
IRM Security Advisory 14

Posted Dec 28, 2005
Authored by IRM Research, IRM Advisories | Site irmplc.com

IRM Security Advisory No. 014 - Sygate Protection Agent 5.0 vulnerability - A low privileged user can disable the security agent

tags | advisory
SHA-256 | d31cb760d8c84be73e419d002d442d2df531f72d5420e40ff4c57ead99aae8bb

----------------------------------------------------------------------
IRM Security Advisory No. 014

Sygate Protection Agent 5.0 vulnerability - A low privileged user can
disable the security agent

Vulnerability Type / Importance: Security Protection Bypass / High

Problem discovered: November 23rd 2005
Vendor contacted: November 23rd 2005
Advisory published: December 20th 2005
----------------------------------------------------------------------

Abstract:

The Sygate Protection Agent is one of the components within the Sygate
Enterprise Protection software suite. The agent acts as a personal firewall
and detects known Trojans, port scans and common attacks. When an attack is
detected, the product can selectively block traffic, services or
applications.
A vulnerability has been identified in the product that allows a low
privileged user to disable the Security Protection Agent, which could place
the system being protected at risk of attack.

Description:

There are two executable files in the installation path of the agent,
Smc.exe and SmcGui.exe - there are no shortcuts directly created for
the user. If a standard user double-clicks smcgui.exe, which is the
management interface (supposedly not accessible to standard users),
the following error is displayed:

"Serious problem reading transaction from pipe - probable loss of
syncronisation a 6"

and the GUI does not execute. However, upon killing the process in Task
Manager, the Management GUI appears; the user has full access to the
management interface and can therefore disable the security agent.
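
One way to watch for the trigger described above, as an added example that is not part of IRM's advisory: it scans process start/exit records for SmcGui.exe launched by an account outside an administrator allow-list. The record format, account names and install-path placeholder are constructed, and it assumes "the process" killed is the launched SmcGui.exe instance.

```python
# Added example: flag SmcGui.exe launches by non-administrative accounts.
# The log format and all account names below are constructed for illustration.
import ntpath

TARGET = "smcgui.exe"  # management GUI named in the advisory

# Constructed sample records: time|event|pid|user|image
SAMPLE_LOG = """\
09:00:01|start|412|NT AUTHORITY\\SYSTEM|C:\\<agent-install-path>\\Smc.exe
09:14:10|start|1880|CORP\\alice|C:\\<agent-install-path>\\smcgui.exe
09:14:25|exit|1880|CORP\\alice|C:\\<agent-install-path>\\smcgui.exe
10:02:00|start|2044|CORP\\admin-bob|C:\\<agent-install-path>\\SmcGui.exe
11:30:00|start|2310|CORP\\carol|C:\\<agent-install-path>\\SMCGUI.EXE
"""

def parse(line):
    """Split one record into a dict; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5 or not parts[2].isdigit():
        return None
    time, event, pid, user, image = parts
    return {"time": time, "event": event, "pid": int(pid),
            "user": user.lower(), "image": ntpath.basename(image).lower()}

def find_suspect_launches(log_text, admin_accounts):
    """Return launches of the GUI by accounts outside admin_accounts.

    Each finding notes whether that same process later exited, which is the
    step after which the advisory says the management GUI appears
    (assumption: "the process" killed is the launched SmcGui.exe instance).
    """
    admins = {a.lower() for a in admin_accounts}
    findings, open_by_pid = [], {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["image"] != TARGET:
            continue
        if rec["event"] == "start" and rec["user"] not in admins:
            finding = {"time": rec["time"], "user": rec["user"],
                       "pid": rec["pid"], "exited": False}
            findings.append(finding)
            open_by_pid[rec["pid"]] = finding
        elif rec["event"] == "exit" and rec["pid"] in open_by_pid:
            open_by_pid.pop(rec["pid"])["exited"] = True
    return findings

if __name__ == "__main__":
    for f in find_suspect_launches(SAMPLE_LOG, {"CORP\\admin-bob"}):
        print(f)
```

Matching is case-insensitive on the image name because the advisory itself writes the file as both SmcGui.exe and smcgui.exe.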


Tested Versions:

Sygate Protection Agent 5.0 (build 6144)


Tested Operating Systems:

Windows XP SP1
Windows XP Tablet PC edition


Vendor & Patch Information:

On November 23rd an email was sent to 'security-alert@sygate.com' and
'security@sygate.com', but both of these addresses bounced. IRM have
submitted vulnerabilities to Sygate previously so the email was then sent
to a specific individual at the company, but again, no response was
received. As Sygate has been recently acquired by Symantec, an email was
then sent to security@symantec.com. However, again, no responses were
received.


Workarounds:

IRM are not aware of any workarounds for this issue.


Credits:

Research & Advisory: Mazin Faour and Andy Davis


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom
SW1P 3JJ
+44 (0)207 808 6420



