installed, open an MS-DOS shell (usually found in Start Menu ->
Programs -> Accessories). ['COMMAND.EXE' is not restricted by
FoolProof.] At the command prompt issue the 'ftp' command and
open a connection to an FTP server to which you have write
access. ['FTP.EXE' is not restricted by FoolProof.] Upload the
restricted program that you wish to run [such as 'deltree',
'xcopy', 'edit', 'fdisk', or 'format']. Afterwards, download
these programs under a different name. [Use names other than
those of restricted programs. Names such as 'tmp001a.exe' work.]
You will now be able to use these programs just as if they were
the restricted equivalent.
Side Note: Although you can use this process to run 'regedit',
the registry is still locked by FoolProof.
HD added more. He once had the privilege of having to reconfigure
a huge group of machines running Windows 95 and the then-current
FoolProof software, without the aid of the FoolProof admin
password. The best way to bypass the system is to create a
Visual Basic macro in Word and code up a run window and a
registry editing system via the Win32 API (FP can be disabled
from the registry). He copied the macro'd document onto a floppy
and made his rounds, disabling FP and changing the network
settings with a single button. Every FP/Windows installation he
has seen allows the MS Office suite to be run, allowing full
access to the system via the VBA macro interface. The same holds
true for other desktop "security" programs (WinShield, SherLock).
SOLUTION
A quick fix would be the removal of the 'ftp' client (although
it will still be possible to download a simple FTP client that
will do the same job). Additionally, any shortcuts to 'command'
should be removed, as this method will not work without it.
Sparty added the following. The first solution is to compile a
list of allowed executables and lock the filesystem (Fortres for
Windows will attempt this). However, since Windows 9x/Me isn't a
multiuser OS by design, many apps expect to have full rein over
their environment. In particular, Microsoft Office likes to make
changes to its program directory. The scenario seen is that a
user is allowed to write to the Microsoft Office directory with
winword.exe, for example. So the user seeking additional access
will start winword and copy command.com (or explorer.exe, or
another program of his or her choice) over the Excel executable.
The user then runs "Excel" and has much greater access to the
system. If the filesystem and registry are somehow locked, they
are still limited, but this scenario provides a way to execute
arbitrary code even in a controlled environment.
Of course, using anything other than Ghost to secure a Windows
95/98/Me host is doomed to failure.
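The two failure modes above (a restricted binary re-downloaded under a harmless name, and a permitted binary overwritten with another program) both defeat a policy that keys on file names. The following is an added example, not code from the advisory or from any of the products it mentions, contrasting a name-based deny list with a content-hash allowlist on constructed sample files; the file contents and the policy functions are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Names the advisory lists as restricted by FoolProof (constructed policy).
RESTRICTED_NAMES = {"deltree.exe", "format.exe", "fdisk.exe", "command.com"}


def name_policy_allows(path: Path) -> bool:
    """Name-based check, mirroring how the advisory describes FoolProof."""
    return path.name.lower() not in RESTRICTED_NAMES


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_policy_allows(path: Path, allowed_hashes: set) -> bool:
    """Content-based allowlist: only enrolled binaries may run, whatever their name."""
    return sha256_of(path) in allowed_hashes


def demo() -> dict:
    """Replay both bypasses against each policy; returns the allow/deny outcomes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for real binaries.
        deltree = root / "deltree.exe"
        deltree.write_bytes(b"CONSTRUCTED deltree image")
        excel = root / "excel.exe"
        excel.write_bytes(b"CONSTRUCTED excel image")
        allowed = {sha256_of(excel)}  # enrol the genuine Excel binary
        # Bypass 1: restricted program saved back under an innocuous name.
        renamed = root / "tmp001a.exe"
        renamed.write_bytes(deltree.read_bytes())
        # Bypass 2: command.com copied over the Excel executable.
        excel.write_bytes(b"CONSTRUCTED command.com image")
        return {
            "name_blocks_original": not name_policy_allows(deltree),
            "name_allows_renamed": name_policy_allows(renamed),
            "hash_allows_renamed": hash_policy_allows(renamed, allowed),
            "name_allows_overwritten_excel": name_policy_allows(excel),
            "hash_allows_overwritten_excel": hash_policy_allows(excel, allowed),
        }
```

The name check passes both bypasses, while the hash allowlist rejects both because neither file's contents were enrolled.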