Sygate Personal Firewall can be shut down without a need to supply a password - although one is required

From: Seth Knox (seth.knoxat_private)
Date: Thu Dec 05 2002 - 10:44:19 PST


    If you are an Administrator of a computer, you have the absolute right to
    stop any service, including the Sygate Personal Firewall Service, using the
    services window or "net stop" command.  This is not a vulnerability but
    rather the intended implementation of the Microsoft operating system.  If
    the administrator of the computer wants to prevent other users from stopping
    the Sygate Personal Firewall Service, they should not grant that right to
    other users. As you mentioned in your email, Sygate Personal Firewall has
    the option to prevent any non-administrator from exiting the firewall or
    stopping the application from the task menu without a password.  In
    enterprise and government organizations, Sygate Secure Enterprise initiates
    a challenge/response enforcement protocol that ensures that Sygate Security
    Agent, as well as third-party applications, are running and up-to-date
    before any system can connect to the network.
     
    Seth Knox
    Product Manager
    Sygate Technologies
     
    ---------- Forwarded message ----------
    Date: Wed, 4 Dec 2002 22:59:12 +0200
    From: Eitan Caspi <eitancaspiat_private>
    To: bugtraqat_private
    Subject: Sygate Personal Firewall can be shut down without a need to supply
        a password - although one is required
     
    Tested and affected software:
     
    Sygate Personal Firewall 5.0 build 1150s (The free version) installed on
    Windows XP Pro with SP1
     
     
    Summary:
     
    Sygate personal firewall has an option to ask for a password before entering
    various sections of the application or making some actions (like moving
    between protection levels (block all / allow all  / normal)).
     
    It also has the option to force entering the same password for anyone
    wishing to exit the Firewall.
     
    This password is not asked for (i.e. no password prompt is shown) when any
    local or remote user that has the right to stop services (e.g. a member of
    the local "Administrators" or "Power Users" groups) stops the "Sygate
    Personal Firewall" service on the target machine.
     
    The service simply stops completely and silently - and thus closes the
    firewall completely and leaves the machine without FW and / or IDS
    protection.
     
    It is true that highly privileged users have the ability to fully control
    any machine they are privileged on - but there may be situations where a
    machine will have several privileged users but only one will be assigned to
    control the machine's FW (e.g. a developer and a system administrator).
     
    Privileged users CAN START the procedure of stopping the service - BUT, the
    application vendor CAN (as part of the overall procedures performed when an
    application is being shut down) place a code section that forces a password
    prompt at the beginning of the stopping process and if the password is wrong
    - to stop the stopping process.
     
     
    Reproduction:
     
    WARNING: For maximum security - disconnect from the Internet and / or any
    other possibly hostile networks BEFORE performing these steps, since these
    steps will cause your machine to be unprotected from any networked hostile
    activity !!!
     
     
    A. Preparation
     
    1. Log on to the machine (Windows XP Pro with SP1) as a local administrator
    2. Make sure you have Sygate Personal Firewall 5.0 build 1150s installed and
    running
    3. Open the Sygate Personal Firewall (hereafter SPF) main interface
    4. Choose the command "Options..." from the "Tools" menu
    5. Click the "Set Password..." button in the "General" tab
    6. Enter the new password as asked for. Click the "OK" button
    7. Check the "Ask password while exiting" check box
    8. Click the "OK" button of the whole "Options" form
    9. Close the SPF main interface
     
     
    B. Current stoppage protection measures that are working properly:
     
    1. If you try, as a local administrator, to kill smc.exe (SPF service
    executable) from the "task manager" - it won't be killed.
     
    If you are running XP in a "Fast User Switching" mode there may be two (or
    more) instances of smc.exe: one that runs under user name of "system" which
    is the one loaded by the service - this one will not be killed. The other
    one will run under the user name of a logged on user and this one CAN be
    killed (i.e. the task bar icon will be gone and so is the GUI application,
    but the service (as noted above) will still run and protect the machine).
     
    2. If you try, as a local administrator to kill smc.exe from the command
    line using the win2k resource kit tool "kill.exe" - it won't be killed.
     
    When running "kill.exe" in a command prompt (cmd.exe) the command will
    return a message that the process was killed, but checking the list of
    processes in the processes tab at the "task manager" will show that
    "smc.exe" is still running.
     
     
    C. Testing the basic "Ask password while exiting" feature:
     
    1. Try to exit SPF by doing a right mouse click on the SPF icon on the task
    bar and choosing "Exit Firewall"
    2. A prompt for a password appears
    3. Enter the password and click "OK"
    4. Click "Yes" at the warning dialog box
    5. SPF will exit and its icon will be gone
     
     
    D. Vulnerability Reproduction
     
    1. Start SPF by choosing its icon from the "programs" start menu. The icon
    should re-appear on the task bar
    2. Stop the "Sygate Personal Firewall" service (either by using the
    "services" interface or with a "net stop" command from a command line).
    Notice that no password prompt appears.
    3. Confirm that SPF has exited by checking that:
        a. The service is not in a "started" status (its "status" field is
        empty)
        b. The icon of SPF on the task bar is missing
        c. In the list of processes at the processes tab of the "Task Manager"
        you can't find a process named "smc.exe".
     
    (Advanced checks may include verifying that communication actions that were
    forbidden when SPF was running - are currently performed without any
    limitations)
     
     
     
    Exploit Programs:
     
    No exploit applications or scripts are required.
     
     
     
    Workarounds:
     
    Direct: Not any that I am aware of.
     
    Indirect: (Good for all times...) Limit the number of privileged users to
    a minimum and grant each one only the least rights he/she needs. Assigning
    users to the "Users" group level and below will eliminate the vulnerability
    for these users.
     
     
     
    Vendor Notification:
     
    Sygate support policy for the free version of SPF grants only access to a 
    free public support forum (following a link to the support site).
     
    A question regarding this issue was added to the site on 09-October-2002
    but no one has answered it as of 04-December-2002.
     
    Vendor Site: http://www.sygate.com/
    Vendor Support: http://www.sygate.com/support/support_switch.htm
     
     
     
    Credit:
    Eitan Caspi
    Israel
    Email: eitancaspiat_private
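The advisory's "indirect" workaround and the vendor's reply both come down to the same control: the right to stop a service is a bit (SERVICE_STOP, "WP" in SDDL) in the service's own DACL, not a property of the application. The script below is an added example, not code from the advisory, from Eitan Caspi or from Sygate. It lists which principals hold SERVICE_STOP on a service and rebuilds the DACL so that only named SIDs keep it, which is how the advisory's "several privileged users but only one controls the FW" scenario can be expressed to the Service Control Manager. Assumptions not taken from the page: Windows PowerShell 5.1 or later and an elevated prompt for the live part; the service is looked up by the display name "Sygate Personal Firewall" (its internal service name is not given on the page); `$SampleSddl` is a constructed string modelled on the Windows XP default service DACL, in which Power Users (PU) hold WP, which is what lets the "Power Users" group in the advisory stop the service; and the local account SID used as the one permitted administrator is made up.

```powershell
# Added example (not from the advisory, from Eitan Caspi or from Sygate).
# Audits which principals hold SERVICE_STOP on a service and rebuilds the
# DACL so that only chosen SIDs keep it. Windows PowerShell 5.1+; the live
# part needs an elevated prompt. Assumptions: the service is found by display
# name, $SampleSddl is constructed after the XP default service DACL, and
# $OneAdminSid is a made-up local account SID.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SERVICE_STOP       = 0x0020      # 'WP' in service SDDL
$SERVICE_CONTROL_RW = 0x000201FD  # CC LC SW RP WP DT LO CR RC: query, start, stop, interrogate

# Constructed sample DACL: SYSTEM, Administrators, Authenticated Users, Power Users.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
$OneAdminSid = 'S-1-5-21-1000-2000-3000-1001'   # constructed: the one admin who owns the firewall

function Get-AllowAces([string]$Sddl) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $ace }
    }
}

# Who may stop the service: one object per allow ACE that carries SERVICE_STOP.
function Get-ServiceStopHolders([string]$Sddl) {
    foreach ($ace in Get-AllowAces $Sddl) {
        if (($ace.AccessMask -band $SERVICE_STOP) -eq 0) { continue }
        $name = $ace.SecurityIdentifier.Value
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Principal = $name; Sid = $ace.SecurityIdentifier.Value
                           Mask = ('0x{0:X}' -f $ace.AccessMask) }
    }
}

# Rebuild the DACL so that only $AllowedSids hold SERVICE_STOP: every other
# allow ACE loses the WP bit; an allowed SID without an ACE gets a control ACE.
function Set-ServiceStopPrincipals([string]$Sddl, [string[]]$AllowedSids) {
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $acl  = $sd.DiscretionaryAcl
    $seen = @{}
    for ($i = 0; $i -lt $acl.Count; $i++) {
        $ace = $acl[$i]
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($AllowedSids -contains $sid) {
            $seen[$sid] = $true
            $mask = $ace.AccessMask -bor $SERVICE_STOP
        } else {
            $mask = $ace.AccessMask -band (-bnot $SERVICE_STOP)
        }
        if ($mask -eq $ace.AccessMask) { continue }
        $acl[$i] = [System.Security.AccessControl.CommonAce]::new(
            $ace.AceFlags, $ace.AceQualifier, $mask, $ace.SecurityIdentifier,
            $ace.IsCallback, $ace.GetOpaque())
    }
    foreach ($sid in $AllowedSids) {
        if ($seen.ContainsKey($sid)) { continue }
        $acl.InsertAce(0, [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $SERVICE_CONTROL_RW,
            [System.Security.Principal.SecurityIdentifier]::new($sid),
            $false, $null))
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Offline walk-through on the constructed sample: holders before and after.
Get-ServiceStopHolders $SampleSddl | Format-Table -AutoSize
$hardened = Set-ServiceStopPrincipals -Sddl $SampleSddl -AllowedSids @('S-1-5-18', $OneAdminSid)
Get-ServiceStopHolders $hardened | Format-Table -AutoSize

# Live use on the real service (Windows, elevated). The display name is an assumption.
# $svc = Get-Service -DisplayName 'Sygate Personal Firewall'
# $cur = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }).Trim()
# $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
# sc.exe sdset $svc.Name (Set-ServiceStopPrincipals -Sddl $cur -AllowedSids @('S-1-5-18', $me))
```

On the sample, the first listing shows SYSTEM, Administrators and Power Users holding SERVICE_STOP; after the rebuild only SYSTEM and the one named account do, so a plain `net stop` from any other administrator or Power User is refused by the SCM with an access-denied error. The caveat is the vendor's point restated: the Administrators ACE still carries WRITE_DAC (WD), so any administrator can `sc sdset` the bit back. The change turns a silent stop into a deliberate, auditable two-step for co-administrators; it is not a boundary against someone you do not trust with administrator rights.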
     
     
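Because the stop in section D of the advisory is "silent" from the firewall's side, the remaining control is to notice it. The Service Control Manager logs event 7036 in the System log, "The <display name> service entered the <state> state.", with the display name as the first event property and the state as the second. The script below is an added example, not code from the advisory, from Eitan Caspi or from Sygate: it turns a stream of such records into outage intervals for one service and flags an interval that is still open. The display name is an assumption, and the sample records are constructed to mirror the shape of `Get-WinEvent` output so the logic runs offline.

```powershell
# Added example (not from the advisory, from Eitan Caspi or from Sygate).
# Finds the "silent" stop from the System event log: Service Control Manager
# event 7036 carries the service display name in Properties[0] and the new
# state in Properties[1]. The display name is an assumption and the sample
# records are constructed to mirror the shape of Get-WinEvent output.

Set-StrictMode -Version Latest

$SCM_STATE_CHANGE = 7036   # "The <display name> service entered the <state> state."

function New-ScmRecord([datetime]$When, [string]$Service, [string]$State) {
    [pscustomobject]@{
        Id           = $SCM_STATE_CHANGE
        TimeCreated  = $When
        ProviderName = 'Service Control Manager'
        Properties   = @([pscustomobject]@{ Value = $Service }, [pscustomobject]@{ Value = $State })
    }
}

# Constructed sample: the firewall goes down at +12 min and is not back until +40.
$t0 = Get-Date '2002-12-04T22:00:00'
$SampleEvents = @(
    (New-ScmRecord ($t0.AddMinutes(1))  'Sygate Personal Firewall' 'running'),
    (New-ScmRecord ($t0.AddMinutes(5))  'Print Spooler'            'stopped'),
    (New-ScmRecord ($t0.AddMinutes(12)) 'Sygate Personal Firewall' 'stopped'),
    (New-ScmRecord ($t0.AddMinutes(40)) 'Sygate Personal Firewall' 'running')
)

# Intervals during which the named service was not running; an open interval
# (Restarted = $null) means the latest record left it stopped.
function Get-ServiceOutages([string]$DisplayName, [object[]]$Events) {
    $outages = @()
    $down = $null
    $ordered = $Events | Where-Object { $_.Id -eq $SCM_STATE_CHANGE } | Sort-Object TimeCreated
    foreach ($e in $ordered) {
        if ($e.Properties[0].Value -ne $DisplayName) { continue }
        switch ($e.Properties[1].Value) {
            'stopped' { if ($null -eq $down) { $down = $e.TimeCreated } }
            'running' {
                if ($null -ne $down) {
                    $outages += [pscustomobject]@{ Stopped = $down; Restarted = $e.TimeCreated }
                    $down = $null
                }
            }
        }
    }
    if ($null -ne $down) { $outages += [pscustomobject]@{ Stopped = $down; Restarted = $null } }
    return ,$outages
}

# Offline walk-through: one closed outage for the firewall, the spooler is ignored.
Get-ServiceOutages 'Sygate Personal Firewall' $SampleEvents | Format-Table -AutoSize

# Live (Windows): last 24 h of SCM state changes, then restart the service if it is still down.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
#                                         Id = 7036; StartTime = (Get-Date).AddDays(-1) }
# Get-ServiceOutages 'Sygate Personal Firewall' $live
# Get-Service -DisplayName 'Sygate Personal Firewall' | Where-Object Status -ne 'Running' | Start-Service
```

Run from a scheduled task or a log-forwarding agent, an open interval is the alert condition. Event 7036 records that the service changed state, not which account issued the control, so it is a detection rather than an attribution; it also lives in a log the same administrator can clear, which is one more reason to forward it off the host rather than read it locally.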
    



    This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 16:05:21 PST