Bypass? Dll injected and no pop up from D+

evil_religion · November 3, 2010, 5:55pm

Hello,
tested on Windows 7 x64 with Comodo 5.0.163652.1142. Sandbox off, D+ with proactive profile.

RadeonPro can inject its dll “AppProfiles.dll” into other processes and there’s no pop up from Comodo regarding this.
Even if I use the process protection features, e.g. to protect firefox.exe against injections and so on, AppProfiles.dll is loaded into the memory:

http://www.ld-host.de/uploads/thumbnails/fb821037736d72230867ad5e6d794d11.png

Either using paranoid mode doesn’t help.

If you want to test by yourself you need a Radeon graphics card in order to run RadeonPro.
http://radeonpro.info/
Can you reproduce it?
If yes, what do you think?

kinemitor · November 3, 2010, 6:15pm

when i launched it i get the D+ alert asking for unlimited access
if i clic block i dont get nothing to happen everything is normal no dll opened or nothing

check you setting you may have turned off some D+ functions or attually clicked allow for the install so all files installed are supposed to be safe

also its looks like a safe program, even if is not signed the comodo cloud scan may find it as safe

evil_religion · November 3, 2010, 6:39pm

You are seeing a pop up regarding the sandbox. The sandbox must be always disabled for such testing because it’s using Windows rights limiting and this distorts the result.
D+ should handle any code injection.

No, man…

Got those features off.

MOVEAX · November 3, 2010, 6:59pm

i can reproduce it, dll injection is not detected by comodo
Sandbox or not, it is injected.

evil_religion · November 3, 2010, 7:11pm

Thank you very much for confirming this.
So it’s a general issue.

lordraiden · November 3, 2010, 10:49pm

That is what happens when the development of the HIPS has been stoped for a long period.

evil_religion · November 3, 2010, 11:05pm

If I recall it correct Online Armor has the same problem. And I bet almost every other HIPS has too.
I’d really like to know what is different of RadeonPro’s injection technique that it seems to be fully unknown to popular HIPSes.

What is pis*ing me off more is that since Comodo 3.8 the x64 HIPS didn’t improve at all regarding usermode hooks.
I’m curious what the developer comment will be in my “Sad: No progress with the x64 HIPS of CIS” thread. :-TD

MOVEAX · November 4, 2010, 8:07am

Personnaly, online armor work with my issues
i posted 1 bug : https://forums.comodo.com/bug-reports-cis/wutil-bypass-sandbox-t64647.0.html;new#new

evil_religion · November 4, 2010, 6:03pm

OK, I tried Online Armor again and I was wrong, it passes:

http://www.ld-host.de/uploads/thumbnails/46fa4c93a2013ab4d337728ae8946540.png

So I guess the problem is only related to Comodo. Fail.
May I get a price now? If I’m not mistaken it’s the first real Comodo 5 HIPS bypass. ;D

MOVEAX · November 4, 2010, 6:23pm

cookies ;p

knk2006 · November 5, 2010, 3:02am

is the dll injection will be still possible if the program is running inside the sandbox ?

evil_religion · November 5, 2010, 6:33pm

I won’t try this now because I haven’t installed CIS anymore.
But my assumption is: Yes, because RadeonPro can work with limited rights and for the rest D+ is used (and D+ fails the injection).

knk2006 · November 5, 2010, 11:38pm

hmmm that explains one of the 2 failures in the last NIS 2011 vs CIS 2011 report from matousec

any word from comodo ? < I think they saw it and working on it < and yes it’s time for updates :-\ < hopefully quite soon

egemen · November 9, 2010, 6:39pm

Hi Guys,

We have tested and CIS actually does not fail it.

When RadeonPro is first executed, there is a COM alert. When this is allowed, CIS lets the rest of the allow alerts too. This is for the sake of end-user experience by default. For example, if you blocked, it would block the DLL injection. Can this be changed? Yes. When you see the popup, it is the default popup layout. You can simply click “More Options” and it will expand the popup to Advanced Layout. In this layout, CIS will be verbose and allow you to play.

Egemen

Syl · November 9, 2010, 11:49pm

Thanks for the update on this one.

MOVEAX could reproduce because he made a mistake too?

dax123 · November 10, 2010, 10:23am

yes, checking ‘remember my answer’ in simple mode is dangerous.

evil_religion · November 10, 2010, 3:21pm

I’ve tested again and it actually fails like hell.

I always use the advanced layout. If I test such an issue and even create a forum thread you can be sure that mentally ■■■■■■■■ human failures like the one you have described don’t apply to my findings.
Just for my ego I tested again (advanced pop up layout!!!) and there is no pop up regarding the injection.
If I recall it correct there’s not even a pop up for the COM interface.

@MOVEAX: Did you see a pop up regarding COM interface access?

egemen · November 10, 2010, 3:43pm

Yes we have reproduced the issue in Windows 7 x64 today. It is a bug in x64 systems. Will be fixed with the next release.

evil_religion · November 10, 2010, 4:02pm

Good.

If you change something especially for x64 maybe you could also take a look at this?

http://www.ld-host.de/uploads/thumbnails/1ae4889873e0f4805ca0a887f1e3c884.png

https://forums.comodo.com/news-announcements-feedback-cis/sad-no-progress-with-the-x64-hips-of-cis-t54248.0.html

I think if Comodo would score better at SSTS on x64 I’d use it.