CIS Doesn't Prevent Buffer Overflow Attacks/Detect Shellcode Injections [M1489]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes very reliably
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Download & install an older version of an application that is vulnerable to a buffer overflow (e.g. vlc 0.9.4 or wireshark 1.4.4)
2:Open a malicious file that exploits the vulnerability.(see attachments and video)
3:notice no alert about detecting shellcode injection resulting from a buffer overflow attack.
One or two sentences explaining what actually happened:
Opening a specially crafted file that exploits a buffer overflow of a vulnerable application causes the application to crash and execute the injected shellcode. In this case being able to execute windows calculator.
One or two sentences explaining what you expected to happen:
I expected an alert to be shown with the options to terminate or ignore the application being attacked by a buffer overflow. This alert appears in CIS version 3.14 as seen in the attached screenshot.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Any software except CIS/OS involved? If so - name, & exact version:
VLC media player version 0.9.4 and wireshark version 1.4.4
Any other information, eg your guess at the cause, how you tried to fix it etc:
CIS version 3.14 is the last version that detects/prevents buffer overflows/shellcode injections.

Exact CIS version & configuration:
CIS Proactive Configuration
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=Safe Mode,Auto-sandbox=Disabled,Firewall=Safe Mode, AV=Not installed
Have you made any other changes to the default config? (egs here.):
Have you updated (without uninstall) from CIS 5, 6 or 7?:
if so, have you tried a a a clean reinstall - if not please do?:
Have you imported a config from a previous version of CIS:
if so, have you tried a standard config - if not please do:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP1 32&64 bit,UAC=Disabled,admin account,Virtual Box and non VM
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=N/A b=N/A

[attachment deleted by admin]

I was wondering if a developer can comment on if this will be addressed in the upcoming hotfix release?

Hi Guys,

Thank you very much for the feedback.

We will check the details with QA and I will get back to you.

Kind Regards,

Is the problem found in version 5.6, and 7?

Thanks for looking into the issue.

Unfortunately yes. I should’ve reported about this a long long time ago, but at the time I didn’t think it was a really big deal but now its an important feature to have working for today’s exploits/threats.

Does anyone know of a way to test it in real system without harming the system? like some buffer overflow leaktest, etc.

The best way is to find/use an application that has a buffer overflow vulnerability and either develop/write an exploit, see if a proof of concept has already been made publicly available on the exploit-db website, or see if theirs an exploit module available in the metasploit framework project.

or use this leaktest (unfortunately it’s old)

Tried the Comodo BO Tester for x64 and the program froze with Windows reporting that the application needs to be closed in each one of the tests and all of the tests got the result of “Protected”.

I had not received any warning from CIS though. OS is Win7 x64.

Probably Windows itself passed the tests because they are too old. Also would be nice if Comodo developed a new version of this leaktest tool.

Still non-functional in version and I noticed that guard32/64.dll which is the buffer overflow prevention component of CIS does not properly hook the various WinAPI functions for it to handle shellcode that perform the Windows API calls.

Can any developer comment on this issue? Buffer Overflow Prevention is a CIS feature heavily advertised by Comodo, how could Comodo release new CIS versions with non-working Buffer Overflow Prevention component?

How can Comodo advertise that CIS users are protected against Buffer Overflow attacks, while the BO Protection module does not even work?

Hi everybody,

Re-checking and will unerstand the timeline on this. I will have our QA s look into this asap.

For your kind information

Hey Guys,

As I ve double checked with QAs, BO protection is removed from both 5.12 and 6.0. So that I would suggest you to upgrade the version you use.

Kind Regards

As you see below, the issue is relevant for the current latest public release of CIS.

Looks like serious dysfunction, should be fixed in the next release.

This issue is affecting CIS V8. Why did you not saw this in the report?

And this is a serious problem, should be fixed ASAP because its a vulnerability.

Hi Guys,

Ok thank you for the clarifications. We will definitely look into this. I will update you about the fix date.

Kind Regards

The question is, why Comodo developers allowed this bug to happen? Do they properly test the BO Protection module before releasing CIS to the public? Or only AV, FW, Sandbox and HIPS? Recently there are some bugs in Heuristic CommandLine Analysis too.

Not everyone is experiencing these bugs. Are you?
Why would you make such a statement if this does not even apply to you?
Please post bugs only when said bugs are of relevant to your system, unless you are assisting some other member with a solution to their issue.

Did not meant to offend nor criticize anyone. Can’t really tell if this does not apply to me, because here on my System CIS does not give any buffer overflow alert when tested with Leaktest. So I don’t really know if it affects me or not. I only said that based on this statement:

So based on this statement I believe that yes, this Bug is probably affecting “everyone”. I do trust Comodo and the way they develop CIS, hence why I use it for years.