RE: Sygate Personal Firewall can be shut down without a need to supply a password - although one is required

From: Russ (Russ.Cooperat_private)
Date: Thu Dec 05 2002 - 16:23:40 PST


    Eitan said:
    "Privileged users CAN START the procedure of stopping the service - BUT, the application vendor CAN (as part of the overall procedures performed when an application is being shut down) place a code section that forces a password prompt at the beginning of the stopping process and if the password is wrong - to stop the stopping process."
    
    This is a description of a GUI interface, and not the underlying actions/permissions/rights. IOWs, it is possible for a developer to code something into their service which, when the service detects a shutdown request, causes that service to execute some action (such as prompting for a password).
    
    This does not mean that the service could not be "stopped". If a user has the right to stop a service, they also have the right to modify its startup behavior, including setting it to disabled or manual. Since that action has nothing to do with the running service, the service could be "stopped" by simply changing the setting and restarting the machine...at which time the service would not start.
    
    While I think it's great that people like Eitan are entering into the security realm, I think properly stating the severity of issues is as important. When the discoverer puts such comments into their advisories, it should be vetted (pre or post publication). I do this with every post to NTBugtraq, which is why the volume is so low there.
    
    In this case, Eitan has overstated the severity of the issue, IMNSHO. Members of the Administrators and Power Users group have many ways they can manipulate the operation of a Windows environment (any version). They are "privileged users", and as such, must be endorsed to be trustworthy. If you cannot trust individuals using those accounts, then custom privileges should be assigned (leaving them out of pre-defined groups). You can stop them from shooting themselves in the foot, but you cannot stop them from intentionally modifying the operation of the system.
    
    Any expectation that you can is the real "false sense of security".
    
    Sygate have silently acknowledged this by not bothering to prompt for the password. This should be clearly documented, and if it's not, that then is their mistake.
    
    Cheers,
    Russ - NTBugtraq Editor
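
Added example, not part of the original message: the stop and reconfigure rights discussed above are recorded per service in its security descriptor, so an administrator can check which accounts hold each one. The sketch below audits the SDDL string that `sc sdshow <service>` prints; the sample descriptor and the account SID are constructed, and `audit` and `split_rights` are names chosen here.

```python
import re

STOP = "WP"  # SERVICE_STOP in SDDL as used for service objects
# Rights that allow changing the service itself rather than just stopping it.
TAMPER = {"DC",  # SERVICE_CHANGE_CONFIG (start type, binary path)
          "WD",  # WRITE_DAC
          "WO",  # WRITE_OWNER
          "SD"}  # DELETE
UNEXPANDED = {"GA", "GW", "GX"}  # generic rights: flagged, not expanded here

def split_rights(rights):
    """'CCDCLC' -> {'CC','DC','LC'}; None for a hex mask such as 0x20."""
    if not re.fullmatch(r"(?:[A-Z]{2})*", rights):
        return None
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def audit(sddl):
    """Map trustee -> what its allow ACEs in the DACL grant."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    report = {}
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] != "A":
            continue  # deny and malformed ACEs are left for manual review
        rights = split_rights(fields[2])
        entry = report.setdefault(
            fields[5], {"stop": False, "tamper": set(), "review": False})
        if rights is None or rights & UNEXPANDED:
            entry["review"] = True
            rights = rights or set()
        entry["stop"] |= STOP in rights
        entry["tamper"] |= rights & TAMPER
    return report

# Constructed sample in the format printed by `sc sdshow <service>`.
# The SID is a made-up account that was given start/stop only.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)"
          "(A;;RPWP;;;" + HELPDESK + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for trustee, e in audit(SAMPLE).items():
        print(trustee, "stop" if e["stop"] else "-",
              ",".join(sorted(e["tamper"])) or "-",
              "REVIEW" if e["review"] else "")
```

Trustees with an empty tamper set can stop the running service but cannot change its start type through the service control manager; entries marked REVIEW carry generic or hex rights that this sketch does not expand.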
    


