First, some links to the official product:
http://www.faronics.com/enterprise/deep-freeze
And before I do on, read about the Unfreezer which written by Blackhat Emiliano Torres.
http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html
He had managed to break Deep Freeze again and again, at least until v5.7. Then there was nothing. Did version 6 onward finally defeated all the hacks? Well, I am going to the answer is NO. In fact, it just got simpler!
Before I go about talking about hacking Deep Freeze, let me show talk about the critical flaw in the design which can cause some totally disastrous situations which is irrecoverable.
Lets imagine for a moment that you suspect there are malware in the system and the malware is going to clean it up at the next reboot. But hell, you have no idea there was a schedule scan at reboot and you freeze your system drive. What is going to happen? It will boot up and scan the HDD and then maybe it will find the malware and remove it, but it doesn't matter because its frozen. And at the end of the scan, the anti malware would reboot to make sure you boot up clean and good. And then it will reboot, and because the flag for "I have already scanned" is actually not save, it would scan again. Infinite loop. So totally screwed aren't we.
Similarly, if you have a really good defrag program like PerfectDisk or similar product which allows your to perform a boot time defrag for your system files, you can imagine it will be the similar case above. Defrag and it will try to set flag and reboot, but it will not change the flag and it will loop forever.
And now this is the part which I talk about the flaw. YOU CANNOT UNFREEZE UNLESS YOU CAN BOOT INTO WINDOWS!!!! So, there is no way out even if you have the password, the admin access and the physical. OK, let me take it back, you can if you read on. But otherwise, its great format time and a good round of curse and swearing at Deep Freeze.
Now, you will notice I had talked about the flag in the above case. That is the same principle we are going to use to break Deep Freeze. Let's take a look at some of those boot up files which are in Windows system and main directory:
- DepFrzLo.sys (kernel driver)
- DepFrzHi.sys (filesystem driver)
- dfserv.exe (service)
- frzstate.exe (password dialog)
- persis00.sys (password file and “on/off switch”)
If you are sharp, you would already know how I would do it. During one of the penetration test, I was asked if I have and do-not-have physical access, how would I do it. So, lets tackle the have physical access first because its definitely easier.
You can go ahead and delete the filesystem driver, which does not work. The trick actually lies in the persis00.sys or persis0.sys depending on which version. What you will need is the trial version at least and install it on another system with a known password since you install it. Then boot it up and unfreeze the drive and shut down. Copy out the file. I will advise using a WinPE based boot up vie a LiveCD or Mini-XP to read the file out.
What you need to do next is to plant and replace the locked file in the target drive. Using the same method, boot up your LiveCD and mount the drive. Then just replace the file. YES, its that simple. Nothing prevents you from doing anything at all from the LiveCD. Make you feel pretty stupid paying so much for this piece of software don't it?
Anyway, after the file had been replaced, boot it up and its unfreeze. Uninstall it, reinstall it, do whatever you want. And remember to get the flag for your anti malware or defrag software set before getting stuck again in another infinite loop. But what the hell, as long as you keep your unfrozen persis00.sys handy, break it is only limited to how fast your LiveCD can boot up.
So, what if I have no physical access? OK, this part is concept only, since I did not completely test it. Deep Freeze does not protect the boot MBR if you bypass the mass IRP hooking using another driver. OK, you will look at me and give me the WTF look. Yes, Deep Freeze uses rootkit technology obviously. Their IRP hook however could be bypassed. One such tool is MBRKit. With that in, all you need to do it to redirect the boot up somewhere else. For example, another mini-Linux with Samba image. Then put in the boot up script into the boot image to replace the file persis00.sys and of course do remember to set the boot back to normal once it had successfully done so. So does that sound far fetch. Of course NOT. But it has man risk which may cause the system to hang up etc, so extensive testing is required to create such an attack. Of course, I think I just gave the concept design for a Deep Freeze attack rootkit.
So, Deep Freeze is totally crap. No, obviously not. It just had its flaw. Is there a way to prevent this attack. Yes. Consider full disk encryption. And NO. Even with a full disk encryption, there is an unencrypted partition and that could be attacked. Unless its pure hardware based implementation.
I hope this very long article is help to give you some insight on Deep Freeze. While this exposed on way to overcome it, it can prove to be helpful in life and death situation such as the one above. I hope Deep Freeze give this more thought rather than the "We will think about it" when they got hacked by Emiliano Torres.
Download the workable Anti Deep Freeze Rootkit here:
HAHA, sorry no download! :P
No comments:
Post a Comment