Author Topic: Kiosk Vulnerable to Simple Simple LeakTest  (Read 20524 times)

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Kiosk Vulnerable to Simple Simple LeakTest
« on: February 12, 2013, 01:19:41 PM »
Okay, to me this appears to be a vulnerability of the Kiosk through which keyloggers could potentially transmit the data they have logged. As keylogging or screen captures are possible in the Kiosk (at least some methods are possible), I believe this to be a significant vulnerability.

I think the easiest way to test this is to open your browser sandboxed (I tested with Comodo Dragon). Then navigate to this page and download the leaktest. Then open it inside the program and run it. At least on my system it is able to display information through the browser, meaning that there is a leak.

The interesting thing is this. When I tested this on my system with the BB set to Untrusted it couldn't start. That made sense. However, under Partially Limited to Restricted what happened was I got a popup from the Firewall asking if I wanted to allow Dragon access to the internet. I don't get that unless it was opened by the leaktest (which by the way is how I believe the leaktest sneaks the data out). The strange thing is that although I didn't change the Firewall level between testing different levels of the BB it was actually the firewall component which appeared to stop the leaktest.

Thus, I worry that perhaps the Firewall component is not yet working correctly with the fully virtualized sandbox. Can anyone confirm this?

Thanks.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #1 on: February 12, 2013, 03:23:49 PM »
Windows 8 x64
fully virtual browser (CD)
proactive config - HIPS off

Browser leaked data....

Edit: FW set to custom with alerts set to high
« Last Edit: February 12, 2013, 03:26:06 PM by treefrogs »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #2 on: February 12, 2013, 03:26:06 PM »
Quote
Windows 8 x64
fully virtual browser (CD)
proactive config - HIPS off

Browser leaked data....

On your computer, if you run this outside the Kiosk is the firewall component able to block the leak?

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #3 on: February 12, 2013, 03:29:50 PM »
Quote
On your computer, if you run this outside the Kiosk is the firewall component able to block the leak?

When run outside of the kiosk/full virtual browser the test is sandboxed but leak still occurs
This is with FW set to custom and alerts set to very high

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #4 on: February 12, 2013, 03:40:41 PM »
Quote
When run outside of the kiosk/full virtual browser the test is sandboxed but leak still occurs
This is with FW set to custom and alerts set to very high

Is the option for the firewall to "Do NOT show popup alerts" disabled? Also, are you running in either Partially Limited, Limited, or Restricted?

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #5 on: February 12, 2013, 03:44:49 PM »
I have popups allowed
I had been running as fully virtual
I have just run the test in Partially Limited and Limited
The FW popup is for explorer.exe to connect to the net. The weird thing is the "leak" page loads whether I answer the popup or not.

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #6 on: February 12, 2013, 03:52:12 PM »
Quote
I have popups allowed
I had been running as fully virtual
I have just run the test in Partially Limited and Limited
The FW popup is for explorer.exe to connect to the net. The weird thing is the "leak" page loads whether I answer the popup or not.

Testing the BB set to Fully Virtualized is the same as testing the Virtualized Browser or the Kiosk. They all share the same environment.

So do you mean that when you run as Partially Limited you at least get a Firewall alert which, if you choose block, does not allow the leaktest to connect to the internet? Is that correct?

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #7 on: February 12, 2013, 04:02:22 PM »
Quote
Testing the BB set to Fully Virtualized is the same as testing the Virtualized Browser or the Kiosk. They all share the same environment.

I understand this, I was giving confirmation

Quote
So do you mean that when you run as Partially Limited you at least get a Firewall alert which, if you choose block, does not allow the leaktest to connect to the internet? Is that correct?

No I was getting an alert but the test was connecting even if I didn't answer
However I am trying to reproduce this
Right now I get no FW alert only auto sandbox
I will reset all FW rules and try again
« Last Edit: February 12, 2013, 04:10:49 PM by treefrogs »

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #8 on: February 12, 2013, 04:10:17 PM »
I'm confused now...
I have an instance of CD open running virtual
when I run the leak test now it's auto sandboxed but the "leak" page opens in another non-virtual instance of CD
No FW alerts at all now
If someone else can try this and see if they can replicate what I saw with the FW pop ups and page loading regardless that would be helpful....

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #9 on: February 12, 2013, 06:12:57 PM »
Ok when run with BB set to full virtual the leaktest is sandboxed and the FW alerts to the connection request
The leaktest connects to the internet and loads leak results before ANY interaction with FW pop up

I can consistently reproduce this


« Last Edit: February 12, 2013, 06:17:42 PM by treefrogs »

Offline M.Richter

  • Comodo's Hero
  • *****
  • Posts: 331
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #10 on: February 12, 2013, 07:25:33 PM »
Quote
Ok when run with BB set to full virtual the leaktest is sandboxed and the FW alerts to the connection request
The leaktest connects to the internet and loads leak results before ANY interaction with FW pop up

I can consistently reproduce this

For me it seems like a bug; it should not send data before you allow it.

Offline Mrarnold.

  • Comodo's Hero
  • *****
  • Posts: 699
  • R.I.P.Jay "padre" miner.Thank You For The Amiga.
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #11 on: February 12, 2013, 07:39:42 PM »
I downloaded and tried to run it but the HIPS stopped it.
Comodo Internet Security Premium 6.3,302093.2976.

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #12 on: February 12, 2013, 08:40:23 PM »
Quote
I downloaded and tried to run it but the HIPS stopped it.

Try it with the HIPS disabled.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #13 on: February 12, 2013, 08:57:00 PM »
I did a quick test, with just firewall and BB. Any setting other than partially limited prevented the leak program from finding the browser. I don't use Silverlight, so I haven't looked at the other areas.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Dch48

  • Comodo's Hero
  • *****
  • Posts: 2547
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #14 on: February 12, 2013, 09:04:59 PM »
I just tested it with a non-sandboxed IE9 on all the different BB settings. Here are the results.

Partially Limited---- Firewall alert for iexplore.exe
Limited----------------Same as above
Restricted-------------says "Unable to find default browser" and therefore does not run
Untrusted--------------Will not run at all
Fully Virtualized-------Runs and leaks info with no alerts of any kind

I think I may change my BB setting back to restricted. It is currently on Fully Virtualized.
« Last Edit: February 13, 2013, 01:29:34 AM by Dch48 »
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

 
