[NT] Sygate Protection Agent Privileges Escalation



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Sygate Protection Agent Privileges Escalation
------------------------------------------------------------------------


SUMMARY

"Sygate Enterprise Protection (SEP) is the only solution that provides seamlessly
integrated Host Intrusion Prevention (HIPS) and Network Access Control
(NAC) Systems on a single agent, to protect managed computers, networks,
and data from compromise, downtime, and theft."
(<http://www.sygate.com/products/sygate-enterprise-protection.htm>)

Improper error handling in the Sygate Protection Agent allows a standard
local user to disable the agent and change its settings.

DETAILS

Vulnerable Systems:
* Sygate Protection Agent version 5.0 (build 6144)

There are two executable files in the agent's installation path, Smc.exe
and SmcGui.exe; no shortcuts are created for the user. If a standard user
double-clicks SmcGui.exe, which is the management interface (supposedly not
accessible to standard users), the following error is displayed:

"Serious problem reading transaction from pipe - probable loss of
syncronisation a 6"

and the GUI does not start. However, upon killing the process in Task
Manager, the management GUI appears; the user then has full access to the
management interface and can therefore disable the security agent.
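
The practical lesson for a defender is that the agent's pipe error, not an authorization check, was the only thing keeping standard users out of the console, so host logs should flag the console being started by a non-admin account at all, and the launch-then-kill sequence above in particular. The following is an added example, not IRM's or Sygate's code: it runs two such checks over a constructed process event log (comma-separated time, event, image, user); the install path, the log format and the admin allowlist are assumptions.

```python
import ntpath
from datetime import datetime

# Constructed sample of a process event log (time,event,image,user), made up for
# this example; it is not Sygate or IRM output and the install path is a placeholder.
SAMPLE_LOG = """\
2005-11-23T09:00:01,ProcessCreate,C:\\SYGATE_INSTALL_PATH\\Smc.exe,NT AUTHORITY\\SYSTEM
2005-11-23T09:14:10,ProcessCreate,C:\\SYGATE_INSTALL_PATH\\SmcGui.exe,CORP\\jsmith
2005-11-23T09:14:12,ProcessCreate,C:\\WINDOWS\\system32\\taskmgr.exe,CORP\\jsmith
2005-11-23T09:14:30,ProcessTerminate,C:\\SYGATE_INSTALL_PATH\\SmcGui.exe,CORP\\jsmith
2005-11-23T10:02:00,ProcessCreate,C:\\SYGATE_INSTALL_PATH\\SmcGui.exe,CORP\\helpdesk-admin
"""

# Assumption: the accounts that are allowed to open the management console.
ADMIN_ACCOUNTS = {"corp\\helpdesk-admin"}
MANAGEMENT_IMAGES = {"smcgui.exe"}


def parse_events(log):
    """Yield (time, event, image basename, user) tuples from the constructed log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        time, event, image, user = line.split(",", 3)
        yield time, event, ntpath.basename(image), user


def unauthorised_console_launches(log, admins=ADMIN_ACCOUNTS):
    """Management console started by an account outside the admin allowlist."""
    return [(t, user, image) for t, ev, image, user in parse_events(log)
            if ev == "ProcessCreate" and image.lower() in MANAGEMENT_IMAGES
            and user.lower() not in admins]


def launch_then_kill(log, window_seconds=120):
    """A non-admin user starts SmcGui.exe and terminates it shortly afterwards:
    the sequence the advisory reports as exposing the console."""
    hits, pending = [], {}
    for t, ev, image, user in parse_events(log):
        if image.lower() not in MANAGEMENT_IMAGES or user.lower() in ADMIN_ACCOUNTS:
            continue
        if ev == "ProcessCreate":
            pending[user] = t
        elif ev == "ProcessTerminate" and user in pending:
            delta = datetime.fromisoformat(t) - datetime.fromisoformat(pending[user])
            if delta.total_seconds() <= window_seconds:
                hits.append((user, pending.pop(user), t))
    return hits
```

Both checks flag CORP\jsmith and leave the allowlisted helpdesk account alone; the second one is the higher-confidence signal because it matches the bypass sequence rather than a single launch.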

Disclosure Timeline:
Problem discovered: November 23rd 2005
Vendor contacted: November 23rd 2005
Advisory published: December 20th 2005


ADDITIONAL INFORMATION

The information has been provided by IRM (<mailto:advisories@xxxxxxxxxx>).
The original article can be found at:
<http://www.irmplc.com/advisory014.htm>


