Date: Thu, 5 Dec 2002 10:44:19 -0800
From: Seth Knox <seth.knox@sygate.com>
To: bugtraq@securityfocus.com
Subject: Sygate Personal Firewall can be shut down without a need to supply
If you are an Administrator of a computer, you have the absolute right to
stop any service, including the Sygate Personal Firewall Service, using the
services window or "net stop" command. This is not a vulnerability but
rather the intended implementation of the Microsoft operating system. If
the administrator of the computer wants to prevent other users from stopping
the Sygate Personal Firewall Service, they should not grant that right to
other users. As you mentioned in your email, Sygate Personal Firewall has
the option to prevent any non-administrator from exiting the firewall or
stopping the application from the task menu without a password. In
enterprise and government organizations, Sygate Secure Enterprise initiates
a challenge/response enforcement protocol that ensures that Sygate Security
Agent, as well as third-party applications, are running and up-to-date
before any system can connect to the network.

Seth Knox
Product Manager
Sygate Technologies

---------- Forwarded message ----------
Date: Wed, 4 Dec 2002 22:59:12 +0200
From: Eitan Caspi <eitancaspi@yahoo.com>
To: [email protected]
Subject: Sygate Personal Firewall can be shut down without a need to
    supply a password - although one is required

Tested and affected software:

Sygate Personal Firewall 5.0 build 1150s (The free version) installed on
Windows XP Pro with SP1


Summary:

Sygate Personal Firewall has an option to ask for a password before entering
various sections of the application or making some actions (like moving
between protection levels (block all / allow all / normal)).

It also has the option to force entering the same password for anyone
wishing to exit the Firewall.

This password is not asked for (i.e. no password prompt is shown) when any
local or remote user that has the right to stop services (e.g. a member of
the local "Administrators" and "Power Users" groups) stops the "Sygate
Personal Firewall" service on the target machine.

The service simply stops completely and silently - and thus closes the
firewall completely and leaves the machine without FW and / or IDS
protection.

It is true that highly privileged users have the ability to fully control
any machine they are privileged on - but there may be situations where a
machine will have several privileged users but only one will be assigned to
control the machine's FW (e.g. a developer and a system administrator).

Privileged users CAN START the procedure of stopping the service - BUT the
application vendor CAN (as part of the overall procedures performed when an
application is being shut down) place a code section that forces a password
prompt at the beginning of the stopping process and, if the password is
wrong, stop the stopping process.


Reproduction:

WARNING: For maximum security - disconnect from the Internet and / or any
other possibly hostile networks BEFORE performing these steps, since these
steps will cause your machine to be unprotected from any networked hostile
activity !!!


A. Preparation

1. Log on to the machine (Windows XP Pro with SP1) as a local administrator
2. Make sure you have Sygate Personal Firewall 5.0 build 1150s installed and
   running
3. Open the Sygate Personal Firewall (following: SPF) main interface
4. Choose the command "Options..." from the "Tools" menu
5. Click the "Set Password..." button in the "General" tab
6. Enter the new password as asked for. Click the "OK" button
7. Check the "Ask password while existing" check box
8. Click the "OK" button of the whole "Options" form
9. Close the SPF main interface


B. Current stoppage protection measures that are working properly:

1. If you try, as a local administrator, to kill smc.exe (SPF service
executable) from the "task manager" - it won't be killed.

If you are running XP in a "Fast User Switching" mode there may be two (or
more) instances of smc.exe: one that runs under the user name "system", which
is the one loaded by the service - this one will not be killed. The other
one will run under the user name of a logged on user and this one CAN be
killed (i.e. the task bar icon will be gone and so is the GUI application,
but the service (as noted above) will still run and protect the machine).

2. If you try, as a local administrator, to kill smc.exe from the command
line using the win2k resource kit tool "kill.exe" - it won't be killed.

When running "kill.exe" in a command prompt (cmd.exe) the command will
return a message that the process was killed, but checking the list of
processes in the processes tab of the "task manager" will show that
"smc.exe" is still running.


C. Testing the basic "Ask password while existing" feature:

1. Try to exit SPF by doing a right mouse click on the SPF icon on the task
   bar and choosing "Exit Firewall"
2. A prompt for a password appears
3. Enter the password and click "OK"
4. Click "Yes" at the warning dialog box
5. SPF will exit and its icon will be gone


D. Vulnerability Reproduction

1. Start SPF by choosing its icon from the "programs" start menu. The icon
   should re-appear on the task bar
2. Stop the "Sygate Personal Firewall" service (either by using the
   "services" interface or with a "net stop" command from a command line).
   Notice that no password prompt appears.
3. Approve that SPF has exited by:
   a. The service is not in a "started" status (its "status" field is
      empty)
   b. The icon of SPF on the task bar is missing
   c. In the list of processes at the processes tab of the "Task Manager"
      you can't find a process named "smc.exe".

(Advanced checks may include verifying that communication actions that were
forbidden when SPF was running - are currently performed without any
limitations)


Exploit Programs:

No exploit applications or scripts are required.


Workarounds:

Direct: Not any that I am aware of.

Indirect: (Good for all times...) Limit the number of privileged users to
a minimum and grant each one only the least rights he/she needs. Assigning
users to the "users" group level and below will eliminate the vulnerability
for these users.


Vendor Notification:

Sygate support policy for the free version of SPF grants only access to a
free public support forum (following a link to the support site).

A question regarding this issue was added to the site on 09-October-2002
but no one has answered it as of 04-December-2002.

Vendor Site: http://www.sygate.com/
Vendor Support: http://www.sygate.com/support/support_switch.htm


Credit:
Eitan Caspi
Israel
Email: [email protected]
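Both messages turn on the same question: which principals actually hold the right to stop the firewall's service. As an added example that is part of neither message, the Python below parses the SDDL security descriptor that `sc sdshow <ServiceName>` prints for a Windows service and lists every trustee an allow ACE grants SERVICE_STOP (SDDL code WP), which is the audit the "limit privileged users" workaround calls for. The sample descriptor is constructed in the shape of a default XP-era service DACL; it is an assumption, not the real Sygate service's descriptor, and the service's short name is not given in the thread.

```python
import re

# Service access rights: SDDL two-letter code -> (access-mask bit, name).
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"), "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"), "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"), "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"), "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"), "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
# Well-known SDDL trustee abbreviations that appear in service DACLs.
SID_NAMES = {"SY": "LocalSystem", "BA": "Administrators", "PU": "Power Users",
             "BU": "Users", "IU": "Interactive", "SU": "Service", "WD": "Everyone"}

def rights_names(rights: str) -> list:
    """Decode an ACE rights field given as two-letter codes or as a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in SERVICE_RIGHTS.values() if mask & bit]
    codes = re.findall(r"[A-Z]{2}", rights)
    return [SERVICE_RIGHTS[c][1] if c in SERVICE_RIGHTS else c for c in codes]

def parse_dacl(sddl: str) -> list:
    """One dict per DACL ACE: type ('A' allow / 'D' deny), rights, trustee."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop any SACL part
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
        aces.append({"type": ace_type, "rights": rights_names(rights),
                     "trustee": SID_NAMES.get(trustee, trustee)})
    return aces

def who_can_stop(sddl: str) -> list:
    """Trustees granted SERVICE_STOP by an allow ACE (deny ACEs are not subtracted)."""
    return [a["trustee"] for a in parse_dacl(sddl)
            if a["type"] == "A" and "SERVICE_STOP" in a["rights"]]

# Constructed sample in the shape of a default XP-era service DACL (an assumption,
# not the real Sygate descriptor). The real string comes from: sc sdshow <ServiceName>
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

if __name__ == "__main__":
    print("Can stop the service:", ", ".join(who_can_stop(SAMPLE_SDDL)))
```

On the constructed descriptor the output names LocalSystem, Administrators and Power Users, which matches the groups the advisory says can stop the service; a descriptor that only lists Users with query rights would report nobody beyond the system accounts.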