Topic: exploitable RWX addresses : a new exploitable weakness

merlin86 (Newbie)
exploitable RWX addresses : a new exploitable weakness
« on: December 12, 2015, 06:34:38 PM »
There is a new exploit: http://www.ghacks.net/2015/12/10/check-whether-your-antivirus-is-vulnerable-to-explotable-rwx-addresses/

Tested on a real machine with the latest Comodo version, and it is vulnerable. I know that we have a good sandbox (if you put this executable in Untrusted it can't be executed), but maybe it is better to patch up the software.

What do you think, guys?

prallo (Comodo Loves me)
« Reply #1 on: December 12, 2015, 07:55:10 PM »
Tested it and it is not vulnerable!

That was with the newest Firefox 42.0 browser.

With Chrome it was vulnerable!
« Last Edit: December 12, 2015, 07:59:56 PM by prallo »

liosant (Comodo's Hero)
« Reply #2 on: December 12, 2015, 10:50:29 PM »
Security suites often fail leak tests or vulnerability tests.
Questions:
1. Would it be a "directed leak test"?
2. Why, when security suites are installed, does the "leak test" show failures?
3. Why, without any protection (except UAC), does the "leak test" fail?
4. Would we be better protected with only Windows installed?
5. Why, in real threat situations, does Windows fail?
The command prompt is opened by secure applications, but secure applications can be used by malware or unknown files to run command lines.

windstorm (Star Group, Comodo's Hero)
« Reply #3 on: December 13, 2015, 08:21:03 AM »
CIS is not vulnerable in a direct manner if that answers your question.  :)

windstorm (Star Group, Comodo's Hero)
« Reply #4 on: December 13, 2015, 12:00:22 PM »
With Chrome it was vulnerable!
What OS are you using?

Thank you.

EricJH (Global Moderator, Comodo's Hero)
« Reply #5 on: December 13, 2015, 01:08:31 PM »
I have looked at what it does with the HIPS. It tries to access executables in memory. Unknown programs are not allowed to do this with default settings of CIS.

merlin86 (Newbie)
« Reply #6 on: December 16, 2015, 01:46:53 PM »
I have looked at what it does with the HIPS. It tries to access executables in memory. Unknown programs are not allowed to do this with default settings of CIS.

Which is great, since Comodo can protect itself from zero-day attacks. But, if you read the original article (linked from the link I've posted), other products fixed this problem (try it with Windows Defender on Win 10 or 8.1 with no other security products installed on the system).

And no: other applications could be attacked, not only web browsers (they did web browsers because they are simpler to check).

So, will it be possible for Comodo to fix this bug, or are there some problems with fixing this?

Original link: http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/
The checker on GitHub: https://github.com/BreakingMalware/AVulnerabilityChecker (with the source code written in Python)
« Last Edit: December 16, 2015, 01:52:51 PM by merlin86 »
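The weakness the linked checker looks for is memory that is readable, writable and executable at the same fixed address in more than one process, which hands an attacker a known RWX location despite ASLR. The following is an added Python example, not code from this thread or from the AVulnerabilityChecker project: it runs the core comparison over constructed sample region tables, and the Windows-only `collect_regions` helper (an assumption, built on VirtualQueryEx) shows how such tables would be gathered from live processes.

```python
import ctypes
import sys

PAGE_EXECUTE_READWRITE, MEM_COMMIT = 0x40, 0x1000          # Windows memory constants
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010

def rwx_regions(regions):
    # regions: (base, size, state, protect) tuples as VirtualQueryEx reports them.
    return {b: s for b, s, state, prot in regions
            if state == MEM_COMMIT and prot == PAGE_EXECUTE_READWRITE}

def shared_rwx(regions_a, regions_b):
    # Bases that are RWX in both processes: a fixed, writable, executable address
    # that an injected hook can leave behind, which is what defeats ASLR here.
    a, b = rwx_regions(regions_a), rwx_regions(regions_b)
    return sorted(base for base in a if base in b)

# Constructed sample maps (not real captures) for two instances of one program.
PROC_A = [(0x10000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),   # RWX in both
          (0x7FF600000000, 0x1000, MEM_COMMIT, 0x20),              # normal RX code
          (0x30000, 0x1000, 0x10000, PAGE_EXECUTE_READWRITE)]      # MEM_FREE: ignored
PROC_B = [(0x10000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),
          (0x40000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)]   # RWX, but randomised

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_size_t), ("AllocationBase", ctypes.c_size_t),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

def collect_regions(pid):
    # Windows-only collector (assumed helper): walk a live process with VirtualQueryEx.
    if not sys.platform.startswith("win"):
        raise OSError("collect_regions needs the Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p] * 3 + [ctypes.c_size_t]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    mbi, addr = MEMORY_BASIC_INFORMATION(), 0
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            yield (mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect)
            addr = mbi.BaseAddress + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)

if __name__ == "__main__":
    print("shared RWX bases:", [hex(b) for b in shared_rwx(PROC_A, PROC_B)])
```

On a real machine the two tables would come from `collect_regions(pid)` for two instances of the same program; an empty result is the clean outcome.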

windstorm (Star Group, Comodo's Hero)
« Reply #7 on: December 16, 2015, 02:18:59 PM »
merlin86, are you considering virtualization in your scenario?

EricJH (Global Moderator, Comodo's Hero)
« Reply #8 on: December 17, 2015, 10:57:57 AM »
I ran it and it would not survive being virtualised. I must admit I am running a test version so not the latest stable version.

I would like you to report under what conditions there is a vulnerability. We first need to establish if and how CIS would get bypassed. You have not provided us with compelling evidence. Preliminary testing in this topic shows it's not vulnerable. Please provide us with the necessary information.
