Comodo firewall + Sandboxie = serious problem


I have a malware sample (keylogger) which may be able to escape a Sandboxie session if the user is also running CPF. Please see this thread:

If the lab would like the sample, pls let me know, because it is no longer available publicly.



I read the thread @ sandboxie forum - this is really interesting.

The theory is that Comodo’s Defense+ is actually giving debug features to google.exe, even though it doesn’t have any? It must think that google.exe has these privileges, but instead of enabling privileges it is giving it privileges?

btw, what are the “debug privileges”? is it the same thing as “device driver installation” in the Defense+ “process access rights”? Doesn’t CIS and CPF use the same terminology?

What version of CPF are you using?


Hello Copy,

Debug privilege is described here (not that I understand it all):

Limited users should not have debug privilege, but I am running as admin. Guess I will have to re-think that!

I have CPF v3.5.57173.439, firewall only, with Avira Premium AV + Windows Defender. Sometimes WD will detect (and stop) the malware activity as follows:!G&threatid=112717

Most of the time, it slips past WD - another mystery!


I can confirm this behavior. I have a slightly off-stock config of Comodo Firewall: I have added “LocalSecurityAuthority.Debug” under “Pseudo-COM interfaces - Privileges” in “My Protected COM Interfaces”. The given malware sample, when running in the sandbox, triggers, among others, a Comodo Defense+ prompt: “This program is attempting to gain debug privilege”. If debug privilege is allowed, the malware file is written outside of the sandbox. If it is denied, the sandbox functions properly. If Comodo is uninstalled, the sandbox functions properly.

I switched from Zone Alarm (yearly paid) firewall back at Comodo 2.8* (free). I didn’t know a software firewall could be so feature packed.

EDIT: The debug privilege is essentially a privilege that allows a given process to execute a .dll in another process’s address space, or to attach one process to another.

Thank you,

Smart app… umm, I mean: “gee, what an evil program.”

Because I remember having seen CPF asking me if I’d like to allow a program obtaining such privileges waaaaaay back, sort of. But I can’t recall it ever happened under CIS. So I’m still wondering: when you allow debug superpowers, what features (process access rights) in Defense+ do you really allow?

It sounds like there’s more to it than just letting blahablaha.exe inject some code into giberish.exe.

Hmm, that came out wrong. What I mean is… The “Interprocess Memory Access” setting can be allowed (or blocked), for a given program, to access a whole group of applications - yes. But I thought it was something the user had to define (example: C:\windows\system32*) either through “predefined access rules” window, or by defining them right in “Process Access Control”.

But when an application is asking “please, can I inject some code into that specific application’s memory, because it’s been so long since I ever injected anyone with anything, please… pleasepleaseplease…”, it doesn’t sound like “debug privileges” to me (because it can only concern one application at a time). It would seem like one application isn’t going to be enough to debug anything.

I don’t know anything about programming, even though I pretend (haxxors 1337 i pwn j00r n00b), but I imagine bugs often are results of several applications’ inability to get along (be compatible). On the other hand, maybe it has something to do with a main application not being able to get what it expected out of another application? So it injects “hallelujah” into “whatnot?” and it can go about its business? Just like people do sometimes? (no! I am NOT referring to sex)

no? - yes? never mind - it isn’t that important actually, it’s just that… I’ll die outta curiosity if nobody ever tells me what I wanna know. :stuck_out_tongue:

Hi, can you PM me the link.


Hi aigle, I have just PM’ed a rapidshare link to you. Good luck!


I tried it with

1- CIS 3.5.57173.439 and SBIE 3.34

2- CIS 3.5.57173.439 and GW

3- CIS alone

No problems. No leaks on my system.

Hi aigle,

Thanks for all the testing. I hope it wasn’t too much trouble. I uninstalled CPF v3.5 in preparation for installing v3.8. The darn thing escaped SBIE with no Comodo products installed, so apparently it has nothing to do with Comodo.

The only way it won’t escape SBIE on my system is to run it from a LUA. I guess the mods can mark this one SOLVED. :slight_smile: v3.8 runs great - kudos to the Comodo team!