Author Topic: Kiosk Vulnerable to Simple Simple LeakTest  (Read 20525 times)

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #15 on: February 12, 2013, 10:37:14 PM »
Okay, the plot thickens. I reinstalled CIS (as I was getting inconsistent results but couldn't find an issue). The only changes I made from default were that I enabled FV for the BB. I also unchecked the Firewall option to "Do NOT show popup alerts". Other than that everything was default.

My default browser was Dragon, and I couldn't seem to get the program to test any others, even if I made IE the default browser it would load in Dragon. Thus, I've only tested Dragon.

However, this time I found that everything from Partially Limited to Restricted blocked the leaktest via a Firewall alert. However, FV let it right through. Thus, my test at least shows that the only option which needs to be addressed is FV.

This vulnerability makes me now want to encourage people to do banking outside of the Kiosk, as it appears to be less vulnerable to keyloggers. Hopefully Comodo addresses this vulnerability in the next update. I've already sent a PM to egemen about this. Hopefully he responds and lets us know exactly what's going on.

Thanks.

Offline Dch48

  • Comodo's Hero
  • *****
  • Posts: 2547
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #16 on: February 13, 2013, 01:31:00 AM »
As you said, there appears to be a problem with the Firewall in the virtual environment. It could be serious and they need to track it down ASAP. I do think, however, that it would take a keylogger being present in the virtual space in order for it to transmit data. If the keylogger is only present outside the Kiosk, it shouldn't be able to do anything. I therefore think that the main problem exists within the fully virtualized setting for the BB, which I can no longer justify using. I'm back to restricted.

Tell me if this is wrong. You're browsing in the Kiosk and a keylogger tries to install itself. The Behavior Blocker set to restricted prevents it from functioning but a BB set to fully virtualized allows it through. Is this a valid scenario?
« Last Edit: February 13, 2013, 01:37:37 AM by Dch48 »
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #17 on: February 13, 2013, 04:19:43 AM »
I have also re-installed, as the only consistent result was the leak phoning home through fully virtual.
If internet access is denied the test opens up a new browser page (only Dragon) but no data is sent, though it passes through the FW as if it's not there.
I don't have Silverlight installed.
On a clean install with default settings.....
With partially limited and limited the results are the same as fully virtual.
Untrusted blocks it - only autosandbox, no FW popups - Unable to find default browser
Restricted blocks it - only autosandbox, no FW popups
I have tried to replicate the autosandbox and FW popup seen in limited but cannot; very frustrating, now the test escapes the sandbox but with no FW alert.
Hope someone can sort this; till then I figure untrusted is the way forward.
« Last Edit: February 13, 2013, 04:21:39 AM by treefrogs »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #18 on: February 13, 2013, 06:21:04 AM »
Quote
As you said, there appears to be a problem with the Firewall in the virtual environment. It could be serious and they need to track it down ASAP. I do think, however, that it would take a keylogger being present in the virtual space in order for it to transmit data. If the keylogger is only present outside the Kiosk, it shouldn't be able to do anything. I therefore think that the main problem exists within the fully virtualized setting for the BB, which I can no longer justify using. I'm back to restricted.

Tell me if this is wrong. You're browsing in the Kiosk and a keylogger tries to install itself. The Behavior Blocker set to restricted prevents it from functioning but a BB set to fully virtualized allows it through. Is this a valid scenario?
I believe that in Fully Virtualized most keylogging methods are automatically blocked. However, not all are, and screen grabbing is allowed for many methods. Is this correct?

Anyway, yes, I believe that in order for this to be a vulnerability the keylogger itself would have to be running as fully virtualized as well. However, as long as you set the BB to FV this would be the case. Thus, I believe that it's a severe problem for people who are running with the BB set to FV, or those trying to use the Kiosk for secure browsing, such as banking.

Quote
I have also re-installed, as the only consistent result was the leak phoning home through fully virtual.
If internet access is denied the test opens up a new browser page (only Dragon) but no data is sent, though it passes through the FW as if it's not there.
I don't have Silverlight installed.
On a clean install with default settings.....
With partially limited and limited the results are the same as fully virtual.
Untrusted blocks it - only autosandbox, no FW popups - Unable to find default browser
Restricted blocks it - only autosandbox, no FW popups
I have tried to replicate the autosandbox and FW popup seen in limited but cannot; very frustrating, now the test escapes the sandbox but with no FW alert.
Hope someone can sort this; till then I figure untrusted is the way forward.
This inconsistency may be due to the Firewall automatically creating rules. I'm not sure, but I do also know that the results may be different depending on whether the browser was already open.

Hopefully egemen will look at this and let us know what's going on.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #19 on: February 13, 2013, 09:48:14 AM »
Quote
Hopefully egemen will look at this and let us know what's going on.

Hopefully.
Thanks for bringing this to our attention :-TU

After some deliberation I have decided to stick with the BB set to FV but have also reactivated HIPS.
No matter how you look at it, HIPS takes some beating...
« Last Edit: February 13, 2013, 10:09:41 AM by treefrogs »
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #20 on: February 13, 2013, 12:26:37 PM »
Quote
Thanks for bringing this to our attention :-TU
Actually, it was mouse1 who brought it to my attention. He also made a report about it here last November.

