Sie sind auf Seite 1von 2

Considering that:

a) Faronics is sending DMCA notices to researchers describing vulnerabilities


in their products[1];
b) there is no security contact or PGP key available on Faronics website;
c) these bugs require local user access and cannot be exploited remotely;
Faronics was not notified in advance.

Faronics Deep Freeze weakly-encrypted password disclosure vulnerability


----------------------------------------------------------------------Application Vendor: Faronics
Vendor URL: http://www.faronics.com
Discovered by: kao <kao.was.here@gmail.com>
Date discovered: Nov-2012
Public disclosure date: Mar-2013
Type of vulnerability: Weak Cryptography - Design Flaw
Background
---------Faronics Deep Freeze is application which allows system administrators to protec
t the core operating
system and configuration files on a workstation or server by restoring a compute
r back to its original
configuration each time the computer restarts. According to Faronics website, th
e software is installed
on over 5 million workstations worldwide.
Versions affected
----------------This vulnerability has been successfully tested on the following versions:
Faronics Deep Freeze Standard 6.10..7.51
Faronics Deep Freeze Enterprise 6.00..7.51
Faronics Deep Freeze Server Standard 6.30..7.51
Faronics Deep Freeze Server Enterprise 6.30..7.51
However, it is suspected that most previous versions are also affected.
Description of vulnerability
---------------------------DeepFreeze user mode process requests DeepFreeze configuration information from
the driver using
IoControl call. Returned buffer contains not only product configuration but also
xor-encrypted password
that allows complete access to DeepFreeze configuration interface. Decryption ke
y is also present in the
buffer.
There are several possible attack vectors:
- Attacker can dump frzstate2k.exe process memory and locate encrypted password
in it.
- Attacker can issue IoControl call and receive configuration information inclu
ding encrypted password.
Proof-of-Concept
---------------See Meltdown and its source code.

Faronics Deep Freeze Enterprise Customization Code Hash disclosure vulnerability


-------------------------------------------------------------------------------Application Vendor: Faronics
Vendor URL: http://www.faronics.com
Discovered by: kao <kao.was.here@gmail.com>
Date discovered: Nov-2012
Public disclosure date: Mar-2013
Type of vulnerability: Weak Cryptography - Design Flaw
Background
---------Faronics Deep Freeze is application which allows system administrators to protec
t the core operating
system and configuration files on a workstation or server by restoring a compute
r back to its original
configuration each time the computer restarts. According to Faronics website, th
e software is installed
on over 5 million workstations worldwide.
Versions affected
----------------This vulnerability has been successfully tested on the following versions:
Faronics Deep Freeze Enterprise 6.00..7.51
Faronics Deep Freeze Server Enterprise 6.30..7.51
However, it is suspected that most previous versions are also affected.
Description of vulnerability
---------------------------After administrator console installation, product asks to enter unique "Customiz
ation Code". Xor-encrypted
32-bit hash of Customization Code is stored in dfc.exe, frzstate2k.exe and dfser
v.exe. These files are
later installed on client machines.
Anyone who has read access to these files (including Guest account) can extract
32-bit hash and use it
to generate One Time Password (OTP) and therefore gain complete access to Deep F
reeze configuration interface.
Proof-of-Concept
---------------See Meltdown and its source code.

References:
[1] http://www.chillingeffects.org/notice.cgi?sID=262