exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jun 18, 2004
Authored by Tan Chew Keong | Site security.org.sg

Sygate Personal Firewall Pro version 5.x is susceptible to a denial of service attack by being crashed via unprivileged applications sending specially crafted messages to the ListView control in the GUI.

tags | advisory, denial of service
SHA-256 | c4b523beea4596ecf960bcae931886280975333d872f47098e91d7d4f0b32445


Change Mirror Download
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>SIG^2 G-TEC - Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs</title>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs">
<meta name="keywords" content="Sygate, Personal, Firewall, Disabled">
<link href="spfp_files/main.css" rel="stylesheet" type="text/css">
<script language="JavaScript" type="text/JavaScript">
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}

function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;

function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;

function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}

<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" onload="MM_preloadImages('../img/nv_login2.gif','../img/nv_g-tec2.gif','../img/nv_cc2.gif','../img/nv_mirror2.gif','../img/nv_contact2.gif','../img/nv_sponsors2.gif','../img/nv_news2.gif','../img/nv_abtus2.gif','../img/nv_obj2.gif','../img/nv_pastevents2.gif','../img/nv_forums2.gif','../img/nv_links2.gif')">
<table border=0>
<span class="headertext">SIG^2 Vulnerability Research Advisory</span>
<span class="headertext"><h1>Sygate Personal Firewall PRO's Driver May be Disabled Locally by Malicious Programs</h1></span>
by Tan Chew Keong<br>
Release Date: 13 June 2004
<span class="headertext">Summary</span><br>
<a href="http://soho.sygate.com/products/spf_pro.htm">Sygate Personal Firewall PRO</a>
(SPFP) has redefined the personal firewall market with
a multi-layered shield of network, content, application, and operating system security.
Sygate Personal Firewall Pro protects your system from intrusions designed to exploit
vulnerabilities in Internet and Intranet communication. It is the ultimate desktop
security solution trusted by professionals and relied upon by millions of users.
SPFP has a fail-close feature that can be enabled to block all traffic when the
firewall service is not enabled. Hence, if a malicious program kills the firewall
service (smc.exe), all traffic will be blocked. However, a flaw in SPFP's driver
implementation may be exploited locally to disable this protection.
</p><p> <br>
<span class="headertext">Tested System</span><br>
Sygate Personal Firewall PRO 5.5 Build 2525 on Win2k SP4
</p><p> <br>
<span class="headertext">Details</span><br>
SPFP has a fail-close feature that can be enabled to block all traffic when the
firewall service is not enabled. Hence, if a malicious program kills the firewall
service (smc.exe), all traffic will be blocked. This feature may be enabled from
SPFP's GUI menu with the following sequence of commands.
(Tools->options->Security Tab->"Block all traffic while the service is not loaded").
SPFP is implemented as a user-space service (smc.exe), and as a kernel-space NDIS
intermediate driver (teefer.sys). The driver creates a device named
\\device\Teefer. The user-space service (smc.exe, tfman.dll) communicates with the
kernel-space driver through this device using specific Device I/O control codes.
The driver does not validate the source of the control codes, and hence, malicious
programs may send control codes to the driver to disable it's fail-close protection.
SPFP tries to prevent this by allowing only one user-space program to open it's
driver i.e. (Exclusive = TRUE when calling IoCreateDevice). Hence, as long as
smc.exe is running, other programs cannot open this driver. However, this may be
overcomed in the following two ways.
<li>If the malicious program runs with Administrator privilege, it can simply stop smc.exe using<p>
<li>net stop smcservice</li>
<li>or by using Service Control Manager APIs.</li>

</p><li>If the malicious program runs with non-administrator privilege, smc.exe may be crashed by
exploiting the List-View Control in SPFP's GUI.<p>


After stopping smc.exe, the fail-close protection may be disabled using the following code.

printf("Open failed\n");
printf("Device opened.\n");

char buffer[8];
DWORD *ptr = (DWORD *)buffer;
DWORD *ptr2 = (DWORD *)(buffer + 4);
DWORD ret;

*ptr = 0;
*ptr2 = 0;

if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8, &ret, 0))


</p><p> </p><p>
<span class="headertext">Vendor Response</span><br>
Vulnerability will be fixed in upcoming release with additional product engine
enhancements and performance tweaks.
</p><p> <br>
<span class="headertext">Disclosure Timeline</span><br>
20 May 04 - Vulnerability Discovered<br>
30 May 04 - Initial Vendor Notification (CASE ID:Pro-29-May-2004-20:45:17)<br>
08 Jun 04 - Initial Vendor Response<br>
13 Jun 04 - Public Release<br>
</p><p> </p>
<span class="headertext">Contacts</span><br>
For further questions and enquries, email them to the following.
Overall-in-charge: <a href="mailto:%63%68%65%77%6b%65%6f%6e%67%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67">Tan Chew Keong</a>


<span class="footnote">Updated: 13/6/2004</span><br>
<a href="mailto:%77%65%62%6D%61%73%74%65%72%40%73%65%63%75%72%69%74%79%2E%6F%72%67%2E%73%67" class="smallblackText">webmaster@security.org.sg</a></p>
<td width="30"><img src="spfp_files/spacer.gif" width="30" height="1"></td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By