Quote
After some deliberation I have decided to stick with the BB set to FV but have also reactivated HIPS.
No matter how you look at it, HIPS takes some beating...
Does activating the HIPS protect against leaks if the BB is set to FV?

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #21 on: February 13, 2013, 01:04:39 PM »
Quote
Actually, it was mouse1 who brought it to my attention. He also made a report about it here last November.
Does activating the HIPS protect against leaks if the BB is set to FV?

I missed this the first time round.

On both my systems, W7 and W8, with the BB set to FV the test is blocked by the HIPS.
I'm now running with the BB set to FV with HIPS enabled and feel pretty secure with minimal impact to functionality.
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Mrarnold.

  • Comodo's Hero
  • *****
  • Posts: 699
  • R.I.P.Jay "padre" miner.Thank You For The Amiga.
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #22 on: February 13, 2013, 01:09:12 PM »
Like I mentioned earlier, I downloaded the test and attempted to run it, and the HIPS blocked it, which is good.
I've changed the BB setting to untrusted and feel secure enough with this and the HIPS turned on.
Comodo Internet Security Premium 6.3,302093.2976.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #23 on: February 13, 2013, 01:36:53 PM »
Quote
Like I mentioned earlier, I downloaded the test and attempted to run it, and the HIPS blocked it, which is good.
I've changed the BB setting to untrusted and feel secure enough with this and the HIPS turned on.

I'm reluctant to use restricted/untrusted because previously some programs wouldn't function.
I figure with FV and HIPS set to create rules I get usability plus the granular control of HIPS, so I get good usability but also control over what does what within the sandbox.
What is worrying is the fact that, as this leak test showed, some FW popups don't work when the BB is set to FV. I also saw this happen when the BB was set to limited; if the FW fails here, where else is it failing?
I can consistently get the FW popup with the leak test passing right through it when the BB is set to FV; however, I only saw this the first time I ran this test against limited. As Chiron stated, probably something to do with FW rules being created.
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Dch48

  • Comodo's Hero
  • *****
  • Posts: 2547
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #24 on: February 13, 2013, 06:10:28 PM »
While I'm certainly not trying to downrate the problem, I think we have to realize that a real piece of malware would not behave like this tester does. It would simply transmit the data and would not open a web page that showed what it collected. Therefore the Firewall alert for the browser would never happen no matter what your settings are. It should happen for the malware file itself, but if the BB is set to restricted or untrusted (without HIPS being enabled) it looks like you might be okay.
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #25 on: February 13, 2013, 06:15:19 PM »
Quote
While I'm certainly not trying to downrate the problem, I think we have to realize that a real piece of malware would not behave like this tester does. It would simply transmit the data and would not open a web page that showed what it collected. Therefore the Firewall alert for the browser would never happen no matter what your settings are. It should happen for the malware file itself, but if the BB is set to restricted or untrusted (without HIPS being enabled) it looks like you might be okay.
I believe what this test is supposed to illustrate is that malware can trick the firewall component into allowing it to transmit data through the browser (which could include your password, etc...). Thus, for those using the Kiosk, if a keylogger manages to install itself, and then they do banking, this could become a very serious problem for them.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #26 on: February 13, 2013, 06:38:16 PM »
Quote
I believe what this test is supposed to illustrate is that malware can trick the firewall component into allowing it to transmit data through the browser (which could include your password, etc...). Thus, for those using the Kiosk, if a keylogger manages to install itself, and then they do banking, this could become a very serious problem for them.

Agree 100%.
Keylogging has always been an Achilles heel.
It will be interesting to see how CIS deals with this using a BB approach, considering the recent move away from HIPS and the aim at a larger base of non-geeky, default-settings users.
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline M.Richter

  • Comodo's Hero
  • *****
  • Posts: 331
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #27 on: February 13, 2013, 06:42:18 PM »
Quote
I believe what this test is supposed to illustrate is that malware can trick the firewall component into allowing it to transmit data through the browser (which could include your password, etc...). Thus, for those using the Kiosk, if a keylogger manages to install itself, and then they do banking, this could become a very serious problem for them.

Right! It is a serious problem! Have you already got some info from egemen about that?

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #28 on: February 13, 2013, 06:46:02 PM »
Quote
Agree 100%.
Keylogging has always been an Achilles heel.
It will be interesting to see how CIS deals with this using a BB approach, considering the recent move away from HIPS and the aim at a larger base of non-geeky, default-settings users.
In my opinion keylogging is not too large a problem as long as the firewall is able to stop it. However, the issue I have with this leaktest is that it shows that the firewall is not able to stop leakage. Therefore, if they fixed the firewall leak I wouldn't be too worried, even though some keylogging methods are successful, as at least the data can't be transmitted from my computer.

Quote
Right! It is a serious problem! Have you already got some info from egemen about that?
No, egemen has not responded yet.

Offline Mrarnold.

  • Comodo's Hero
  • *****
  • Posts: 699
  • R.I.P.Jay "padre" miner.Thank You For The Amiga.
Re: Kiosk Vulnerable to Simple Simple LeakTest
« Reply #29 on: February 13, 2013, 08:23:16 PM »
How legitimate is this test file?
Is the firewall faulty in general or just in the virtual environment?
To be honest, isn't that what generally constitutes a true virtual environment? Nothing can get in, even the security program?
Comodo Internet Security Premium 6.3,302093.2976.
