IRM 014: Sygate Protection Agent 5.0 vulnerability - A low privileged user can disable the security agent
----------------------------------------------------------------------
IRM Security Advisory No. 014
Sygate Protection Agent 5.0 vulnerability - A low privileged user can
disable the security agent
Vulnerability Type / Importance: Security Protection Bypass / High
Problem discovered: November 23rd 2005
Vendor contacted: November 23rd 2005
Advisory published: December 20th 2005
----------------------------------------------------------------------
Abstract:
The Sygate Protection Agent is one of the components within the Sygate
Enterprise Protection software suite. The agent acts as a personal firewall
and detects known Trojans, port scans and common attacks. When an attack is
detected, the product can selectively block traffic, services or
applications.
A vulnerability has been identified in the product that allows a low
privileged user to disable the Security Protection Agent, which could place
the system being protected at risk of attack.
Description:
There are two executable files in the installation path of the agent,
Smc.exe and SmcGui.exe - no shortcuts are created for the user. If a
standard user double-clicks SmcGui.exe, which is the management interface
(supposedly not accessible to standard users), the following error is
displayed:
"Serious problem reading transaction from pipe - probable loss of
syncronisation a 6"
and the GUI does not execute. However, upon killing the process in Task
Manager, the Management GUI appears; the user then has full access to the
management interface and can therefore disable the security agent.
Tested Versions:
Sygate Protection Agent 5.0 (build 6144)
Tested Operating Systems:
Windows XP SP1
Windows XP Tablet PC edition
Vendor & Patch Information:
On November 23rd an email was sent to 'security-alert@xxxxxxxxxx' and
'security@xxxxxxxxxx', but both of these addresses bounced. IRM have
submitted vulnerabilities to Sygate previously so the email was then sent
to a specific individual at the company, but again, no response was
received. As Sygate has recently been acquired by Symantec, an email was
then sent to security@xxxxxxxxxxxxx. However, again, no response was
received.
Workarounds:
IRM are not aware of any workarounds for this issue.
Credits:
Research & Advisory: Mazin Faour and Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
A copy of this advisory may be found at:
http://www.irmplc.com/advisories.htm
----------------------------------------------------------------------
Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom
SW1P 3JJ
+44 (0)207 808 6420