Hello everyone. I have found the simplest way to make an internet browser transmit data outbound. I have used Firefox for the test, but it will probably work on other browsers too. I have written an app in VB.NET 2005 which:
Sends the keystrokes CTRL+V to paste the command into the Run dialog and then the ENTER key to execute the command.
As a result Firefox opens and “myfirewallleak” is transmitted to the COMODO website. I hope you don’t mind that I used the Comodo link…
Of course, for this to work, Firefox or any other browser that supports launching with command-line parameters must be set to Allow with the parent explorer.exe in the Comodo Firewall application monitor rules, which is done on the first execution of our browser when CFP is installed. Application Behavior Analysis does NOT detect the keystrokes.
Please fix this in COMODO V3.
Sorry to say, but your application doesn’t prove that the firewall leaks. It merely proves that the firewall allows traffic from applications that YOU HAVE ALREADY GRANTED INTERNET ACCESS TO. ABA would not look at command line parameters of every app launched; that’s not its intended function.
To test whether the firewall leaks, go to your application monitor and delete all rules relating to Firefox. Now, re-run your application, but when the firewall asks for permission for Firefox to access the internet, click BLOCK.
Actually nikola has shown a very simple way that true malware can use to transmit data through any previously trusted internet application. Shouldn’t CPF show that demo.exe is the originator of the data?
It’s an interesting technique, using application A (his custom app) to send data to application B (explorer.exe) to invoke application C (firefox) and use application B to pass a parameter to application C.
So, in a nutshell, CFP is failing to detect the parent of a parent of an application.
Hmmmmm? How many levels is enough? This is a tough one. How far back do you track parentage? How much additional overhead would this impose?
Maybe this should be lodged as a support ticket for the developers to have a look at (http://support.comodo.com). They’re currently buried with CFP V3 development and release work at the moment, but it still should be run past the support centre to see if it is deemed to be sufficiently urgent to drag a dev. guy away from his current priorities.
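A model of the parentage question raised in this post, added here as an example and not code from Comodo or from anyone in the thread: it walks a constructed process snapshot up to a configurable number of levels and shows that the Run-dialog launch described above looks clean by parentage alone (demo.exe ends up as a sibling of firefox.exe rather than an ancestor, since injected keystrokes create no parent link), whereas a genuinely nested chain is caught only when enough levels are examined. All pids, process names, command lines and the trusted-application set are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed snapshot (not real process data). Two launches of firefox.exe:
#  pid 1300: the thread's scenario, started by explorer.exe (Run dialog) with a URL
#            argument; demo.exe is only a sibling because keystrokes leave no parent link.
#  pid 1500: a nested chain demo.exe -> cmd.exe -> firefox.exe with no URL argument.
SNAPSHOT = {
    4:    Proc(4, 0, "system", ""),
    600:  Proc(600, 4, "explorer.exe", "explorer.exe"),
    1200: Proc(1200, 600, "demo.exe", r"C:\test\demo.exe"),
    1300: Proc(1300, 600, "firefox.exe", 'firefox.exe "http://www.comodo.com/?myfirewallleak"'),
    1400: Proc(1400, 1200, "cmd.exe", "cmd.exe /c start firefox.exe"),
    1500: Proc(1500, 1400, "firefox.exe", "firefox.exe"),
}

# Applications the user has already answered Allow for (plus the shell and kernel).
TRUSTED = {"system", "explorer.exe", "cmd.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def ancestors(snapshot, pid, max_depth):
    """Yield up to max_depth ancestors of pid, nearest parent first."""
    cur = snapshot.get(pid)
    for _ in range(max_depth):
        if cur is None or cur.ppid not in snapshot or cur.ppid == cur.pid:
            return
        cur = snapshot[cur.ppid]
        yield cur


def assess_launch(snapshot, pid, max_depth=1, inspect_args=False):
    """Decide whether a launch of an allowed network application needs a prompt.

    max_depth    -> how many levels of parentage to examine (the open question above)
    inspect_args -> also prompt when the launch carries a URL on its command line
    Returns ("allow" | "prompt", reason).
    """
    proc = snapshot[pid]
    for anc in ancestors(snapshot, pid, max_depth):
        if anc.name.lower() not in TRUSTED:
            return "prompt", f"untrusted ancestor {anc.name} (pid {anc.pid})"
    if inspect_args and URL_RE.search(proc.cmdline):
        return "prompt", f"URL argument supplied through {snapshot[proc.ppid].name}"
    return "allow", f"trusted parentage within {max_depth} level(s)"
```

Raising max_depth buys nothing for pid 1300, which is why the keystroke path is only visible when the command-line argument itself is inspected, at the false-positive and overhead cost the post is asking about.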