The Many Vulnerabilities of Verity Parental Control

by Tyler Behling

Verity Parental Control is a software package designed to track and monitor the activity of users on a Windows 7, Windows XP, Windows Vista, or Windows 8 workstation.  It's designed for use in a home setting for a parent to monitor and track what a child is using the computer for.  Verity will show what websites were accessed, what programs were used, and also will provide screen shots at a predetermined interval.  Verity also allows the ability to block websites, programs, and set daily time limits on computer, application, or website usage per Windows user login.  Verity Parental Control can also count the number of keystrokes and mouse clicks by application.  Usage reports can be viewed by the parent through a password protected web interface or automated emails.

Upon first glance, it appears that Verity Parental Control would be a great tool for a parent to ensure their child is staying safe on the Internet, and not viewing inappropriate content or accessing programs on the workstation that they shouldn't be.  But I found many areas in this software that need improvement and methods that will allow complete access to previously restricted activities and content.

Verity Parental Control Bootable CD Exploit

With a downloaded copy of almost any version of Linux, you can create an operating system that will run off of a CD/DVD disc.  You simply need to download the operating system online and burn the ISO file to a disk using a program like DeepBurner CD software.  After the disk is created, you can simply power on the workstation with the CD/DVD in the drive and you will be running your new operating system from the disc.  Since Verity is installed on the operating system on the hard drive, in this case Windows 7, none of the configured features of Verity will be enforced.

Verity Parental Control Physical Key Logger By Sound

"Researchers at U.C. Berkeley have now proved that, using a device as simple as a $10 microphone, software can learn to recognize the sound of keystrokes as they're typed, and reveal the characters with 96 percent accuracy."  Over time, this would allow a user to eventually obtain the password for the web interface, thus having full control over Verity Parental Control and its settings.

Verity Parental Control Virtual Machine Exploit

A user can install VMware Workstation 9.0 via a free 30 day trial download from the VMware website.  Once VMware is installed, a user can download an ISO file for any operating system they choose.  I chose Windows XP for this test.  I then followed the very simple process for installing a virtual Windows XP workstation in VMware.  Once installed, I was able to use the Windows XP operating system within VMware without any interference from Verity Parental Control.  None of the configured features of Verity Parental Control were enforced on this virtual Windows XP workstation.

Verity Parental Control Portable Browser Exploit

A user can download and install an Internet browser that will run off an USB drive.  For this test, I downloaded Opera, Portable Edition.  After installing it on the USB drive, I was able to use the portable browser to bypass any Internet security settings enforced by Verity Parental Control.  Blocked websites were no longer blocked when using this portable application.

Verity Parental Control Proxy Site Exploit

A very simple way to bypass Internet security settings is with the use of a proxy site.

For this test, I used www.prontoproxy.com:

"ProntoProxy.com is a proxy site for schools that runs on a high performance dedicate5d server to allow for the fastest, most responsive, and secure browsing experience available.  View sites like Facebook, YouTube, and Twitter without being inconvenienced by school filtering, this is the best proxy site for schools."

Once you navigate to this website, you simply have to input the URL of the site you wish to visit.  Even if the site is explicitly blocked by Verity Parental Control, you are still able to navigate to it with the use of this proxy site.

Verity Parental Control IP Address/IP Decimal Value Exploit

Verity Parental Control can be set to restrict access to specified URLs.

If www.google.com is a blocked website, a user can alternatively browse to 74.125.26.147, which is the IP equivalent.  They now have full functionality of the site.  This exploit works because Verity Parental Control only blocks the URL address and not the actual IP address of the site.  Alternatively, a user can browse to http://1249712787, which is the decimal value of 74.125.26.147.

Verity Parental Control Registry Exploits

Verity Parental Control's settings can be accessed directly through REGEDIT in Windows 7.

By Navigating to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NCH Software\Verity a normal user without administrator privileges can access settings such as ProhibitedURLs which is a list of URL addresses explicitly blocked by Verity Parental Control.

The user can simply delete the data from the registry entry and sites that were previously blocked are no longer blocked.  A similar registry entry called ProhibitedPrograms contains the list of applications explicitly restricted by Verity Parental Control.  To gain access to a blocked application, a user can simply delete the application name from the data value.  You can also disable chat monitoring, change screen shot interval timing, change time limits, or disable logging in the same fashion.  By performing these registry changes, you essentially have full control over the software's restriction and logging functions.

Verity Parental Control Password Recovery

When you first install Verity Parental Control, you are asked to designate an email address to use for accessing the web interface as well as receiving emailed logs.

Verity stores this email address in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NCH Software\Verity\Settings.  A normal user without administrator privileges can access the registry entry Email via REGEDIT.

A user can change this registry entry to a different email address of their choosing.  Once the email address has been changed, you can open Verity Parental Control's web interface and click on "Forgot your password?" link and input the email address that they previously entered in the registry.  Verity will then reset the password and send you an automated email containing the new password to the email that you specified.  You now have access to the web interface and full control of Verity Parental Control.

Verity Parental Control Password Registry Entry

Verity Parental Control stores the login and password information in the registry.

The login name is listed in a registry entry named Email while the password is listed as a registry value in an entry called _AdminPassword.  The password is not displayed in clear text.  Upon changing the password several times, which could be done using the password recovery method explained above, I was able to determine the value for a lower-case alphabetic character based on position in the password.

I created a table based on lowercase alphabetic characters for passwords up to 12-digits in length.  The same could be done for uppercase alphabetic characters, numerical characters, as well as special characters.  This could take a considerable amount of time to go through, change the password through the "Forgot your password?" link on the web interface, and compare the password in the automated email and the registry entry, but it is doable.  Once enough values are determined, one might also be able to crack the algorithm they are using to assign a value to a character.

Verity Parental Control Registry Password Exploit

Verity Parental Control stores the password for the web interface in the registry value for the entry called _AdminPassword.  A normal user without administrator privileges has the ability to open REGEDIT and navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NCH Software\Verity\Settings and delete the data for the registry entry.  This will then blank out the password for the web interface and a user can log in using the email address that is also listed in the registry, leaving the password field blank.  This will allow a user full access to the web interface and all of the settings of Verity Parental Control.

Verity Parental Control Logging

Verity Parental Control stores the log files and screen shots for any user in the directory C:\programdata\NCH Software\Verity\Archive\user.

In this directory, you will find the following folders: ProgramActivity, Screenshots, SecurityEvents, and WebActivity which contain all of the logged information regarding activity for a user on the workstation.  The information is stored as either a text file, Excel spreadsheet, or JPEG image.  A normal user without administrative privileges can go into these folders and remove entries from logs and delete screen shots.

Verity Parental Control Shut Down

Verity Parental Control has TASKMGR.EXE on the list of prohibited programs by default for users.

This prevents a user from shutting down Verity from within Task Manager by performing Ctrl+Alt+Del.  There are two ways a user can completely disable Verity and all of its restrictions.  From what was discussed concerning going into the registry using REGEDIT, you can change the closeprohibited value from 1 to 0 which will then allow you to have access to Task Manager and the ability to shut down Verity Parental Control entirely.  The second way is to remove TASKMGR.EXE from the list of prohibitedprograms in the registry.  You can then perform a Ctrl+Alt+Del and access Task Manager and shut down Verity completely.

Your workstation would then not be affected by any of the restrictions previously configured and no logging will take place.

Works Cited
Return to $2600 Index