COMMAND

    Foolproof

SYSTEMS AFFECTED

    Foolproof

PROBLEM

    Bryan Hughes found the following.  FoolProof Security is a desktop
    security application for Windows 95/98/ME.  Its purpose is to block
    users from running any program other than those the administrator
    intends, and to allow the user to save files only to specific
    locations (usually the floppy disk drive).  FoolProof Security is
    usually found in computer labs or on publicly accessible systems.

    A vulnerability exists in FoolProof Security: it restricts certain
    programs by file name only, not by the contents of the executable.
    By renaming a restricted program, it can be executed successfully.
    This can be used to circumvent the security measures put in place
    by FoolProof, and even to remove it from the system entirely.

    The following is an example.  On a system with FoolProof Security
    installed, open an MS-DOS prompt (usually found in Start Menu ->
    Programs -> Accessories).  ['COMMAND.COM' is not restricted by
    FoolProof.]  At the command prompt issue the 'ftp' command and open
    a connection to an FTP server to which you have write access.
    ['FTP.EXE' is not restricted by FoolProof.]  Upload the restricted
    program which you wish to run [such as 'deltree', 'xcopy', 'edit',
    'fdisk' or 'format'].  Afterwards, download these programs under a
    different name.  [Use names other than those of restricted
    programs.  Names such as 'tmp001a.exe' work.]  You will now be able
    to use these programs just as if they were the restricted
    equivalent.

    Side Note: Although you can use this process to run 'regedit', the
    registry itself is still locked by FoolProof.

    HD added more.  He once had the privilege of having to reconfigure
    a huge group of machines running Windows 95 and the then-current
    FoolProof software, without the aid of the FoolProof admin
    password.  The best way to bypass the system is to create a Visual
    Basic macro in Word that codes up a run window and a registry
    editor via the Win32 API (FoolProof can be disabled from the
    registry).  He copied the macro'd document onto a floppy and made
    his rounds, disabling FoolProof and changing the network settings
    with a single button.  Every FoolProof/Windows installation he saw
    allows the MS Office suite to be run, which gives full access to
    the system via the VBA macro interface.  The same holds true for
    other desktop "security" programs (WinShield, SherLock).

SOLUTION

    A quick fix would be the removal of the 'ftp' client (although it
    will still be possible to download a simple FTP client that will do
    the same job).  Additionally, any shortcuts to 'command' should be
    removed, as this method will not work without it.  Note that these
    steps only block the example above, not the underlying problem:
    as long as programs are restricted by name, any location the user
    can write to (the floppy drive, a network share, a writable program
    directory) can take the place of the FTP server.

    Sparty added the following.  The first solution is to compile a
    list of allowed executables and lock the filesystem (Fortres for
    Windows will attempt this).  However, since Windows 9x/ME isn't a
    multiuser OS by design, many apps expect to have full rein over
    their environment.  In particular, Microsoft Office likes to make
    changes to its own program directory.  The scenario seen is that a
    user, through winword.exe (which is allowed to run), is able to
    write into the Microsoft Office directory.  So the user seeking
    additional access will start winword and copy command.com (or
    explorer.exe, or another program of his or her choice) over the
    Excel executable.  The user then runs "Excel" and has much greater
    access to the system.  If the filesystem and registry are somehow
    locked, they are still limited, but this scenario provides a way to
    execute arbitrary code even in a controlled environment.

    Of course, using anything other than Ghost (re-imaging the disk to
    a known-good state) to secure a Windows 95/98/ME host is doomed to
    failure.