Author Topic: Comodo DLL injection via weak hash function exploitation Vulnerability  (Read 6662 times)

Offline srinath

  • Newbie
  • *
  • Posts: 5
                               This originally appeared in the wilders security forums by a person called grey87y.
"Comodo Firewall Pro (former Comodo Personal Firewall) implements a component control, which is based on a checksum comparison of process modules. Probably to achieve a better performance, cyclic redundancy check (CRC32) is used as a checksum function in its implementation. However, CRC32 was developed for error detection purposes and can not be used as a reliable cryptographic hashing function because it is possible to generate collisions in real time. The character of CRC32 allows attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.
Vulnerable software:

* Comodo Firewall Pro 2.4.17.183
* Comodo Firewall Pro 2.4.16.174
* Comodo Personal Firewall 2.3.6.81
* probably all older versions of Comodo Personal Firewall 2
* possibly older versions of Comodo Personal Firewall"
                                      I don't know the truth behind it but just wanted to bring it your notice.  I love and greatly admire comodo firewall and looking forward to the stable version ofCAVS. Many members at wilders security are not very grateful though. (B)
« Last Edit: February 17, 2007, 07:11:34 AM by srinath »

soyabeaner

  • Guest
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #1 on: February 17, 2007, 07:53:39 AM »
That originated from Matousec's advisory and it shows Comodo was notified on 2007-02-01.

Offline Dwarden

  • Newbie
  • *
  • Posts: 19
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #2 on: February 17, 2007, 12:18:47 PM »
IMHO use of CRC32 was performance/easy coding trick ...

now when CPF matured it's time to offer users minimum of MD5 or some SHA hashing
(or ideally both, switchable in options (who want perf use MD5 who want safe use SHA-256) ...

« Last Edit: February 17, 2007, 12:20:31 PM by Dwarden »
Ideas are like ocean w/o borders!

Offline srinath

  • Newbie
  • *
  • Posts: 5
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #3 on: February 18, 2007, 02:27:56 AM »
That originated from Matousec's advisory and it shows Comodo was notified on 2007-02-01.
Thanks for clarification.

Offline Rotty

  • Comodo's Hero
  • *****
  • Posts: 903
  • http://www.venganza.org/ - Noodly Appendage
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #4 on: February 18, 2007, 04:15:08 AM »
I gotta say that using a Cyclic redundancy check for a cryptographic check is against cryptography 101 and should really not have happened.

That being said, i am sure they will fix it.
The opinions expressed in my posts are my own. 
They do NOT necessarily represent or reflect the views of my employer.

Offline Toxteth O'Grady

  • Comodo's Hero
  • *****
  • Posts: 590
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #5 on: February 18, 2007, 04:32:17 AM »
If it is that bad, why did they use it in the first place?  ???
This calls for an offical Comodo reply\clarification

Offline Rotty

  • Comodo's Hero
  • *****
  • Posts: 903
  • http://www.venganza.org/ - Noodly Appendage
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #6 on: February 18, 2007, 06:23:56 AM »
I can't support the original decision as i know too much  (:TNG) .  That being said, allot of vendors seem to make poor programming decisions and quick-fixes and in the end, development time and the security added may not have made business sense...

Anything i say is my opinion and not the opinion of Comodo, or any organization or person i may have contact with, but let me re-state for this thread that anything said by myself is MY opinion ONLY.

An official comment would be a good idea....



The opinions expressed in my posts are my own. 
They do NOT necessarily represent or reflect the views of my employer.

Offline edeppi

  • Newbie
  • *
  • Posts: 24
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #7 on: February 19, 2007, 04:28:58 AM »
Will be fixed or not???

Comodo please reply.

Thanks

Offline soccerfan

  • Newbie
  • *
  • Posts: 7
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #8 on: February 19, 2007, 03:15:51 PM »
The silence from Comodo in regard to this problem is deafening.
Wonder why Melih and/or others are not responding!


Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 13525
    • Video Blog
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #9 on: February 19, 2007, 04:31:59 PM »
this is already fixed for v3...

Melih

Offline Bubu74

  • Comodo Loves me
  • ****
  • Posts: 177
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #10 on: February 19, 2007, 05:26:58 PM »
this is already fixed for v3...

Melih

I'm glad to hear that, and hope it will be released soon.  ;D
COMODO user since January 2007

Offline soccerfan

  • Newbie
  • *
  • Posts: 7
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #11 on: February 19, 2007, 05:57:21 PM »
Thanks for the update, Melih.
This new version 3 should be worth the wait.

Any fixes for the current 2.x in sight?

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 13525
    • Video Blog
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #12 on: February 19, 2007, 06:18:27 PM »
Thanks for the update, Melih.
This new version 3 should be worth the wait.

Any fixes for the current 2.x in sight?

the 3 is only weeks away..
this attack is in the wild and we don't expect to see it within next few weeks.
Hence we decided to concentrate all the developers on v3 rather than take their focus off it.

Melih

VaMPiRiC_CRoW

  • Guest
Re: Comodo DLL injection via weak hash function exploitation Vulnerability
« Reply #13 on: February 19, 2007, 06:26:08 PM »

 

Seo4Smf 2.0 © SmfMod.Com | Smf Destek