Bugtraq mailing list archives

RE: Sygate Personal Firewall can be shut down without a need to supply a password - although one is required


From: "Russ" <Russ.Cooper () rc on ca>
Date: Thu, 5 Dec 2002 19:23:40 -0500

Eitan said:
"Privileged users CAN START the procedure of stopping the service - BUT, the application vendor CAN (as part of the 
overall procedures performed when an application is being shut down) place a code section that forces a password prompt 
at the beginning of the stopping process and if the password is wrong - to stop the stopping process."

This is a description of a GUI interface, and not the underlying actions/permissions/rights. IOWs, it is possible for a 
developer to code something into their service which, when the service detects a shutdown request, causes that service 
to execute some action (such as prompting for a password).

This does not mean that the service could not be "stopped". If a user has the right to stop a service, they also have 
the right to modify its startup behavior, including setting it to disabled or manual. Since that action has nothing to 
do with the running service, the service could be "stopped" by simply changing the setting and restarting the 
machine...at which time the service would not start.

While I think it's great that people like Eitan are entering into the security realm, I think properly stating the 
severity of issues is as important. When the discoverer puts such comments into their advisories, it should be vetted 
(pre or post publication). I do this with every post to NTBugtraq, which is why the volume is so low there.

In this case, Eitan has overstated the severity of the issue, IMNSHO. Members of the Administrators and Power Users 
group have many ways they can manipulate the operation of a Windows environment (any version). They are "privileged 
users", and as such, must be endorsed to be trustworthy. If you cannot trust individuals using those accounts, then 
custom privileges should be assigned (leaving them out of pre-defined groups). You can stop them from shooting 
themselves in the foot, but you cannot stop them from intentionally modifying the operation of the system.

Any expectation that you can is the real "false sense of security".

Sygate have silently acknowledged this by not bothering to prompt for the password. This should be clearly documented, 
and if it's not, that then is their mistake.

Cheers,
Russ - NTBugtraq Editor
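
The message above turns on who holds the right to stop a service and who holds the right to change its startup configuration. As an added example (not part of the original post), the Python below parses a service security descriptor in the SDDL form printed by `sc sdshow <service>` and reports, per trustee, the stop, change-config and ACL-rewrite rights; the sample descriptor is constructed and the function and constant names are illustrative.

```python
import re

# SDDL right codes as they apply to Windows service objects.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    # Generic rights as mapped for services: GA = SERVICE_ALL_ACCESS,
    # GW includes SERVICE_CHANGE_CONFIG, GX includes SERVICE_STOP.
    "GA": 0xF01FF, "GW": 0x20002, "GX": 0x20170, "GR": 0x2008D,
}
# WP = SERVICE_STOP, DC = SERVICE_CHANGE_CONFIG (covers the start type),
# WD/WO = WRITE_DAC/WRITE_OWNER (the holder can grant itself the others).
FINDINGS = {"stop": 0x20, "change_config": 0x2, "rewrite_acl": 0xC0000}
ACE = re.compile(r"\(([^;()]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_mask(rights):
    """Turn an ACE rights field (letter codes or a hex mask) into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown code
    return mask

def audit_service_sddl(sddl):
    """Map each trustee to the sensitive rights its allow ACEs grant.
    Simplification (assumption of this example): a deny ACE only subtracts
    from the same trustee, and group membership is not resolved."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    allow, deny = {}, {}
    for ace_type, rights, trustee in ACE.findall(dacl.group(1) if dacl else ""):
        bucket = allow if ace_type == "A" else deny if ace_type == "D" else None
        if bucket is not None:
            bucket[trustee] = bucket.get(trustee, 0) | parse_mask(rights)
    report = {}
    for trustee, mask in allow.items():
        mask &= ~deny.get(trustee, 0)
        held = {name for name, bits in FINDINGS.items() if mask & bits}
        if held:
            report[trustee] = held
    return report

# Constructed sample descriptor; SY, BA, PU and IU are the SDDL aliases for
# Local System, Administrators, Power Users and Interactive. SACL is ignored.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;IU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Calling `audit_service_sddl(SAMPLE)` returns a dictionary keyed by trustee; trustees that hold none of the three rights are omitted.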

