RE: Sygate Personal Firewall can be shut down without a need to supply

From: Eitan Caspi (eitancaspi@yahoo.com)
Date: 12/05/02

  • Next message: Seth Knox: "Sygate Personal Firewall can be shut down without a need to suppl y"
    From: "Eitan Caspi" <eitancaspi@yahoo.com>
    To: <bugtraq@securityfocus.com>
    Date: Fri, 6 Dec 2002 00:01:30 +0200
    
    

    Hello Seth,

    Thanks for taking the time to comment about this issue.

    1. As you may noticed, I used the term "privileged users". Stopping
    service is enabled for the members of the local power users as well, so
    the problem range is wider.

    2. I will sharpen my point: You are absolutely correct about the fact
    that local admins can stop services.

    If you will see in my note, I wrote:
    " Privileged users CAN START the procedure of stopping the service -
    BUT, the application vendor CAN (as part of the overall procedures
    performed when an application is being shut down) place a code section
    that forces a password prompt at the beginning of the stopping process
    and if the password is wrong - to stop the stopping process. "

    I ask you this: Do you claim that what I wrote is technically wrong and
    it can't be done by sygate?

    If this is the claim and it is technically true (I'm not a developer,
    but a system admin) - I redraw my claims and ask for your forgiveness.

    If you are not able to claim this - then Sygate has just overlooked this
    problem and didn't close this breach.

    3. Let's be accurate here: YOU added, in your email, the words
    "non-administrator". I never claimed the "password for exit" is meant
    only for "non-administrator" users. Neither did Sygate!!!- I have seen
    the help for the product on your web site - and the password feature was
    not even mentioned by text or in the screen shot of the "general" tab!!!
    Probably the help pages was not so updated...

    A false sense of security is certainly a vulnerability.

    )The above section of the email was written before re-visiting the help
    web pages of the product. The following section was written after a
    re-visit)

    NOW, I have just re-visited the help pages and I must say I'm shocked!!!

    Just a day or two ago I visited the web help for the product and the
    section describing the "general" tab showed a screen shot of an earlier
    version of the product and the whole "password protection" section was
    missing from the picture!!! And of course there was no explanation about
    this feature!!!

    When I entered NOW to the same page
    ( http://soho.sygate.com/support/documents/spf_help/general_tab.htm ) -
    Suddenly the screen shot is showing the "password protection" feature
    and there is even an explanation to the feature.

    But that's not all - here comes the best:
    The screen shot shows that the "ask password while exiting" is dimmed
    and can't be chosen and the password description is not explaining about
    this check box at all!!!

    Beside the fact that this is not the actual current application behavior
    but only a specially crafted form - what you are doing by this is
    arrogantly covering your blame!!!

    I can't express my absolute rejection feelings towards this act!
    Security is first of all credibility - and as far as my concern:
    You just lost it!

    Eitan Caspi
    Israel

    -----Original Message-----
    From: Seth Knox [mailto:seth.knox@sygate.com]
    Sent: Thursday, December 05, 2002 8:14 PM
    To: 'bugtraq@securityfocus.com'
    Cc: 'eitancaspi@yahoo.com'
    Subject: Sygate Personal Firewall can be shut down without a need to
    supply

    If you are an Administrator of a computer, you have the absolute right
    to stop any service, including the Sygate Personal Firewall Service,
    using the services window or "net stop" command.  This is not a
    vulnerability but rather the intended implementation of the Microsoft
    operating system.  If the administrator of the computer wants to prevent
    other users from stopping the Sygate Personal Firewall Service, they
    should not grant that right to other users. As you mentioned in your
    email, Sygate Personal Firewall has the option to prevent any
    non-administrator from exiting the firewall or stopping the application
    from the task menu without a password.  In enterprise and government
    organizations, Sygate Secure Enterprise initiates a challenge/response
    enforcement protocol that ensures that Sygate Security Agent, as well as
    third-party applications, are running and up-to-date before any system
    can connect to the network.
     
    Seth Knox
    Product Manager
    Sygate Technologies