Bugtraq mailing list archives

Sygate Personal Firewall can be shut down without a need to supply


From: Seth Knox <seth.knox () sygate com>
Date: Thu, 5 Dec 2002 10:44:19 -0800

If you are an Administrator of a computer, you have the absolute right to
stop any service, including the Sygate Personal Firewall Service, using the
services window or "net stop" command.  This is not a vulnerability but
rather the intended implementation of the Microsoft operating system.  If
the administrator of the computer wants to prevent other users from stopping
the Sygate Personal Firewall Service, they should not grant that right to
other users. As you mentioned in your email, Sygate Personal Firewall has
the option to prevent any non-administrator from exiting the firewall or
stopping the application from the task menu without a password.  In
enterprise and government organizations, Sygate Secure Enterprise initiates
a challenge/response enforcement protocol that ensures that Sygate Security
Agent, as well as third-party applications, are running and up-to-date
before any system can connect to the network.
 
Seth Knox
Product Manager
Sygate Technologies
 
---------- Forwarded message ----------
Date: Wed, 4 Dec 2002 22:59:12 +0200
From: Eitan Caspi <eitancaspi () yahoo com>
To: bugtraq () securityfocus com
Subject: Sygate Personal Firewall can be shut down without a need to supply
    a password - although one is required
 
Tested and affected software:
 
Sygate Personal Firewall 5.0 build 1150s (The free version) installed on
Windows XP Pro with SP1
 
 
Summary:
 
Sygate personal firewall has an option to ask for a password before entering
various sections of the application or making some actions (like moving
between protection levels (block all / allow all  / normal)).
 
It also has the option to force entering the same password for anyone
wishing to exit the Firewall.
 
This password is not asked for (i.e. no password prompt is showing) when any
local or remote user that has the right to stop services (e.g. a member of
the local "Administrators" and "Power Users" groups) is stopping the "Sygate
Personal Firewall" service on the target machine.
 
The service simply stops completely and silently - and thus closes the
firewall completely and leaves the machine without FW and / or IDS
protection.
 
It is true that highly privileged users have the ability to fully control
any machine they are privileged on - but there may be situations where a
machine will have several privileged users but only one will be assigned to
control the machine's FW (e.g. a developer and a system administrator).
 
Privileged users CAN START the procedure of stopping the service - BUT, the
application vendor CAN (as part of the overall procedures performed when an
application is being shut down) place a code section that forces a password
prompt at the beginning of the stopping process and if the password is wrong
- to stop the stopping process.
 
 
Reproduction:
 
WARNING: For maximum security - disconnect from the Internet and / or any
other possibly hostile networks BEFORE performing these steps, since these
steps will cause your machine to be unprotected from any networked hostile
activity !!!
 
 
A. Preparation
 
1. Log on to the machine (Windows XP Pro with SP1) as a local administrator
2. Make sure you have Sygate Personal Firewall 5.0 build 1150s installed and
running
3. Open Sygate Personal Firewall (Following SPF) main interface
4. Choose the command "Options..." from the "Tools" menu
5. Click the "Set Password..." button in the "General" tab
6. Enter the new password as asked for. Click the "OK" button
7. Check the "Ask password while existing" check box
8. Click the "OK" button of the whole "Options" form
9. Close SPF main interface
 
 
B. Current stoppage protection measures that are working properly:
 
1. If you try, as a local administrator, to kill smc.exe (SPF service
executable) from the "task manager" - it won't be killed.
 
If you are running XP in a "Fast User Switching" mode there may be two (or
more) instances of smc.exe: one that runs under user name of "system" which
is the one loaded by the service - this one will not be killed. The other
one will run under the user name of a logged on user and this one CAN be
killed (i.e. the task bar icon will be gone and so is the GUI application,
but the service (as noted above) will still run and protect the machine).
 
2. If you try, as a local administrator, to kill smc.exe from the command
line using the Win2k resource kit tool "kill.exe" - it won't be killed.
 
When running "kill.exe" in a command prompt (cmd.exe) the command will
return a message that the process was killed, but checking the list of
processes in the processes tab at the "task manager" will show that
"smc.exe" is still running.
 
 
C. Testing the basic "Ask password while existing" feature:
 
1. Try to exit SPF by doing a right mouse click on the SPF icon on the task
bar and choosing "Exit Firewall"
2. A prompt for a password appears
3. Enter the password and click "OK"
4. Click "Yes" at the warning dialog box
5. SPF will exit and its icon will be gone
 
 
D. Vulnerability Reproduction
 
1. Start SPF by choosing its icon from the "programs" start menu. The icon
should re-appear on the task bar
2. Stop the "Sygate Personal Firewall" service (either by using the
"services" interface or with a "net stop" command from a command line).
Notice that no password prompt appears.
3. Approve that SPF has exited by:
   a. The service is not in a "started" status (its "status" field is empty)
   b. The icon of SPF on the task bar is missing
   c. In the list of processes at the processes tab of the "Task Manager"
   you can't find a process named "smc.exe".
 
(Advanced checks may include verifying that communication actions that were
forbidden when SPF was running - are currently performed without any
limitations)
 
 
 
Exploit Programs:
No exploit applications or scripts are required.
 
 
Workarounds:
 
Direct: Not any that I am aware of.
 
Indirect: (Good for all times...) Limit the number of privileged users to
a minimum and grant each one only the least rights he/she needs. Assigning
users to the "users" group level and below will eliminate the vulnerability
for these users.
 
 
 
Vendor Notification:
 
Sygate support policy for the free version of SPF grants only access to a
free public support forum (following a link to the support site).

A question regarding this issue was added to the site on 09-October-2002
but no one has answered it until 04-December-2002.
 
Vendor Site: http://www.sygate.com/
Vendor Support: http://www.sygate.com/support/support_switch.htm
 
 
 
Credit:
Eitan Caspi
Israel
Email: eitancaspi () yahoo com
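The vendor's reply and the "Workarounds" section of the report both come down to the same control: the firewall service stays up only as long as the SERVICE_STOP right is held by nobody who should not have it. The script below is an added example, not code from Eitan Caspi's post or from Sygate. It audits that control from the defender's side: it resolves the service by the display name given in the report (the short service name is not stated there, so it is looked up with Get-Service), reports whether the service is running, and lists the principals whose Allow ACE grants SERVICE_STOP or a generic right that includes it. It assumes a modern Windows PowerShell with sc.exe on the path; the original test was done on Windows XP with cmd.exe and "net stop".

```powershell
# Added example (not from the original post or from Sygate): audit who may stop a
# service, and whether it is currently running. SDDL rights tokens for service
# objects: 'WP' corresponds to SERVICE_STOP, the right exercised by "net stop"
# and the Services console; 'GA'/'GW' (generic all/write) include it.
$ServiceRights = @{
    'CC' = 'SERVICE_QUERY_CONFIG';   'DC' = 'SERVICE_CHANGE_CONFIG'
    'LC' = 'SERVICE_QUERY_STATUS';   'SW' = 'SERVICE_ENUMERATE_DEPENDENTS'
    'RP' = 'SERVICE_START';          'WP' = 'SERVICE_STOP'
    'DT' = 'SERVICE_PAUSE_CONTINUE'; 'LO' = 'SERVICE_INTERROGATE'
    'CR' = 'SERVICE_USER_DEFINED_CONTROL'
    'GA' = 'GENERIC_ALL';            'GW' = 'GENERIC_WRITE'
}

# Well-known SID abbreviations that commonly appear in service DACLs.
$Trustees = @{
    'SY' = 'NT AUTHORITY\SYSTEM'; 'BA' = 'BUILTIN\Administrators'
    'PU' = 'BUILTIN\Power Users'; 'BU' = 'BUILTIN\Users'
    'IU' = 'Interactive users';   'SU' = 'Service logon users'
    'AU' = 'Authenticated Users'; 'WD' = 'Everyone'
}

# Bit masks used when an ACE writes its rights as a hex number instead of tokens.
$SERVICE_STOP  = 0x00000020
$GENERIC_ALL   = 0x10000000
$GENERIC_WRITE = 0x40000000

function Get-ServiceStopGrantees {
    # Returns the trustees whose Allow ACE grants SERVICE_STOP (directly or via
    # a generic right) on the named service, read from "sc.exe sdshow".
    param([Parameter(Mandatory)][string]$ServiceName)

    # sc.exe must be named explicitly: in PowerShell "sc" is an alias of Set-Content.
    # sdshow prints the descriptor as a single SDDL line beginning with "D:".
    $sddl = (& sc.exe sdshow $ServiceName) | Where-Object { $_.Trim() -match '^D:' }
    if (-not $sddl) { throw "Could not read the security descriptor of '$ServiceName'" }

    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    $acePattern = '\(([AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)'
    $grantees = @()
    foreach ($m in [regex]::Matches(([string]$sddl).Trim(), $acePattern)) {
        if ($m.Groups[1].Value -ne 'A') { continue }          # Allow ACEs only
        $rights = $m.Groups[3].Value
        $canStop = $false
        if ($rights -like '0x*') {
            # Hex access mask form.
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $canStop = (($mask -band $SERVICE_STOP) -ne 0) -or
                       (($mask -band $GENERIC_ALL) -ne 0) -or
                       (($mask -band $GENERIC_WRITE) -ne 0)
        } else {
            # Token form: a run of two-letter rights, split pairwise.
            $tokens = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $canStop = ($tokens -contains 'WP') -or ($tokens -contains 'GA') -or ($tokens -contains 'GW')
        }
        if ($canStop) {
            $sid  = $m.Groups[6].Value
            $name = if ($Trustees.ContainsKey($sid)) { $Trustees[$sid] } else { $sid }
            $grantees += $name
        }
    }
    return $grantees
}

# Usage: look the service up by the display name quoted in the report.
$svc = Get-Service -DisplayName 'Sygate Personal Firewall' -ErrorAction Stop
"{0} ({1}) is {2}" -f $svc.DisplayName, $svc.Name, $svc.Status
if ($svc.Status -ne 'Running') {
    # This is the post-condition the report's step D produces: no prompt, no firewall.
    Write-Warning 'Firewall service is not running; the host is without FW/IDS protection'
}
"Principals that hold SERVICE_STOP on $($svc.Name):"
Get-ServiceStopGrantees -ServiceName $svc.Name
```

If the output lists a group such as Power Users that should not be able to stop the firewall, the fix the vendor describes is to withdraw that right rather than to hand out the group membership: edit the DACL string so the unwanted ACE no longer carries WP (or drop the ACE) and write it back with sc.exe sdset, keeping the SYSTEM and Administrators entries intact so the service can still be managed. Run the audit again afterwards; it should list only the principals you intend, and the Status line doubles as a cheap check that the protection is actually up.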
 
 

