Memory Firewall has security flaws!

[Guest]

[al6]

Tjena...

Im currently developing a Swedish version of the Comodo BO Tester in order to learn more about security exploits and such. One thing tough; im not able to get warnings from Memory Firewall at all. I am explicitly creating a stack buffer overflow which overwrites the return address and then executes a small shellcode on the stack that jumps back to the code segment and returns the code 13 (as in bad luck ).

If I change the Data Execution Prevention settings to OptOut a.k.a "force everything to use DEP", the exploit is stopped by Windows. However, Memory Firewall does not seem to care at all, even if DEP is turned off.

The exploit should not be able to return the number 13, it should be closed by either DEP or Memory Firewall. Obviously my BO Tester is not recognized as a big enough threat but then what should i do to make Memory Firewall stop it?

Im posting the source code of my BO Tester here:

Code:

/* STACK BUFFER OVERFLOW EXPLOITION TEST
1. Overflow stack buffer
2. Execute code in stack buffer
3. Return code 13 */

#include <windows.h>

//return code 13
void exploited()
{
ExitProcess(13);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
//Allocate on stack and initialize with shellcode "jmp eax"
volatile int buffer[32] = {0xe0ff};
//Overflow buffer with address of buffer
for(int i = 1; i < 64; i++)
buffer[i] = (int) buffer;
//Set eax to address of exploited
__asm
{
mov eax, exploited
}
//Return to buffer and execute "jmp eax" from the stack
}

[LeoniAquila]

Hi and welcome al6.

I'm just posting in this thread so I can easily monitor the answers here, as you're doing some interesting testing.

[al6]

This thread will need the help from the developers of Memory Firewall.

[EricJH]

Are you using Memory Firewall alongside with CIS 3.8? CIS3.8 has memory firewall integrated. May be the two of them bite?

[JoWa]

CIS 3.9 RC1 gives no BO alert. The attachment shows the result. (sårbart = vulnerable)

[al6]

The problem is simple; Memory Firewall doesn't stop me from exploiting a buffer overflow. Im only using COMODO Memory Firewall 2.0.4.20. May i speak with the creators?

Är det omöjligt att få kontakt med grabbarna eller vad?

[LeoniAquila]

The problem is simple; Memory Firewall doesn't stop me from exploiting a buffer overflow. Im only using COMODO Memory Firewall 2.0.4.20. May i speak with the creators?

Är det omöjligt att få kontakt med grabbarna eller vad?

Easy, it may take a while for them to see this.

[JoWa]

New version of al6's BO Tester, new result…

[al6]

This thread is very important, there is a serious mistake in Memory Firewall!

Memory Firewall is only detecting calls to ShellExecute, WinExec and so on, but it's not detecting calls to the standard C system() call. This is a serious security flaw since system() can do everything that ShellExecute can do. I want some developers in this thread.

Im not using Memory Firewall since i found out that it's useless, also, DEP and ASLR is a better way to protect your system since it does not need the "black list" of calls becaue everything is stopped.

[LeoniAquila]

I've tried to get attention from some developer, let's hope for a comment.

By the way, CMF has not been updated in a long time. AFAIK the stand alone CMF has been discontinued. Have you considered performing these tests on the CMF part of CIS, which is much newer?

[EricJH]

If I recall correctly CMF only protects to 3 out of 6 possible buffer overflow types. I tried the test on 3.9 RC2 and had three alerts about buffer overflow and terminated them and passed the test.

[Tags:]