FoolProof Hacking Methods

FoolProof Passwords

Foolproof information for version 3.7

Relevant information for Foolproof 3.8

Relevant information for Foolproof 3.9

Another way to circumvent Foolproof

Yet some more ways to circumvent Foolproof

FoolProof Version History

First of all, the security system for Windows 95/98 known as FoolProof does nothing that can't be circumvented. Second, besides there being FoolProof hacking methods here, there is also general information on the product itself (not that you should ever consider buying it). Continue.

  1. Ok, here's all you have to do. When the computer starts up hit F8 and choose step by step confirmation. When you see the command line in the AUTOEXEC.BAT for FoolProof, DO NOT tell the computer to execute it. Then, when you have file read/write access, just edit the AUTOEXEC.BAT and CONFIG.SYS and REM out the commands. When you're done, make sure and un REM them so that the school doesn't catch on.

    This was given to me in an e-mail message.

  2. How to Circumvent FoolProof

    There is usually a hotkey to turn off FoolProof. One young hacker reports his school uses shift-alt-X (hold down the shift and alt keys at the same time, then press the “x” key.) Of course other schools may have other arrangements.

    If you get the hotkey right, a sound may play, and a lock in the lower-right corner should open for 20-30 seconds.

    Dante tells how he managed to get out of a hot spot with an even better hack of Fool Proof. “My computer science teacher asked me to show her exactly HOW I managed to print the ‘the universe revolves around me’ image I made to all the network printers in the school...” So he had her watch while he did the deed.

    ************************************************************

    You can get punched in the nose warning: Dante was lucky that his teacher was understanding. In some schools a harmless joke like this would be grounds for expulsion.

    ************************************************************

    Here is how Dante -- and anyone -- may disable FoolProof.

    1. First, break into the Windows box using one of the techniques of the GTMHHs on Hacking Windows. Warning -- don’t try the soldering iron bit. Your teacher will faint.
    2. Now you can edit the AUTOEXEC.BAT and CONFIG.SYS files. (Be sure to back them up.) In CONFIG.SYS delete the line device=fp, and in AUTOEXEC.BAT, delete FPTSR.EXE.
    3. Run REGEDIT.EXE. You have to remove FoolProof from the Registry, too. Use the Regedit search feature to find references to Fool Proof.
    4. Find the Registry backup files and make copies with different names just in case. Making a mistake with the Registry can cause spectacular messes!
    5. Save the registry, and reboot. FoolProof won’t load.
    6. To put things back the way they were, rename the backup files.

    You are now the school hero security expert.

    All of number two was ripped straight out of the GUIDE TO HARMLESS HACKING, Volume 3. To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message. Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.

    And that's exactly what I have done.

  3. I work at a school and we use FoolProof as a security application. And some kids bypass FoolProof by starting up the mac by holding down the space bar. This opens up the extensions manager before starting up the machine and then you can turn off the undesirable extension. Does anyone know how to get the space bar shortcut turned off so that the kids can't use this to bypass FoolProof?

    This was stolen from a posting on a news group.

  4. I had the same problem. FoolProof manual suggests moving the extension manager out of extension folder - see manual - but system software simply puts it back into extension folder. I used the extension manager and then simply removed it. When I want to change the loading of an extension I temporarily place extensions manager into the system folder and use it without restarting the computer. It is many months since I did this but I seem to recall simply using the extension manager preferences to update other machines. We run 6200s, 6300s and 5260s. Hope this is helpful.

    This was also stolen from a posting on a news group. It is the follow up post from the above post.

    To: km@hackersclub.com

    Subject: FOOLPROOF FOR MAC HAK

    Date: Tuesday, March 02, 1999 5:17 PM

    Here's how to disable Foolproof Controls on MACS-

    1. Turn On/Restart Computer
    2. Hold SHIFT while starting
    3. Wait for it to say welcome to crapintrash, extensions disabled
    4. Search for extensions MANAGER (and OPEN it!)
    5. Uncheck all foolproof extensions (there are 2 of them)
    6. RESTART
    7. ENJOY

    From macsux_14@hotmail.com

    The preceding instructions in yellow are instructions for the MAC hack.

  5. FoolProof. What is it?

    FoolProof provides you with control over how much access various users have to the data and applications on your computer. You can set up passwords for individuals or groups to have tightly restricted or completely free access. You can also restrict the locations at which files are stored for each user.

    Sounds like a pain. Why use it?

    Sometimes, inexperienced users may inadvertently erase or alter your important data. In addition, hackers may attempt to purposely destroy your files (HACKERS PURPOSELY DESTROYING DATA......NO REAL HACKER DOES THIS). FoolProof, when used correctly, can eliminate most of these problems.

    How does it work?

    Very well - as long as you don't share passwords with people who don't need to know them. It's important that you understand the three types of FoolProof passwords.

  6. FoolProof Passwords


    User/Group

    These passwords are accessed through the Login menu and are the most frequently used. Students should only use this type. Once logged in, the user has access to only those applications and system functions allowed for that particular password. Also, you can restrict where they store their data.

    Control

    This password is used by the person responsible for maintaining security on the computer. The control password is used in the FoolProof control panel, and allows a person to change settings for User/Group passwords, as well as create and delete users and groups.

    Administrator

    This password is the same for all computers at CVH. It allows complete access to all FoolProof functions. It will only be used in the event that you forget your control password.

    This one was also stolen from the same url trying to promote the same crappy security product.

  7. My school elected me the (not publicly known) "computer fix-it guy"... We run foolproof on the old apple II's and the win95 machines. My friend found this out by "borrowing" a copy of the foolproof manual - If you get a box that asks for the password (on a windows machine) and hit ALT-CTRL-SHIFT (may have been ALT-CTRL-TAB, not sure one was our hotkey, although the hotkey may have been ALT-CTRL-ESC - that's the factory default), it will give you a bunch of random numbers in the box. Write these down. Get on the internet. Go to foolproof's homepage. There is a place where you can enter the numbers to get an emergency onetime use password (in case you lose yours, etc... it generates a new numberset each time). Put that in the password box and you'll have full access to the foolproof control panel thing and to the system... Another way to get around foolproof is to start the system in safe mode. Foolproof doesn't load for windows, and you can remove it from the config.sys/autoexec.bat in notepad (I suggest you make a backup though, *heh*). Hope this helps.

    Carnage

    The above was sent to me via e-mail. Thank you Carnage.

Foolproof information for version 3.7

  1. The Ctrl+Alt+Shift (other combinations were: Ctrl+Alt+Tab and Ctrl+Alt+Esc) is now Ctrl+Alt+Shift+Enter. The given code must then be used when CALLING SmartStuff for a one-time-use code. The default hot key used to be ALT-CTRL-ESC. With FoolProof 3.7, there is no longer a default hot key. The admin has to specify one and it can be ANY combination of 3 keys.

  2. It is no longer always possible to use F5 and F8, with version 3.7. Some previous versions carry a Keylock capability, which locks these keys on boot.

  3. Hotkeys are virtually non-existent. They are still an option of course, but many sys admins are figuring this out and disabling them.

  4. Editing the Registry is no longer possible unless you have a DUMB-AS-SHIT sys admin. The last few versions of FoolProof have "disable regedit" checked by default. And no Admin is going to turn THAT option off (not even the mac-loving, know-nothing-about-a-pc admin at my school).

  5. Saving to the hard drive is also next to impossible. FP protects the Autoexec.bat and Config.sys so that they may not be changed. (you can look at them of course but you can't do any more than that unless you have F5/8.)

  6. If the computer is running Win98, it may not be possible to access a run command on System Information. If the computer uses Office97, it may not be possible to use the run command on system information (in many cases the admins have discovered the run command on the system info feature and have uninstalled that component of Office (Same with the shortcut bar)).

  7. Also the spacebar and shift key trick is "fixed" with the introduction of MacOS8.

    Quisit

"Foolproof information for version 3.7" was submitted by Quisit.

Relevant information for Foolproof 3.8

There are a few updates with version 3.8 that are worth mentioning. First of all, there is a new feature in 3.8 that can "lock a dangerous program". I have no idea what this means, but it most likely is referring to programs such as viruses and trojans that can damage the computer. All this means is that you need to use discretion in case you wish to install a keylogger or any other rogue program.

Secondly, there are two new "Foolproof" policy options available in the Network settings. The first one is the ability of Foolproof to make the network validate the user login name and password before allowing access to the system. I don't know when the authentication is presented to the user. It could either be when the computer is in DOS or Windows mode. If it is in DOS mode, then that might suggest that whenever the computer starts, the user has to put a valid username and password into a login prompt and then and only then will Windows start up. If that is the case, then that is the only way you can get access to Windows. If the authentication is presented in Windows, then that simply means that a valid username and password must be entered for access to the Desktop and the Windows network. Either of these is possible, but there is a third and much more likely possibility. The loophole that Foolproof is probably attempting to close here is this:

Whenever someone starts up the computer, DOS runs and then DOS will automatically load Windows. When Windows boots up it will want a valid username and password before anyone can access the desktop and network (and more importantly, the contents of the hard drive). You might notice that if you are on a LAN and you need access to the Windows environment from a Windows login prompt, all you have to do is press ESCAPE and you are automatically kicked into a default Windows desktop. Foolproof is probably just preventing you from doing that, but I should say that I don't know for sure because I don't have version 3.8 which means I haven't been able to test it. You will have to see for yourself.

The third new feature that is worth mentioning is simply the "Foolproof" policy option in the Network settings that can disable password caching. This option in Windows can also be accomplished through the policy editor or registry editor. I describe how to do this manually in the glide.htm document. All Foolproof has done is made this a "point and click" feature.

Relevant information for Foolproof 3.9

Improvements in release 3.9.3 (released 1/21/00):

Modifications have been made to make FoolProof Security compatible with the LabExpert network management and Vision classroom demonstration and remote control applications.

Improvements in release 3.9 (released 9/1/99):

  1. A new group option has been added to Group Settings. "Network Login Group Name" allows FoolProof to recognize groups created by both NT and Novell and will assign the necessary permissions.

  2. Access to the Close Program dialog via Control-Alt-Delete can now be disallowed.

  3. FoolProof Security is now compatible with Office 2000.

  4. FoolProof Security is now compatible with Internet Explorer 5.

  5. FoolProof Security is now compatible with Windows 98 Second Edition.

  6. User login/logout issues have been corrected.

  7. Installer issues, arising from installing FoolProof in non-default locations, have been corrected.

  8. Bootlock issues have been resolved. Bootlock Security can now protect multiple partitions on a drive and support systems using an extended BIOS. Bootlock and/or Keylock may now be enabled/disabled within the Basic Settings dialog.

Another way to circumvent Foolproof

Date: Sat, 21 Feb 1998 22:58:42 EST
From: Mark M Marko
To: BUGTRAQ@NETSPACE.ORG
Subject: FoolProof Insecurities



Howdy,

I have found a weakness in the password implementation of FoolProof. FoolProof is a software package used to secure workstations and LAN client machines from DoS and other lame-ass attacks by protecting system files (autoexec.bat, config.sys, system registry) and blocking access to specified commands and control panels. FoolProof was written by Smart Stuff software originally for the Macintosh but recently released for win3.x and win95. All my information pertains directly to versions 3.0 and 3.3 of both the 3.x and 95 versions but should be good for all early versions if they exist.



Since my high school bought a site licence I have spent some time playing with it. It is capable of modifying the boot sequence on win3.x machines to block the use of hot keys and prevent users from breaking out of autoexec. It also modifies the behavior of command.com so that commands can be verified by a database and anything deemed unnecessary or potentially malicious can be blocked (fdisk, format, dosshell?, dir, erase, del, defrag, chkdsk, defrag, undelete, debug, etc.). Its windows clients provide for a way to log into/out of FoolProof for privileged access by using a password or hot key assignment. The newer installation of 95 machines have a centralized configuration database that lives on our NetWare server.



My first success with breaking FoolProof passwords came by using a hex editor to scan the windows swap file for anything that might be of interest. In the swap file I found the password in plain text. I was surprised but thought that it was something that would be simply unavoidable and unpredictable. Later though I used a memory editor on the machine (95 loves it when I do that) and found that FoolProof stores a copy of the user password IN PLAIN TEXT inside its TSR's memory space.



To find a FoolProof password, simply search through conventional memory for the string "FOOLPROO" (I don't know what they did with that last "F") and the next 128 bytes or so should contain two plaintext passwords followed by the hot-key assignment. For some reason FoolProof keeps two passwords on the machine, the present one and a 'legacy' password (the one you used before you _thought_ it was changed). There exist a few memory viewers/editors but it isn't much effort to write something.



Getting to a point where you can execute something can be difficult but isn't impossible. I found that it is more difficult to do this on the win3.x machines because FoolProof isn't compromised by the operating system it sits on top of; basically getting a dos prompt is up to you (try file manager if you can). 95 is easier because it is very simple to convince 95 that it should start up into Safe-Mode and then creating a shortcut in the StartUp group to your editor and then rebooting the machine (FoolProof doesn't get a chance to load in safe mode).



I tried to talk to someone at SmartStuff but they don't seem to care what trouble their simple minded users might get into. They told me I must be wrong because they use 128 bit encryption on the disk. Apparently they don't even know how their own software works because the utility they provide to recover lost passwords requires some 32+ character master password that is hardwired into each installation.



JohnWayne




The preceding information was taken from http://www.insecure.org
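The swap-file and TSR-memory findings in the Bugtraq post above translate into a check an administrator can run against their own machine: set a throwaway canary password, capture the swap file or a memory image, and see whether the canary turns up in plaintext. This is an added example, not code from the original post; the function names and the sample image are constructed for illustration.

```python
import io


def secret_patterns(secret):
    """Map each byte pattern a plaintext copy of `secret` could take to a label."""
    if len(secret) < 4:
        raise ValueError("use a canary of at least 4 characters to avoid noise")
    patterns = {}
    for case, text in (("as-typed", secret), ("upper", secret.upper())):
        # setdefault keeps one label per distinct byte pattern
        patterns.setdefault(text.encode("latin-1"), f"{case}/ansi")
        patterns.setdefault(text.encode("utf-16-le"), f"{case}/utf-16le")
    return patterns


def find_plaintext_secret(stream, secret, chunk_size=1 << 20):
    """Return sorted (offset, variant) hits for `secret` in a binary stream.

    The stream is read in chunks; the tail of each chunk is carried over so a
    copy that straddles a chunk boundary is still found.
    """
    patterns = secret_patterns(secret)
    overlap = max(len(p) for p in patterns) - 1
    hits = set()
    tail = b""
    base = 0  # file offset of the first byte of tail + chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for pattern, label in patterns.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((base + pos, label))
                pos = window.find(pattern, pos + 1)
        keep = min(overlap, len(window))
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return sorted(hits)


def scan_file(path, secret):
    """Scan a captured swap file or memory image on disk."""
    with open(path, "rb") as fh:
        return find_plaintext_secret(fh, secret)


def constructed_image():
    """Constructed sample: zero filler with two plaintext copies of a canary."""
    canary = "Canary-7319"
    blob = bytearray(300)
    blob[37:48] = canary.upper().encode("latin-1")   # uppercased 8-bit copy
    blob[120:142] = canary.encode("utf-16-le")       # wide-character copy
    return canary, bytes(blob)


if __name__ == "__main__":
    canary, image = constructed_image()
    # A small chunk size forces the second copy across a chunk boundary.
    for offset, variant in find_plaintext_secret(io.BytesIO(image), canary, 64):
        print(f"plaintext canary at offset {offset} ({variant})")
```

Any hit means the password is recoverable by whoever can read that file or memory region, regardless of how it is stored on disk.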

Yet some more ways to circumvent Foolproof

Besides what has already been mentioned here, there are many other ways to circumvent Foolproof.

  1. First of all, if you copy the file c:\windows\command.com (also known as the DOS prompt) to a floppy and then rename it to whatever.hlp, you can get access to an unregulated DOS prompt session so you can further disable Foolproof. One way to put command.com to a floppy is to open c:\windows\command.com in Notepad or Wordpad and then save it under a name like whatever.hlp (make sure you save it as TEXT ONLY). Even if Foolproof lets you access c:\windows\command.com, you can't necessarily do ANY DOS command you wish because Foolproof prevents it. You may or may not already know that Windows treats files with the extension *.hlp like an executable program. Most admins/idiots will allow you to save files to a floppy disk, which means the files can be accessed via the "Save As" window. If you have the ability to save ANYTHING to a floppy, then simply double click on your whatever.hlp file (your renamed command.com file) and bring up a DOS prompt that is UNREGULATED by Foolproof. From here you can delete the Foolproof program files and/or edit the c:\autoexec.bat and c:\config.sys files so Foolproof is never loaded at bootup.

  2. This is a much speedier method than the above, but it might not work as well. The advantage to this method is that it saves time and you don't need access to the floppy drive for it to work, but you MUST have access to the DOS prompt. Simply run the DOS prompt (the one under control of Foolproof) and then instead of typing straight commands you simply put the word ECHO before each command. One example is "echo Hi > c:\fool95\fooltsr.exe". That command should overwrite the main Foolproof program file. You should have access to the ECHO command so if you do, then I would recommend deleting the Foolproof program files and/or edit c:\autoexec.bat and c:\config.sys files so Foolproof is never loaded at bootup.

  3. If you really want to get around Foolproof bring a boot diskette to the computer and reboot it from the boot disk and/or you can press F5/F8 when the autoexec is running (might be just a few seconds) and load Windows into safe mode. Once in safe mode, you can delete the Foolproof program files and/or edit the c:\autoexec.bat and c:\config.sys files so Foolproof is never loaded at bootup.

  4. Launch a process viewing application (for example, Microsoft's pviewer) and kill FoolProof's running VXDs. Foolproof will now be disabled (although it will be loaded again on the next boot).
  5. To uninstall Foolproof, move all the files from the FoolProof directory (which is '\sss' by default) to a temporary directory. Be sure to move all the files except the two .VXD files. On the next boot only the VXDs will be loaded, but Foolproof will be disabled (since the other necessary files will not be in FoolProof's directory). Now move the FoolProof files back to their original directory, and run Unfool.exe (which is usually located in the Windows directory).
  6. The standard version of FoolProof does not block network file access. So if you have a network (as most schools do) then depending on the configuration of your account and the network itself, there are ways around certain aspects of FoolProof. For example, if you are using NetWare (4.11 is what this has been tested on) and NAL to manage access to network applications, there is a convenient way to browse drives that may be blocked, and to get to the explorer options menu (file types, view hidden files, etc.). Open your Server Apps folder (or Applications, or whatever your version of NAL calls it; it is the folder that is created on the desktop by NAL to provide access to NAL applications). Since the Server Apps folder is actually part of NAL, and therefore considered a network entity, FoolProof won't even attempt to block it. Once it is open, you can view the explorer toolbar, or options menu and browse from there. That is assuming, of course, that they have been blocked on your system.
  7. Rename the executable you wish to run to .SCR extension. FoolProof does not block screen savers, so the executable can now be launched, masquerading as a screen saver.
  8. Run the executable from a network drive.
  9. Run Word, and open a shell session using the macro Shell Environ$("COMMAND").
  10. If the workstation is a Novell client, it's possible to hit 'F1' from the login screen, and when the help screen comes up, select the 'file' menu and then 'open'. Now you can browse the local drives, and rename FoolProof's directory.
  11. If a Virus Scanning utility is installed, right-click on a folder and select 'Scan for Viruses'. Now select the 'log' option, and change the location of the log file. Now you can browse around the local drive, again being able to rename the FoolProof folder.
  12. In any application that has a standard file choosing dialog (usually under the 'file', 'open' menu), browse to the directory containing the desired application (good examples are c:\windows\explorer.exe or c:\command.com), right click the .exe and choose "Quick View". The program's icon appears in the upper left hand corner of the window - click it and Voila! Your application is running.

FoolProof Version History

If you would like the version history on FoolProof, then go to http://www.smartstuff.com. There might be some relevant information there if you need to find out what version of Fool Proof you are running.

Make a note that you don't necessarily need to disable FoolProof in order to access a network server. Even if FoolProof is running, you can access network resources. However, FoolProof does provide a small amount of network security. The FoolProof program has the ability to prevent any user from mapping or disconnecting a network drive, however, this feature is only available in the My Computer, Network Neighborhood, and Windows Explorer windows (the map and disconnect options are under the TOOLS menu in the window). The loophole here is that if you have access to the run feature or a dos window, it is possible to run the file manager (otherwise known as C:\WINDOWS\WINFILE.EXE). You can still map and disconnect to network resources via the file manager (the map and disconnect options are under the DISK menu in the file manager window (Alt-D)). Remember that FoolProof's intended design is to only prevent idiots from doing malicious damage to the computer where FoolProof is installed. Only in special cases will you need to disable foolproof to access a certain network resource.

If you're an admin reading this, then now you know how to configure your FoolProof settings properly. There is one thing to remember about Windows 95/98. If there is one way to do it, there are at least ten more ways. Take that into consideration when you are setting up FoolProof.
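For an admin, several of the methods above leave traces in files that can be checked: a REM'd-out or deleted loader line in CONFIG.SYS or AUTOEXEC.BAT, and a program file overwritten by a redirected ECHO. The following is an added example, not part of the original page or of FoolProof; the loader patterns are assumptions built from the names quoted on this page (`device=fp`, `FPTSR.EXE`), and the sample files are constructed.

```python
import hashlib
import re

# Loader entries as named on this page; exact file names vary per install (assumption).
REQUIRED = {
    "CONFIG.SYS": ("device=fp", re.compile(r"^device(high)?\s*=\s*(\S*[\\/:])?fp", re.I)),
    "AUTOEXEC.BAT": ("FPTSR.EXE", re.compile(r"\bfptsr\.exe\b", re.I)),
}
# Prefixes that comment a line out: REM (both files), ';' (CONFIG.SYS), '::' (batch).
DISABLED = re.compile(r"^\s*(rem(\s|$)|;|::)", re.I)


def loader_state(name, text):
    """Return 'active', 'disabled' or 'missing' for the loader entry expected in `name`."""
    _, pattern = REQUIRED[name.upper()]
    state = "missing"
    for raw in text.splitlines():
        line = raw.strip()
        commented = bool(DISABLED.match(line))
        body = DISABLED.sub("", line, count=1).lstrip("@ \t")
        if pattern.search(body):
            if not commented:
                return "active"
            state = "disabled"
    return state


def looks_overwritten(data):
    """True if an .EXE lacks the 28-byte DOS 'MZ' header, as after `echo Hi > file`."""
    return len(data) < 28 or data[:2] not in (b"MZ", b"ZM")


def audit(files, baseline=None):
    """files: {name: bytes} copied from the workstation; baseline: {NAME: sha256 hex}."""
    findings = []
    for name, data in sorted(files.items()):
        key = name.upper()
        if key in REQUIRED:
            state = loader_state(key, data.decode("cp437"))
            if state != "active":
                findings.append(f"{key}: loader entry {REQUIRED[key][0]} is {state}")
        elif key.endswith(".EXE") and looks_overwritten(data):
            findings.append(f"{key}: not a DOS executable (no MZ header)")
        if baseline and baseline.get(key) != hashlib.sha256(data).hexdigest():
            findings.append(f"{key}: differs from baseline")
    return findings


# Constructed sample of a tampered workstation (not real FoolProof files).
SAMPLE = {
    "CONFIG.SYS": b"DEVICE=C:\\WINDOWS\\HIMEM.SYS\r\nrem device=fp\r\n",
    "AUTOEXEC.BAT": b"@ECHO OFF\r\nPATH C:\\WINDOWS\r\n",
    "FOOLTSR.EXE": b"Hi \r\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

This only catches changes that persist on disk; skipping a line at the step-by-step boot prompt or booting into safe mode leaves these files untouched, so the baseline comparison should run on a schedule rather than once.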

Finally, there is something to remember about the hot key feature of FoolProof. Even if there is one set, even if you successfully find out what the hot key combination is, this will only disable FoolProof for a limited amount of time. At the most, you might have around one minute to do whatever it is you need to do. After one minute or less, FoolProof kicks back in. When it kicks back in again, all you need to do is press the hot key combination again and FoolProof will be disabled for another short amount of time. If you are an intruder, I recommend mapping a network drive before FoolProof turns back on. That is all for now.

"Foolproof information for version 3.7" written by Quisit
Modified for distribution by m2mike

Written by m2mike

Michael Edwards
213 Productions
Copyright 1997-2003
Last updated 3-5-2000