Author Topic: How to kill CIS easily  (Read 25626 times)

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: How to kill CIS easily
« Reply #15 on: May 12, 2010, 06:54:31 AM »
I take it it would be possible to add all Java executables (e.g. java.exe) to the sandbox (Sandbox > "Add Programs to the Sandbox") with Limited (no file/registry virtualization) permission, and this would be enough to cripple this PoC.

Even those who prefer to use D+ alone can keep the sandbox enabled and disable automated sandboxing and installer detection (Defense+ Tasks > Sandbox > Sandbox Settings):

Untick Automatically run unrecognized programs inside the Sandbox
Untick Automatically detect the installers/updaters and run them outside the Sandbox
« Last Edit: May 12, 2010, 10:08:45 AM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: How to kill CIS easily
« Reply #16 on: May 12, 2010, 06:57:43 PM »
The problem is that there's always got to be a trade-off in order to keep down the volume of pop-ups. It's perfectly possible to lock down the system and mistrust everything, but you can expect to be answering a huge number of prompts. For a long time on the system I'm using CIS on I've had Mamutu protecting CIS against malicious activity, in case its self-protection fails.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #17 on: May 13, 2010, 02:17:10 AM »
Am I missing something???? I believe this to be a big deal... You load web pages (often have JavaScript) and it could load a malicious script through Java (trusted process from comodo, high rights)..  I see it as a huge hole...      Again - Am I missing something ???
Don't worry, be happy

*No longer active*

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: How to kill CIS easily
« Reply #18 on: May 13, 2010, 06:54:59 AM »
Actually you're not missing anything Kyle, this is potentially a very big issue. Alas it's somewhat inevitable that if you trust any potential 'exploit vector' then problems can happen.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #19 on: May 13, 2010, 07:44:06 AM »
With Comodo's sandbox, there may also be a very efficient way to guard against these sorts of things.

IMO I think browsers, interpreters, email clients should be in their own special group. Threat gates (idea stolen from GesWall) should be sandboxed with reduced privileges, and possibly some consideration into network access should be taken into account...
Don't worry, be happy

*No longer active*
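Kyle's "threat gate" idea above (browsers, interpreters and mail clients grouped together and given reduced privileges) can also be used on the detection side. The following is an added example, not code from the thread or from Comodo: a small Python script that scans process-creation records and flags a trusted interpreter that is handed a script from a user-writable location, or that is started by a browser or mail client. The sample events are constructed for the example (only the "java -jar kill_cis.jar" shape comes from the thread), and the interpreter list, the threat-gate parent list, the script extensions and the user-writable path pattern are all assumptions chosen for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation records (parent image, child image,
# child command line). They are invented for this example; only the
# "java -jar kill_cis.jar" shape comes from the thread.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("explorer.exe", r"C:\Program Files\Java\jre6\bin\java.exe",
     r'"C:\Program Files\Java\jre6\bin\java.exe" -jar C:\Users\bob\Downloads\kill_cis.jar'),
    ("firefox.exe", r"C:\Program Files\Java\jre6\bin\javaw.exe",
     r'javaw.exe -jar C:\Users\bob\AppData\Local\Temp\update.jar'),
    ("explorer.exe", r"C:\Python26\python.exe",
     r'python.exe C:\Users\bob\Downloads\setup.py'),
    ("explorer.exe", r"C:\Python26\python.exe",
     r'python.exe "C:\Program Files\MyApp\build.py"'),   # vendor script, benign
    ("explorer.exe", r"C:\Windows\System32\notepad.exe",
     r'notepad.exe C:\Users\bob\Downloads\notes.txt'),    # not an interpreter
]

# Runtimes a HIPS tends to trust but which run whatever script they are given
# (assumed list, chosen for the example).
INTERPRETERS = {"java.exe", "javaw.exe", "python.exe", "pythonw.exe",
                "wscript.exe", "cscript.exe"}
# Programs that pull content in from outside the machine: the "threat gates"
# (assumed list).
THREAT_GATE_PARENTS = {"firefox.exe", "iexplore.exe", "chrome.exe",
                       "outlook.exe", "thunderbird.exe"}
# Extensions that mean "this argument is code for the interpreter" (assumed).
SCRIPT_EXT = (".jar", ".py", ".pyw", ".js", ".vbs", ".wsf")
# Locations an ordinary user (and so a download or drive-by) can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.IGNORECASE)
# Command-line tokens: either a double-quoted run or a run of non-blanks.
TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmdline: str) -> str:
    """First command-line token that looks like a script/jar, or '' if none."""
    for tok in TOKEN.findall(cmdline):
        tok = tok.strip('"')
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return ""


def classify(parent: str, image: str, cmdline: str) -> List[str]:
    """Reasons an event is worth a look; an empty list means nothing notable."""
    reasons: List[str] = []
    child = basename(image)
    if child not in INTERPRETERS:
        return reasons
    script = script_argument(cmdline)
    if not script:
        return reasons            # interpreter started without a script
    if USER_WRITABLE.search(script):
        reasons.append("script lives in a user-writable location")
    if basename(parent) in THREAT_GATE_PARENTS:
        reasons.append("spawned by threat-gate parent " + basename(parent))
    if reasons:
        reasons.insert(0, "trusted interpreter %s running %s" % (child, script))
    return reasons


def scan(events: List[Tuple[str, str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every flagged event, in input order."""
    flagged = []
    for i, (parent, image, cmdline) in enumerate(events):
        reasons = classify(parent, image, cmdline)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (i, "; ".join(reasons)))
```

Run stand-alone it reports the first three sample events and stays quiet on the vendor script under Program Files and on notepad, which is the point: the interpreter itself is not the signal, the combination of a trusted interpreter, an untrusted script location and a threat-gate parent is.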

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: How to kill CIS easily
« Reply #20 on: May 13, 2010, 08:40:16 AM »
AFAIK the Java runtime is supposed to silently restrict Java applets embedded in webpages or request the user for permissions.

Perhaps the normal restriction might be bypassed due to some occasional Java runtime vulnerability (the chance for this increases if Java is not kept updated),
whereas not every vulnerability might be exploitable remotely (running in the web browser).

The Java PoC mentioned in this topic needs to be run locally and not through a webpage (that loads the PoC as an applet).


I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #21 on: May 13, 2010, 09:09:30 AM »
What about something like Python? I can run a malicious script through a trusted process. I'm sure there would be other things too and not only Python\Java.

The web based was just a possibility. Maybe Sharon could comment on that.. I don't have any Java programming experience. Only python.
« Last Edit: May 13, 2010, 09:14:57 AM by Kyle »
Don't worry, be happy

*No longer active*

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #22 on: May 13, 2010, 09:28:15 AM »
I use Java only to show you the issue. I want to show you how to bypass a HIPS using its own workings.

Read this again

Just try, on Vista or Seven only (I don't know why it doesn't work on XP, I didn't look at this): if you execute (with admin rights) java -jar kill_cis.jar it'll work. If you try kill_cis.jar, Comodo will sandbox it.

You have to find another way to execute code through a safe application. You can use a security hole, an addon/plugin, or anything that will allow you to execute a malware without creating any new process or application.

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: How to kill CIS easily
« Reply #23 on: May 13, 2010, 09:49:16 AM »
What about something like Python? I can run a malicious script through a trusted process. I'm sure there would be other things too and not only Python\Java.

Though each runtime might provide some "possibilities", perhaps not all of them stand on the same grounds.

Assuming somebody installed Python (or Java or "other things") already, that the user manually trusted these applications (if not safelisted), that this user downloads and executes the script (somehow?) might be fine as long as the scenarios are not unreasonably defined.

The web based was just a possibility. Maybe Sharon could comment on that.. I don't have any Java programming experience. Only python.

Then please create a web-based exploit using Python (if technically possible).
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: How to kill CIS easily
« Reply #24 on: May 13, 2010, 09:51:00 AM »
You have to find another way to execute code through a safe application. You can use a security hole, an addon/plugin, or anything that will allow you to execute a malware without creating any new process or application.

...without triggering BO protection (at least).

if you execute (with an admin rights account) java.exe -jar kill_cis.jar it might not work as well.
« Last Edit: May 13, 2010, 12:38:01 PM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #25 on: May 13, 2010, 09:59:23 AM »
I will not and cannot do that. Nor can I be bothered :D I don't have enough time on my hands because of studies, nor am I interested in doing web-based apps. :D

Basically what Sharon brought to attention is that a trusted program can run untrusted code through it.. (Not to mention it's a trusted vendor, Java!) Perhaps certain apps are given too many privileges and should be reviewed\isolated and restricted as a threat gate..


I'm not going to comment any further on the subject until a dev replies.
Don't worry, be happy

*No longer active*

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: How to kill CIS easily
« Reply #26 on: May 13, 2010, 11:58:52 AM »
I will not and cannot do that. Nor can I be bothered :D I don't have enough time on my hands because of studies, nor am I interested in doing web-based apps. :D
Well, if possible you can always post a link about somebody else's test and help everybody to focus their attention on a specific case without drifting into vague speculations.


Perhaps certain apps are given too many privileges and should be reviewed\isolated and restricted as a threat gate..
Yep, nobody prevents the user from doing so. Each user can also choose to restrict the permissions of the applications s/he runs.


Basically what Sharon brought to attention is that a trusted program can run untrusted code through it.. (Not to mention it's a trusted vendor, Java!)
Whereas these trusted applications can also be used to run trusted "scripts/code", obviously such restrictions apply also to the latter (script/code).

So it's up to the user to weigh the tradeoff, accounting for the real examples actually provided.

And put in place sandboxing even for the Python runtime, though then even scripted uninstallers will not be able to remove critical files but will otherwise run fine (e.g. emptying the %temp% folder).

I use Java only to show you the issue. I want to show you how to bypass a HIPS using its own workings.
Indeed that point was outlined along with an overall description of the approach used.

Nevertheless a HIPS's own workings would also provide a way to cripple such a bypass without sandboxing (e.g. using "all applications" block rules based on the "Comodo file/folder" group), whereas sandboxing appeared a much easier and selective enough way to handle such a bypass.

Not sure if you actually use CIS, though if that is the case I would have appreciated your considerations and suggestions also about a possible solution within the possibilities its own workings provide.
« Last Edit: May 13, 2010, 12:01:10 PM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #27 on: May 15, 2010, 07:44:06 PM »
bump
Don't worry, be happy

*No longer active*

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #28 on: May 16, 2010, 05:18:53 AM »
Hi all,

As I said in the French forum, I think this will be my last post because I think I'll be banned for saying what I'm going to say :p

I thought about this issue and I found a solution, but, for the moment, a HIPS like CIS and OA can't protect you.

Why? Because it is like a firewall: you allow an application like Firefox to access the Internet. OK, it's great, Firefox can access outgoing 80 and 443. But if I want to make an addon to spam people (like some others make a BitTorrent client), as I can use port 25, I'm able to do it; your firewall won't protect you.

On a HIPS you have lots of possibilities; for example, if you allow an application to access memory, this application can access all applications' memory.
So you have to use a safe application or an application that needs these rights and make an addon/plugin for it, use a security hole, change a DLL, and your target will do all you want; it's easy, like the previous security hole I showed you before.
I don't know if there is some real malware that works with it, but it's gonna happen.

CIS won't protect you, and Online Armor won't either. Comodo just makes an application with lots of bugs they didn't fix, that's all. On this point I think there are fewer bugs in OA.
You have just one guy, Melih, who thinks his application is the most perfect in the world, but he's wrong. The only thing that can be useful is CTM, but as it crashes a computer faster than a malware does....

Other solutions at the moment? Find another way to prevent it. Maybe later HIPS will be more advanced, but they won't be user-friendly.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #29 on: May 16, 2010, 05:34:42 AM »
Maybe Sandboxie is something you could look into Sharon  :) it would prevent this sort of vulnerability\hole.
Don't worry, be happy

*No longer active*
