Meltdown: Deep Freeze Password Recovery

Introduction

This tool exploits several design flaws in Faronics DeepFreeze products and allows a user to gain access to the DeepFreeze configuration interface on a client machine. Full source code for v1.0 is provided; feel free to use it and abuse it in any way you like.

What is DeepFreeze

Faronics Deep Freeze helps eliminate workstation damage and downtime by making computer configurations indestructible. Once Faronics Deep Freeze is installed on a workstation, any changes made to the computer - regardless of whether they are accidental or malicious - are never permanent.

Using Meltdown

Just run it! It's that simple. Meltdown will automatically detect whether DeepFreeze is installed, which version it is, and whether it is the Standard or Enterprise edition.

Standard Edition

When Meltdown detects DeepFreeze Standard Edition, it will automatically determine and show the DeepFreeze password.

Recovering passwords for Deep Freeze Standard 8.x is not supported.
The security issue Meltdown was using has been fixed by Faronics.

Enterprise Edition

When Meltdown detects a recent DeepFreeze Enterprise Edition, it will try to automatically generate the correct password for you. As simple as that.

If you are running an old version of DeepFreeze Enterprise (older than 7.20), the process isn't fully automatic. First, Meltdown will try to locate dfc.exe, which is installed in the SYSTEM32 folder. Then it will extract the "Customization Code Hash", a 32-bit integer that uniquely identifies the Deep Freeze deployment.

The Customization Code is a unique identifier that encrypts the Configuration Administrator, the Enterprise Console, the computer installation files, the One Time Password Generation System, and Deep Freeze Command Line Control.
Once the Customization Code Hash is recovered, Meltdown will be able to generate One Time Passwords. To do that:
  1. Open the DeepFreeze Client:
    If the Deep Freeze icon is shown in the System Tray, hold down the SHIFT key and double-click the Deep Freeze icon. If Deep Freeze is running in Stealth Mode and the Deep Freeze icon is not displayed, the keyboard shortcut CTRL+ALT+SHIFT+F6 must be used to access the logon dialog.
  2. Write down the OTP Token.
  3. Enter the OTP Token in Meltdown and press Generate. Meltdown will generate the password for you.

System Requirements

I tried to make it as compatible as possible with different systems and keep it user-friendly at the same time. Unfortunately, compatibility requires some sacrifices.

Recovering passwords for Deep Freeze Standard 8.x is not supported. The security issue Meltdown was using has been fixed by Faronics.
Recovering permanent passwords for the Enterprise edition is not supported (as it would require recovering the Customization Code Hash anyway). Use the provided One Time Password generator instead.
Some older versions of DeepFreeze (7.00..7.20) check the process name. The Meltdown executable must be named MeltdownDFC.exe to work properly on those systems.

What's New?

v1.7 - Fix confusing error message for DeepFreeze Standard 8.x. Automatic password generation for DeepFreeze Enterprise 7.20+
v1.6 - Support for Deep Freeze Enterprise 8.31
v1.5 - Support for Deep Freeze Enterprise 8.11-8.22
v1.3 - Fixed issues with 64-bit OS
v1.2 - Fixed bug when Windows is not installed on drive C:\
v1.1 - Added support for DF Enterprise v5.x. Fixed Standard/Enterprise version detection for v6.x
v1.0 - Initial version.

Credits

I would like to thank previous researchers who published their findings: And a big «Thank you!» to people who sent me bug reports. Without you, bugs would never get fixed!