* Home Help Search Login Register  

Welcome, Guest. Please login or register.
December 23, 2009, 09:26:25 PM

Login with username, password and session length

344784 Posts
38065 Topics
86448 Members
Latest Member: whitehat

more news...
Search:     Advanced search | Tag Cloud
+  Welcome to the Comodo Forum
|-+  Desktop Security Products
| |-+  Comodo Internet Security - CIS
| | |-+  Bug Report - CIS
| | | |-+  Other - General - GUI etc Bugs
| | | | |-+  Comodo Firewall FAILS TERMINATION TEST		 « previous next »
Pages: [1] 2 Go Down Print
Author Topic: Comodo Firewall FAILS TERMINATION TEST  (Read 4536 times)
wj32
Comodo Loves me
****
Offline Offline

Posts: 122



WWW
« on: April 09, 2009, 09:36:48 PM »
Hello everyone.

I've just created a tool that terminates cfp.exe (and other COMODO processes). I've attached it, and it requires the .NET Framework 2.0. Simply allow it to run and deny all other requests (like debug privilege, etc.)

Here's how it does it:

1. Unhooks all Nt* functions (many are hooked by CFP's guard32.dll). This is done by going through ntdll's exports and restoring the first 5 bytes of each function. This is the most important step.
2. Looks for processes with a description containing "COMODO".
3. Opens each process with PROCESS_DUP_HANDLE access.
4. Blindly calls NtDuplicateObject with values 0 to 10000, attempting to close all of the process' handles.
5. The process will be terminated.

Please provide feedback.

wj32.

Mod edit : termination tool removed (rather be too careful, than not careful enough) and forwarded to development team
« Last Edit: April 09, 2009, 10:13:15 PM by panic » Logged
SiberLynx
Comodo's Hero
*****
Offline Offline

Posts: 698
« Reply #1 on: April 09, 2009, 09:48:15 PM »
Hi wj32,

Sure moderators will look at it and most likely will remove it.

Nobody should download that.

Even if you are right  you have to send that to Comodo developers for testing.
They will run it test it and respond.

If attachment includes executables it could be just a malware sent.
I am not accusing you of doing that, but rules are rules.
Suspicious links should not be posted, suspected malware should be submitted as passworded archive to Comodo lab, and so on.

My regards
Logged
admin; XP Pro, SP3 (32); CIS 3.13.121240.574 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker
alfa1
Comodo Member
**
Offline Offline

Posts: 42
« Reply #2 on: April 10, 2009, 03:14:06 AM »
It would be interesting to know a response in this regard by one of the developer as soon as possible..

Txs..
Logged
kronos
Product Translator
Comodo's Hero
*****
Offline Offline

Posts: 224


CIS - Comodo Italian Translator
« Reply #3 on: April 10, 2009, 03:37:49 AM »
Quote from: alfa1 on April 10, 2009, 03:14:06 AM
It would be interesting to know a response in this regard by one of the developer as soon as possible..

Txs..

+1

Thanks  Tongue
Logged
Romagnolo1973
Product Translator
Comodo Family Member
*****
Offline Offline

Posts: 94


Desculpa meu portugués eu sou italiano
« Reply #4 on: April 10, 2009, 05:31:34 AM »

We are still waiting  a feedback from development team ...........
Logged
O Amor por princípio, a Ordem por base e o Progresso por fim
commanding the celsius
Product Translator
Comodo's Hero
*****
Offline Offline

Posts: 1270


^^^^
« Reply #5 on: April 10, 2009, 05:37:54 AM »
+1 to wj32 if this in fact are killing CIS. =)
Logged
wj32
Comodo Loves me
****
Offline Offline

Posts: 122



WWW
« Reply #6 on: April 10, 2009, 05:47:41 AM »
Unfortunately (or fortunately Smiley) this only works if ZwDuplicateObject is not hooked. This is the case on my Vista machine, but not on XP. Can someone else please verify that ZwDuplicateObject is not hooked?
Logged
panic
Global Moderator
Comodo's Hero
*****
Online Online

Posts: 7681


... and I say to myself, "What a wonderful world"
« Reply #7 on: April 10, 2009, 06:14:37 AM »
Quote from: Romagnolo1973 on April 10, 2009, 05:31:34 AM
We are still waiting  a feedback from development team ...........

It was only reported 8 hours ago. Exactly how quickly were you expecting a response, given that their development people are only just waking up?

Please be reasonable everyone.

Ewen :-)
Logged
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
kronos
Product Translator
Comodo's Hero
*****
Offline Offline

Posts: 224


CIS - Comodo Italian Translator
« Reply #8 on: April 10, 2009, 09:12:29 AM »
Quote from: panic on April 10, 2009, 06:14:37 AM
It was only reported 8 hours ago. Exactly how quickly were you expecting a response, given that their development people are only just waking up?

