A. THE BUG/ISSUE (Varies from issue to issue) Can you reproduce the problem & if so how reliably?:
Yes very reliably If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Download & install an older version of an application that is vulnerable to a buffer overflow (e.g. vlc 0.9.4 or wireshark 1.4.4) http://download.videolan.org/vlc/0.9.4/win32/vlc-0.9.4-win32.exe
2:Open a malicious file that exploits the vulnerability.(see attachments and video)
3:notice no alert about detecting shellcode injection resulting from a buffer overflow attack. One or two sentences explaining what actually happened:
Opening a specially crafted file that exploits a buffer overflow of a vulnerable application causes the application to crash and execute the injected shellcode. In this case being able to execute windows calculator. One or two sentences explaining what you expected to happen:
I expected an alert to be shown with the options to terminate or ignore the application being attacked by a buffer overflow. This alert appears in CIS version 3.14 as seen in the attached screenshot. If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A Any software except CIS/OS involved? If so - name, & exact version:
VLC media player version 0.9.4 and wireshark version 1.4.4 Any other information, eg your guess at the cause, how you tried to fix it etc:
CIS version 3.14 is the last version that detects/prevents buffer overflows/shellcode injections.
B. YOUR SETUP Exact CIS version & configuration:
CIS 8.2.0.4591 Proactive Configuration Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=Safe Mode,Auto-sandbox=Disabled,Firewall=Safe Mode, AV=Not installed Have you made any other changes to the default config? (egs here.):
No Have you updated (without uninstall) from CIS 5, 6 or 7?:
No if so, have you tried a a a clean reinstall - if not please do?:
Yes Have you imported a config from a previous version of CIS:
No if so, have you tried a standard config - if not please do:
Yes OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP1 32&64 bit,UAC=Disabled,admin account,Virtual Box and non VM Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=N/A b=N/A
Unfortunately yes. I should’ve reported about this a long long time ago, but at the time I didn’t think it was a really big deal but now its an important feature to have working for today’s exploits/threats.
The best way is to find/use an application that has a buffer overflow vulnerability and either develop/write an exploit, see if a proof of concept has already been made publicly available on the exploit-db website, or see if theirs an exploit module available in the metasploit framework project.
Tried the Comodo BO Tester for x64 and the program froze with Windows reporting that the application needs to be closed in each one of the tests and all of the tests got the result of “Protected”.
I had not received any warning from CIS though. OS is Win7 x64.
Probably Windows itself passed the tests because they are too old. Also would be nice if Comodo developed a new version of this leaktest tool.
Still non-functional in version 8.2.0.4591 and I noticed that guard32/64.dll which is the buffer overflow prevention component of CIS does not properly hook the various WinAPI functions for it to handle shellcode that perform the Windows API calls.
Can any developer comment on this issue? Buffer Overflow Prevention is a CIS feature heavily advertised by Comodo, how could Comodo release new CIS versions with non-working Buffer Overflow Prevention component?
How can Comodo advertise that CIS users are protected against Buffer Overflow attacks, while the BO Protection module does not even work?
The question is, why Comodo developers allowed this bug to happen? Do they properly test the BO Protection module before releasing CIS to the public? Or only AV, FW, Sandbox and HIPS? Recently there are some bugs in Heuristic CommandLine Analysis too.
Not everyone is experiencing these bugs. Are you?
Why would you make such a statement if this does not even apply to you?
Please post bugs only when said bugs are of relevant to your system, unless you are assisting some other member with a solution to their issue.
Did not meant to offend nor criticize anyone. Can’t really tell if this does not apply to me, because here on my System CIS does not give any buffer overflow alert when tested with Leaktest. So I don’t really know if it affects me or not. I only said that based on this statement:
So based on this statement I believe that yes, this Bug is probably affecting “everyone”. I do trust Comodo and the way they develop CIS, hence why I use it for years.