Author Topic: Bypassing certification? (reposting)  (Read 5546 times)

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Bypassing certification? (reposting)
« on: October 19, 2006, 10:20:56 AM »
Greetings
The following is an extract from another thread.
It seems like this thread is more appropriate for my question, although it may not sound as sophisticated as other issues in here.
<<...
...I deliberately wrote “find IF an app. belongs …” to Comodo's trusted list, not that I wanna see the whole list. The list can be huge, like 1 million + 69 entries, and reading it would bore me to tears.
But Panic’s answer made me panic.
He wrote: 
Quote
1) If WE can see the list, so can malware, and it could insert itself into the list. The list of approved apps is hidden as a security measure and will not be revealed.
Well, I found this argument a bit weak.
Displaying the whole list must not mean that such a serious application would keep the DB of certified apps in some kind of, say, text file or any other unencrypted form, making it easy for malware to “insert itself into” it. I personally never met any drunk programmer who would consider such an insecure implementation. A sober programmer may not code this way either.
So mainly, showing the whole list should not be a problem at all. The ability to search by name and get a True/False result would just help.
What is a real problem, as I see it, is how Comodo performs a check against its own hidden list of trusted apps.
In my evil experiment I wrote a small app. It communicates with port xxxxx. I compiled it and saved it as EvilApp.exe. Actually you can use any app you have/download etc.
I renamed it to uTorrent.exe (a certified one, but you can use any other Comodo-approved app you know) and ran it. No question asked. If you want to see Comodo’s question about the “false utorrent” and port xxxxx, you know what to do with that checkbox.
It looks like the hidden secret list “WE cannot see” contains just filenames(?!). You see, I intentionally did not name & compile the app as utorrent, leaving the internal name different, because I was testing Prevx for the same reason. Guess what? Prevx’s orange window comes up and notifies me about EvilApp(!) That’s better, isn’t it?
So basically, do I need to “insert” (physically) anything into the list, or just show a false ID and bypass?.. Cause I am in, and talking to the outside world, and my app doesn’t have an interface. Forgot what they call those nasties…? (:WIN)
I hope anybody (better all of you) can prove me wrong.
Cheers
Main OS - Ubuntu
XP Pro, SP3 (32bit), Admin; Comodo Firewall 3.14.130099.587; Proactive with Defense+; Emsisoft Anti-Malware v9; Sandboxie
Win 7 x64, Admin (UAC off); Win7 advanced FW +TinyWall; Emsisoft Anti-Malware v9; Sandboxie
Win 7 Ultimate 32bit (UAC off); Emsisoft Internet Security v9 beta

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Bypassing certification? (reposting)
« Reply #1 on: October 25, 2006, 12:45:11 PM »
Well, impossible. Please attach your application as a zip file and let us see. CPF compares SHA1 signatures of both the application and its PARENT application (the only firewall which performs a double signature check).

Or one possible case is: you try to connect to 127.x.x.x and you have the skip loopback connections option selected.

Egemen

Offline elfstone

  • Newbie
  • *
  • Posts: 17
Re: Bypassing certification? (reposting)
« Reply #2 on: December 10, 2006, 04:12:26 AM »
I replicated the 'experiment' and, what a surprise, it doesn't work. I renamed my EvilApp to utorrent.exe and actually copied it to the path where the original, trusted, utorrent.exe was. Once I try to connect the newly renamed app to the Internet, CPF refers to it as "EvilApp MFC Application" and lets me know that "The Cryptographic signature of utorrent.exe has changed since the last time it connected to the Internet". I chose to deny it, and that was that.

As an extra step, I restored the original utorrent.exe and ran it, and CPF asked me about it (the rule was lost in the process, which is expected) telling me that it is a safe application.

I also tried to run the original utorrent.exe from a different path - CPF didn't apply the rule, and asked me about it.

I also tried to launch utorrent.exe from a different app that I had renamed as explorer.exe - CPF asked about the parent not being trusted.

Conclusion: CPF works fully as expected in the given scenario. It does use a "cryptographic signature", combined with the executable path and with the "cryptographic signature" of the parent application to "identify" a process.
« Last Edit: December 10, 2006, 04:28:03 AM by elfstone »
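The two identification strategies argued over in this thread, side by side: the filename-only trusted list that SiberLynx's original post assumed (bypassed by a rename) and the scheme egemen and elfstone describe, where a rule is tied to the path, the SHA-1 of the application image and the SHA-1 of the parent image. This is an added example written for this page, not Comodo's code or anything posted in the thread; the record format, the `learn`/`check` functions and the file contents (arbitrary bytes standing in for executables, not real PE files) are assumptions. It replays elfstone's three tests in a temporary directory: EvilApp renamed to utorrent.exe in place, the genuine binary run from another path, and the genuine binary launched by something merely named explorer.exe.

```python
"""Filename-only trust (bypassable by renaming) versus trust keyed on
path + SHA-1(image) + SHA-1(parent image). Example code for this page,
not Comodo's; the record format and file contents are assumed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed stand-ins for executables: arbitrary bytes, not real PE files.
UTORRENT_BYTES = b"MZ-genuine-utorrent-" + b"\x00" * 64
EVILAPP_BYTES = b"MZ-EvilApp-MFC-" + b"\x01" * 64
EXPLORER_BYTES = b"MZ-genuine-explorer-" + b"\x02" * 64


def sha1_of(path: str) -> str:
    """SHA-1 of the file's contents, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def trusted_by_name(exe_path: str, trusted_names: set[str]) -> bool:
    """The weak check SiberLynx feared: only the base filename is consulted."""
    return os.path.basename(exe_path).lower() in trusted_names


@dataclass(frozen=True)
class TrustRecord:
    path: str         # normalised full path the rule was created for
    sha1: str         # hash of the application image
    parent_sha1: str  # hash of the image that launched it


def norm(path: str) -> str:
    return os.path.normcase(os.path.abspath(path))


def learn(exe_path: str, parent_path: str) -> TrustRecord:
    """Snapshot a user-approved application: path, its hash, its parent's hash."""
    return TrustRecord(norm(exe_path), sha1_of(exe_path), sha1_of(parent_path))


def check(exe_path: str, parent_path: str, db: dict[str, TrustRecord]) -> str:
    """Return 'allow', or the reason the stored rule does not apply."""
    rec = db.get(norm(exe_path))
    if rec is None:
        return "ask: no rule for this path"
    if sha1_of(exe_path) != rec.sha1:
        return "ask: cryptographic signature of %s has changed" % os.path.basename(exe_path)
    if sha1_of(parent_path) != rec.parent_sha1:
        return "ask: parent application is not trusted"
    return "allow"


def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def run_experiment() -> dict[str, object]:
    """Replay the thread's experiments in a temp dir and return each outcome."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "other"))
        utorrent = os.path.join(d, "utorrent.exe")
        explorer = os.path.join(d, "explorer.exe")
        write(utorrent, UTORRENT_BYTES)
        write(explorer, EXPLORER_BYTES)

        rec = learn(utorrent, explorer)          # user approves the genuine uTorrent
        db = {rec.path: rec}
        names = {"utorrent.exe"}
        results = {"genuine": check(utorrent, explorer, db)}

        # 1. EvilApp renamed to utorrent.exe, overwriting the trusted binary in place.
        write(utorrent, EVILAPP_BYTES)
        results["renamed_name_only"] = trusted_by_name(utorrent, names)
        results["renamed_hash"] = check(utorrent, explorer, db)

        # 2. Genuine binary restored, then run from a different path.
        write(utorrent, UTORRENT_BYTES)
        other = os.path.join(d, "other", "utorrent.exe")
        write(other, UTORRENT_BYTES)
        results["other_path"] = check(other, explorer, db)

        # 3. Genuine binary launched by something merely named explorer.exe.
        fake_explorer = os.path.join(d, "other", "explorer.exe")
        write(fake_explorer, EVILAPP_BYTES)
        results["bad_parent"] = check(utorrent, fake_explorer, db)
    return results


if __name__ == "__main__":
    for name, outcome in run_experiment().items():
        print(f"{name}: {outcome}")
```

Running it prints the four outcomes elfstone reported: the name-only check waves the renamed EvilApp through, while the hash-keyed check reports a changed signature, no rule for the other path, and an untrusted parent. Two caveats that apply to any such scheme, hashing the image on disk says nothing about what has been injected into or patched in the running process, and SHA-1 is no longer collision-resistant (practical collisions were published in 2017), so a rule store built today would use SHA-256.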

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11825
  • Linux is free only if your time is worthless.;-)
Re: Bypassing certification? (reposting)
« Reply #3 on: December 10, 2006, 06:20:05 AM »
Quote
I hope anybody (better all of you) can prove me wrong.
Cheers

Would one of us be enough? Or would you like to be proven wrong more definitively? ROFLMFAO.

Thanks for the test elfstone.

Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Bypassing certification? (reposting)
« Reply #4 on: December 19, 2006, 11:26:50 PM »
Hi egemen  and everybody,
The main thing: my apology …no… like this: my APOLOGY! – it works as it's supposed to.
I wouldn’t be surprised if you forgot what I’m talking about :SMLR
Sorry for such a delay. Was overseas and came back to find my comp in shock after a power failure. Still in the recovery ward here, but now it’s breathing on its own.
Boring.
I got caught in my own experiment, having a picture similar to the attached (+ the lack of sleep).

I still believe that there is not enough info given in the Details window “downstairs”, and the user can be confused. That includes the fact that you can only browse details one by one. It would be nice to have a separate list which includes info for multiple highlighted items, in order to compare things easily.
Another thing is that when I repeated a set of tests I eventually got that message about the crypto-signature, which convinced me that you are right and I was wrong.
At the same time, I got it only when the fake app was running and another one with a bit of change was fired from the same directory. I was expecting to get such a warning more often.
Anyway. I’m glad that I was wrong.
I attached the app, slightly modified, just as a friendly gesture rather than...
I didn’t create a distribution because it would ask for Framework 2.0 to be downloaded and installed in case you don’t have it, and I don’t want to bother you with that.
So if you have it (most likely) it will work. If not, just ignore it/me/us.
Best regards and Happy New Year to all :Beer
PS
Sorry, it says: “upload folder is full". The zip file is just 265KB (?)

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Bypassing certification? (reposting)
« Reply #5 on: December 20, 2006, 10:43:17 AM »
[at]panic
Hi panic,
First of all - Happy New Year!
Frankly, I cannot understand why my mistake would cause such a sarcastic response, and be so funny that one can find himself on the floor with any F part of the body going off?
None of us knows everything, and everyone knows something that others never know.
Knowledge is a subjective thing. You cannot pass it from one person to another. Experience, on the other hand, can be obtained by learning, discussing, making errors and false conclusions, admitting the latter, sharing the experience you have and so on... (friendly laughs and fun included)
Now, as you noticed from my posts, my English isn’t perfect. That’s why, probably, I don’t know what “more definitively” means. I know for sure that “more optimal” does not exist, though.
Anyway, the proof was definitive, conclusive, determinative, resolute, decisive…..
Finally – (hope you are reading this in a sitting position) - Happy New Year!

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Bypassing certification? (reposting)
« Reply #6 on: December 23, 2006, 01:28:39 AM »
Greetings
Wanna let you all know that I just freaked out a bit answering panic.
Steam pressure control failure. “Not to panic!” - everything is fine.
I’d rather congratulate you guys on COMODO (komodo) self-fertilization.
Oh! I see – no web link needed – it is the main header here already…
Yeah! As some females say: “who needs a male?” Not all of those females are lizards.
Meeen! We gonna suffer soon
Cheers