Please be reasonable everyone.

Ewen :-)


I'm sorry, but our time zone is different from yours (BTW I don't think ALL Comodo developers has yours) Wink

We're not asking for a patch, but only to a developer confirm of this issue...
Obviously the patch needs time...We'll wait.. Tongue


last question: Why is this topic in Help-CIS section and not in Defense+ Bugs one?

Thanks,
Regards Smiley
« Last Edit: April 10, 2009, 01:31:06 PM by kronos » Logged
SiberLynx
Comodo's Hero
*****
Offline Offline

Posts: 698
« Reply #9 on: April 10, 2009, 09:35:18 AM »
Quote from: kronos on April 10, 2009, 09:12:29 AM
... last question: Why is this topic in Help-CIS section and not in Defense+ Bugs one?

Hi kronos,

When I noticed the <>.zip attached and posted - the thread  was somewhere else and alive.
Then it was inaccessible for a while.
Moderators removed attachment and moved the topic.

It happened so fast, I cannot tell where the thread was initially  Smiley

My regards
Logged
admin; XP Pro, SP3 (32); CIS 3.13.121240.574 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker
egemen
Administrator
Comodo's Hero
*****
Offline Offline

Posts: 2148
« Reply #10 on: April 10, 2009, 12:12:25 PM »
Quote from: wj32 on April 09, 2009, 09:36:48 PM
Hello everyone.

I've just created a tool that terminates cfp.exe (and other COMODO processes). I've attached it, and it requires the .NET Framework 2.0. Simply allow it to run and deny all other requests (like debug privilege, etc.)

Here's how it does it:

1. Unhooks all Nt* functions (many are hooked by CFP's guard32.dll). This is done by going through ntdll's exports and restoring the first 5 bytes of each function. This is the most important step.
2. Looks for processes with a description containing "COMODO".
3. Opens each process with PROCESS_DUP_HANDLE access.
4. Blindly calls NtDuplicateObject with values 0 to 10000, attempting to close all of the process' handles.
5. The process will be terminated.

Please provide feedback.

wj32.

Mod edit : termination tool removed (rather be too careful, than not careful enough) and forwarded to development team

Thanks for testing CIS. But I did not see it terminating CIS in Windows XP 32. Matousec leak tests do the same while trying to terminate and bypass CIS.

If you believe otherwise, please give more details about how you tested etc...

Egemen
Logged
commanding the celsius
Product Translator
Comodo's Hero
*****
Offline Offline

Posts: 1270


^^^^
« Reply #11 on: April 10, 2009, 04:35:06 PM »
Egemen wj32 said some special case had to be in place and that it for him only worked on his Vista machine as well so maby vista is the OS you should run this bastard with:

Quote from: wj32 on April 10, 2009, 05:47:41 AM
Unfortunately (or fortunately Smiley) this only works if ZwDuplicateObject is not hooked. This is the case on my Vista machine, but not on XP. Can someone else please verify that ZwDuplicateObject is not hooked?

=) But its to technical for me.. Just saying..
Logged
wj32
Comodo Loves me
****
Offline Offline

Posts: 122



WWW
« Reply #12 on: April 16, 2009, 01:54:45 AM »
I've just retested my program with a clean Vista installation + CIS 3.8. It still fails the test.
Logged
alfa1
Comodo Member
**
Offline Offline

Posts: 42
« Reply #13 on: April 17, 2009, 02:47:17 PM »
hi, wj32!

I'm quite sure that the breach you discovered has been fixed with the last beta2 (3.9.74199.494):
infact, among other things, in the changelog is clearly showed this,

FIXED! CIS handles can be closed in Windows Vista by attacker programs


Txs a lot for helping to point out this... Thumb Up
Logged
kronos
Product Translator
Comodo's Hero
*****
Offline Offline

Posts: 224


CIS - Comodo Italian Translator
« Reply #14 on: April 17, 2009, 02:54:05 PM »
Quote from: alfa1 on April 17, 2009, 02:47:17 PM
hi, wj32!

I'm quite sure that the breach you discovered has been fixed with the last beta2 (3.9.74199.494):
infact, among other things, in the changelog is clearly showed this,

FIXED! CIS handles can be closed in Windows Vista by attacker programs


Txs a lot for helping to point out this... Thumb Up

It would be interesting if some developers answer to this item. Undecided

BTW the segnalation is 7 days old, and we're still waiting for an official response (that honestly doesn't seem to come).

Regards,
Kronos
Logged
Tags: CFP  termination  leaktest 
Pages: [1] 2 Go Up Print 
« previous next »
Jump to:  

SSL Certificate Free Virus Removal Firewall
Page created in 0.047 seconds with 18 queries.
Powered by SMF 1.1.11 | SMF © 2006, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks 		Design by 7dana.com