Sygate Personal Firewall can be shut down without a need to supply a password - although one is required

["Eitan Caspi" <eitancaspi () yahoo com>]

Tested and affected software: 

Sygate Personal Firewall 5.0 build 1150s (The free version) installed on
Windows XP Pro with SP1


Summary:

Sygate personal firewall has an option to ask for a password before
entering various sections of the application or making some actions
(like moving between protection levels (block all / allow all  /
normal)).

It also has the option to force entering the same password for anyone
wishing to exit the Firewall.

This password is not asked for (i.e. no password prompt is showing) when
any local or remote user that have the right to stop services (e.g.
member of the local "Administrators" and "Power Users" groups) is
stopping the "Sygate Personal Firewall" service on the target machine.

The service simply stops completely and silently - and thus closes the
firewall completely and leaves the machine without FW and / or IDS
protection.

It is true that highly privileged users have the ability to fully
control any machine they are privileged on - but there may be situations
where a machine will have several privileged users but only one will be
assigned to control the machine's FW (e.g. a developer and a system
administrator).

Privileged users CAN START the procedure of stopping the service - BUT,
the application vendor CAN (as part of the overall procedures performed
when an application is being shut down) place a code section that forces
a password prompt at the beginning of the stopping process and if the
password is wrong - to stop the stopping process.


Reproduction:

WARNING: For Maximum security - disconnect from the Internet and / or
any other possibly hostile networks BEFORE performing this steps, since
this steps will cause your machine to be un-protected from any networked
hostile activity !!!


A. Preparation

1. Log on to the machine (Windows XP Pro with SP1) as a local
administrator 2. Make sure you have Sygate Personal Firewall 5.0 build
1150s installed and running 
3. Open Sygate Personal Firewall (Following SPF) main interface 
4. Choose the command "Options..." from the "Tools" menu 
5. Click the "Set Password..." button in the "General" tab 
6. Enter the new password as asked for. Click the "OK" button 
7. Check the "Ask password while existing" check box 
8. Click the "OK" button of the whole "Options" form 
9. Close SPF main interface


B. Current stoppage protection measures that are working properly:

1. If you try, as a local administrator, to kill smc.exe (SPF service
executable) from the "task manager" - it won't be killed.

If you are running XP in a "Fast User Switching" mode there may be two
(or more) instances of smc.exe: one that runs under user name of
"system" which is the one loaded by the service - this one will not be
killed.
The other one will run under the user name of a logged on user and this
one CAN be killed (i.e. the task bar icon will be gone and so is the GUI
application, but the service (as noted above) will still run and protect
the machine).

2. If you try, as a local administrator to kill smc.exe from the command
line using the win2k resource kit tool "kill.exe" - it won't be killed.

When running "kill.exe" in a command prompt (cmd.exe) the command will
return a message that the process was killed, but checking the list of
processes in the processes tab at the "task manager" will show that
"smc.exe" is still running.


C. Testing the basic "Ask password while existing" feature:

1. Try to exit SPF by doing a right mouse click on the SPF icon on the
task bar and choosing "Exit Firewall" 
2. A prompt for a password appears 
3. Enter the password and click "OK" 
4. Click "Yes" at the warning dialog box 
5. SPF will exit and its icon will be gone


D. Vulnerability Reproduction
 
1. Start SPF by choosing its icon from the "programs" start menu. The
icon should re-appear on the task bar 
2. Stop the "Sygate Personal Firewall" service (either by using the
"services" interface or with a "net stop" command from a command line).
Notice that no password prompt appears. 
3. Approve that SPF has exited by:
        a. The service is not in a "started" status (its "status" field
is      empty)
        b. The icon of SPF on the task bar is missing
        c. In the list of processes at the processes tab of the "Task
Manager" you can't find a process named "smc.exe".

(Advanced checks may include verifying that communication actions that
were forbidden when SPF was running - are currently performed without
any limitations)



Exploit Programs:
 
No exploit applications or scripts are required.


 
Workarounds:

Direct: Not any that I am aware of.

Indirect: (Good for all times...) Limit to the number of privileged
users to a minimum and grant each one only the least rights he/she
needs. Assigning users to the "users" group level and below will
eliminate the vulnerability for this users.



Vendor Notification:

Sygate support policy for the free version of SPF grants only access to
a  free public support forum (following a link to the support site).

A question regarding this issue was added to the site on the
09-October-2002 but no one have answered it until 04-December-2002.

Vendor Site: http://www.sygate.com/
Vendor Support: http://www.sygate.com/support/support_switch.htm



Credit:
Eitan Caspi
Israel
Email: eitancaspi () yahoo com