Author Topic: Comodo Internet Security - bypassing security  (Read 6370 times)

Offline taliban

  • Newbie
  • *
  • Posts: 1
Comodo Internet Security - bypassing security
« on: March 26, 2013, 02:57:11 AM »
Hi dear COMODO.

(btw. Forgive me for my poor English level.)

Why your program dont assign checksums md5 files or even the size of the file (info), to see if the program you want to allow access to the Internet, this program actually is, and not another?

Look - when i run firefox or any other program for the first time then Comodo IS asks me whether to allow access to the Internet. When I Allowing access to the Internet, then Comodo will remember only the path to the program (and Comodo IS dont save the exe file size info or MD5 sum so now I can replace the file firefox.exe... Now, I will call another program "firefox.exe" and Comodo will allow the foreign application (like trojans) to access the Internet, because Comodo IS dont check in rules - file size or MD5 checksum [saved, allowed application])

So look:

1) This is my any program (has the function to connect to the Internet). (This program pretends to be a Trojan)



2) This is firefox (popular web browser). Has access to the internet (rule in Comodo)



3) I pasted my program to Firefox web browser directory.



4) I changed the name of the program firefox to any other (or could be removed).
I changed the name of my new program to "firefox.exe" (Now my program imitate web browser. Comodo dont check the md5 sum (for exe files) or file size of program added to the rule)



5) I started my program.



6) I pushed the button. Comodo did not ask for anything and Comodo allowed this (foreign) program to access the Internet!



Dear programmers! Why in the (comodo) rules are there is no recorded MD5 checksums (for exe, etc), file size info added to the rules or anything else?
Now anyone can replace the program to another and comodo will allow him to access the Internet.

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Comodo Internet Security - bypassing security
« Reply #1 on: March 26, 2013, 03:46:20 AM »
At first I couldn't believe this so I tried it by setting Comodo Firewall to Custom, then I started FileZilla client and tried to connect to my FTP which gave me an alert, using that alert I ticked in to remember my answer and then clicked "Allowed Application" under Trust. Then after closing filezilla I opened it again and tried to connect which it did without any alerts, as it should.

After that I downloaded putty and made sure it was not trusted, since the firewall is in Custom mode it will not automatically allow putty.exe just because it's found safe by Comodo.
I tried to telnet my router and CIS gave me a firewall alert about it to which I clicked allow and made sure the "remember" option was NOT ticked, I did this a few times and in different directories.

Lastly I renamed filezilla.exe to filezilla_backup.exe, after that I renamed putty.exe to filezilla.exe and copied it into the path of the previous fiezilla.exe which is now called filezilla_backup.exe.
I tried to run filezilla.exe (putty) and then telnet my router, it worked fine... no alerts whatsoever, even though I had not manually allowed that file, I had allowed another file with the same name.

This is something that needs fixing in my opinion.
I support privacy and freedom online - eff.org

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26183
Re: Comodo Internet Security - bypassing security
« Reply #3 on: March 27, 2013, 06:25:36 PM »
Comodo does not allow unknown programs to change protected files like .exe files. However it does allow the user to make such changes himself and an unknown program allowed by the user.

In this case you changed the Firefox executable and have given the " trojan" web access. Those are two cases of user actions.

In this there is no security problem as the user allowing these actions. If you find an unknown program that can change a protected file without user allowing it please report it. That would be a breach and Comodo always wants to know about them.

CIS is the nanny of program behaviour not of user behaviour. The user can do anything he wants including dangerous and destructive actions. I am happy CIS allows me to do anything like accessing system folders etc.

CIS does not check the hash of a file each time it loads an executable in memory. It takes too long and is therefo a performance issue. It will check the hash of file the first time it gets loaded. If it is a safe file it will be put on the Trusted Files list. This list can be parsed quickly without a negative influence on the performance.

Instead of hash checks CIS trust on its own protection of protected files.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Comodo Internet Security - bypassing security
« Reply #4 on: March 27, 2013, 06:51:43 PM »
Comodo does not allow unknown programs to change protected files like .exe files. However it does allow the user to make such changes himself and an unknown program allowed by the user.

In this case you changed the Firefox executable and have given the " trojan" web access. Those are two cases of user actions.

In this there is no security problem as the user allowing these actions. If you find an unknown program that can change a protected file without user allowing it please report it. That would be a breach and Comodo always wants to know about them.

CIS is the nanny of program behaviour not of user behaviour. The user can do anything he wants including dangerous and destructive actions. I am happy CIS allows me to do anything like accessing system folders etc.

CIS does not check the hash of a file each time it loads an executable in memory. It takes too long and is therefo a performance issue. It will check the hash of file the first time it gets loaded. If it is a safe file it will be put on the Trusted Files list. This list can be parsed quickly without a negative influence on the performance.

Instead of hash checks CIS trust on its own protection of protected files.

And if the TVL is disabled and trusted files are deleted, what happens then if a file changes?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26183
Re: Comodo Internet Security - bypassing security
« Reply #5 on: March 27, 2013, 07:42:51 PM »
And if the TVL is disabled and trusted files are deleted, what happens then if a file changes?
Then the executable would be unknown. An unknown executable is not allowed to change a protected file.

If it can change a protected file without the user allowing the program to change a protected file then CIS is bypassed and needs to be reported.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Comodo Internet Security - bypassing security
« Reply #6 on: March 27, 2013, 08:08:54 PM »
Then the executable would be unknown. An unknown executable is not allowed to change a protected file.

If it can change a protected file without the user allowing the program to change a protected file then CIS is bypassed and needs to be reported.

Unfortunately, we've been down this road in the past - links above.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Comodo Internet Security - bypassing security
« Reply #7 on: March 28, 2013, 05:39:45 AM »
I understand now, but what about trusted vendors that go rogue? By changing for example the Firefox exe the malware would be assumed safe, wouldn't it?
I support privacy and freedom online - eff.org

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1634
  • GOD cure me epilepsy and atrophy - Sou brasileiro!
Re: Comodo Internet Security - bypassing security
« Reply #8 on: March 28, 2013, 03:56:10 PM »
this actually happens, if for example the comodo Icedragon C: \ Program Files (x86) \ Comodo \ IceDragon \ icedragon. exe
have the security policy and firewall is substituted.
I used leaktest of GRC and changed the name to Icedragon.
http://www.youtube.com/watch?v=Jy5oxUG3_So

[attachment deleted by admin]
« Last Edit: March 29, 2013, 12:02:23 PM by liosant »

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek