Date: Wed, 4 Nov 1998 15:55:09 -0500
From: Krish Jagannathan
To: BUGTRAQ@netspace.org
Subject: FoolProof for PC Exploit
I figured this much out -- if you are running on FoolProof for the PC
(Win9x) and you boot up in safe mode (with or without network support) it
will bypass the FoolProof TSR and enable full privileges, even deleting
the FoolProof directory.
---
Krish Jagannathan
krisjag@juno.com
YCHJCYADTKCF
___________________________________________________________________
Date: Mon, 9 Nov 1998 15:48:36 -0500
From: Erik Soroka
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
On Wed, 4 Nov 1998 15:55:09 -0500, Krish Jagannathan wrote:
>I figured this much out -- if you are running on FoolProof for the PC
>(Win9x) and you boot up in safe mode (with or without network support) it
>will bypass the FoolProof TSR and enable full privileges, even deleting
>the FoolProof directory.
Another point of reference dealing with this program (and a much cleaner
approach) -- FoolProof for Windows 9x stores the administrator password in
plaintext in the Windows Swap file. All you have to do is boot up into safe
mode (as mentioned above), copy the swap file to a temporary filename, reboot
into windows and use a hex editor to search the swapfile for the string,
"FOOLPROO" and right after will be the actual password.
foolproof - adj. (1) "so simple, plain, or reliable as to leave no opportunity
for error, misuse, or failure..."
The name of this "security" program doesn't seem to fit the numerous bugs and
glitches it has -- however it is a neat program with some nice features that
might come in handy on systems accessible to the public.
Enjoy.
______________________________________________________________
Erik M. Soroka (NIC: ES2600) | Voice/Fax: 508.669.5208
KIREnet Communications Inc. | Page/Beep: 978.629.3322
Web: http://www.kirenet.com | E-Mail: erik@kirenet.com
______________________________________________________________
___________________________________________________________________
Date: Mon, 9 Nov 1998 14:56:21 -0600
From: axon
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
This works for the macintosh as well. Holding down while booting
bypasses extensions. FoolProof for mac does not load, and ZAP! Away
with foolproof (or just to temporarily get it out of your way... just
because you can.) I'm not really a Macintosh guy, but when that's all
you're given on campus through most of your high school years, you'll
learn to tinker. Also, if you use the resource editor to open up
foolproof Macintosh, you can find a (poorly) encoded password. It's
been 2 or 3 years, but I think it was derived from base 64 or something
silly like that, but memory may serve me incorrectly. Play around. You
may be able to find some registry goodies with FoolProof for Win95 (or if
it doesn't do registry handling...you mentioned it's a TSR), maybe break
out your hex editor on some configuration files.
-axon-
-Editor-in-chief, Hackers Information Report E-Zine
http://hir.home.ml.org
"A Hacker of the Light..."
___________________________________________________________________
Date: Mon, 9 Nov 1998 13:04:52 -0800
From: Darren Rogers
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
Actually, this works for pretty much any Win9x 'security' add-on. If the startup menu is disabled (most add-on hacks let you do this
without the text file editing normally required), a well-timed flick of the power switch will enable you to start in safe mode.
DJ
>>> Krish Jagannathan 11/04 12:55 PM >>>
I figured this much out -- if you are running on FoolProof for the PC
(Win9x) and you boot up in safe mode (with or without network support) it
will bypass the FoolProof TSR and enable full privileges, even deleting
the FoolProof directory.
---
Krish Jagannathan
krisjag@juno.com
YCHJCYADTKCF
___________________________________________________________________
Date: Mon, 9 Nov 1998 13:04:53 -0800
From: The Tree of Life
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
This is true for some cases, but the latest FoolProof allows an option that
will prompt for a password if someone presses F5 or F8 at bootup. It will
then allow you unlimited tries, but you can't resume normal bootup unless
you reboot. FoolProof also doesn't protect the 'Press Del to enter Setup'
at bootup, so you can reset the boot sector to default (this works on some
models where it resets the boot sector to factory default), which I think
bypasses the F5 thing. Before that happens though, the boot sector has to
be in memory already (the old one), so that the system can replace the new
one with the old one.
Oh, I've seen a QB program where it records keystrokes, even ctrl and
shift. Since FoolProof doesn't allow people to run programs externally,
but could open up a text file, just load the .bas file in QB.EXE and maybe
if someone could get it to run in low priority (background process), it
could capture the hotkey.
Another thing is that I *think* it is possible (I'll try it tomorrow in
school) to copy command.com onto a disk, rename it to temp.txt, and
load it in WordPad. Then save it as c:\windows\help\wordpad.hlp (answer
no when it asks you to convert it), and go to Help and you'll be dropped
to DOS.
I hope that helps.
btw: That gay jester at startup sucks..it's very annoying :)
-t
.--------------------------------------------------------------------------.
|The Media and the Monster: Which is the Creator and which is the creation?|
|--------------------------------------------------------------------------|
| System Administrator/DNS Network Administrator/Keeper of Gods |
|Kalifornia.com (c)1998 | ttol@stuph.org | http://www.ttol.stuph.org|
`--------------------------------------------------------------------------'
___________________________________________________________________
Date: Mon, 9 Nov 1998 20:23:07 -0800
From: William Tiemann
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
On Wed, 4 Nov 1998, Krish Jagannathan wrote:
>I figured this much out -- if you are running on FoolProof for the PC
>(Win9x) and you boot up in safe mode (with or without network support) it
>will bypass the FoolProof TSR and enable full privileges, even deleting
>the FoolProof directory.
>---
>Krish Jagannathan
>krisjag@juno.com
>YCHJCYADTKCF
This may be true (in fact it is true) but is a sign that your administrator
forgot or did not know about F8. This was the case at a school I know
that just set up FoolProof, forgot F8, and diskette booting, but that was
negligence.
So here is another problem in foolproof
Bug/flaw:
A bug that for all intents and purposes is a bug. If you can execute 'echo'
with 4 command line arguments you can disable (essentially delete)
foolproof.
Implication:
Disable _protection_ (if you can call it that) from FoolProof.
Exploit:
echo Hi > c:\fool95\fooltsr.exe
Do this with every file in the foolproof dir (The install directory may
vary).
Fix:
Run a UN*X os instead of a Microsoft product?
Seriously though, I have not looked into side effects (or if even possible)
to disable 'echo', so making all files in the foolproof dir (and elsewhere
throughout the computer, have not looked for them all) read only so you
_can't_ write to them, but also disable attrib changes.
-- Max Inux Hey Christy!!! KeyID 0x8907E9E5
Kinky Sex makes the world go round O R Strong crypto makes the world safe
If crypto is outlawed only outlaws will have crypto
Fingerprint(Photo Also): 259D 59F7 D98C CD73 1ACD 54Ea 6C43 4877 8907 E9E5
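An added example (not from the thread or from SmartStuff): a baseline-and-verify integrity check over a protected program directory, which catches the kind of overwrite described above (an executable replaced by a few bytes of text) and flags files that lack the read-only attribute the Fix proposes. The directory is a temporary stand-in, and fool95.ini is a constructed file name; fooltsr.exe is the name from the post.

```python
import hashlib
import os
import stat
import tempfile

def build_baseline(directory):
    """Record (sha256, size) for every regular file in the protected directory."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            baseline[name] = (hashlib.sha256(data).hexdigest(), len(data))
    return baseline

def check_directory(directory, baseline):
    """Compare the directory against the baseline; return (file, finding) pairs."""
    findings = []
    current = build_baseline(directory)
    for name, (digest, size) in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        cur_digest, cur_size = current[name]
        if cur_digest != digest:
            findings.append((name, f"modified (size {size} -> {cur_size})"))
        # Read-only attribute is the fix the post proposes; report files without it.
        if os.stat(os.path.join(directory, name)).st_mode & stat.S_IWRITE:
            findings.append((name, "writable"))
    return findings

def demo():
    """Constructed scenario: baseline a stand-in install dir, then overwrite one file."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("fooltsr.exe", b"MZ" + b"\0" * 510), ("fool95.ini", b"[config]\r\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, stat.S_IREAD)                    # apply the read-only attribute
        baseline = build_baseline(d)
        clean = check_directory(d, baseline)                 # expected: no findings
        victim = os.path.join(d, "fooltsr.exe")
        os.chmod(victim, stat.S_IREAD | stat.S_IWRITE)       # attribute cleared, as via attrib
        with open(victim, "wb") as fh:
            fh.write(b"Hi\r\n")                              # the 4-byte overwrite from the post
        dirty = check_directory(d, baseline)                 # expected: modified + writable
        for name in os.listdir(d):                           # restore write bit so cleanup works on Windows
            os.chmod(os.path.join(d, name), stat.S_IREAD | stat.S_IWRITE)
        return clean, dirty
```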
___________________________________________________________________
Date: Tue, 10 Nov 1998 22:31:43 GMT
From: pcsupport , pcsupport@smartstuff.com
To: BUGTRAQ@netspace.org
Subject: Re: FoolProof for PC Exploit
Michael,
We are perfectly aware that on older versions of FP the password is visible
with a hex editor. But since any school would be foolish to allow such
programs to run in the first place, the issue is a dead end 99.9% of the
time. This is not military style, espionage-level security - it is for public
workstations with restricted purposes and limited applications.
As you indicated, typical computers are exceedingly simple to understand and
horse around with. We agree, and appreciate that most high schoolers can
easily grasp what is required to operate and even program computers. This
should not be surprising to anyone.
That being said, the point of security for most schools is one of convenience
and very casual play with the machines by students. FoolProof can be
configured to be very hard to break indeed, but some schools simply do not
want to configure it in that fashion - and they may well be right if they
know their students well.
Don't worry - more encryption and more features are always in the works. Take
care,
SmartStuff Software Technical Support
800-671-3999
Michael Ballbach, ballbach@lorien.ml.org writes:
[ I'm cc'ing smartstuff, maybe this time they'll hear us. Smartstuff, feel
free to contact me for more information on what I know. The following
refers to foolproof v1 - v3, on a mac. ]
Holding shift to bypass foolproof on a mac is ineffective if you enable
the disable foolproof bypass on extension bypass option or however it's
phrased in there.
The password is not base64 encoded, and depending on the version there are
various (very poor) methods of trying to obscure it, in the preference
files for versions prior to 3, the password sticks out like a sore thumb,
and with versions 3+ it's a tad more obscure, but the method of encryption
has not changed.
I broke the encryption my freshman year in high school and it took about
an hour with a piece of paper and a hex editor, I didn't even use a
calculator. The base conversions took the most time. (ok ok two pieces of
paper)
Perhaps these issues coming into the public will force smartstuff to do
something about it, I've contacted them many times and they either ignore
me, or some guy that has no clue what's happening replies and blows me
off.
I'd publish the encryption details but doing so would compromise the
security of thousands of machines (including the ones I used to run), and
I don't think that's worth it... (I think smartstuff would agree) It's a
good program over all, but they really picked a very poor method of
encryption for a program that's supposed to protect machines at
educational institutions... Christ, I'm a high school dropout and it
wasn't a challenge for me.