D+ allows Ret2Libc attack by 64-bit apps

Comodo Internet Security - CIS News / Announcements / Feedback - CIS
1


http://img132.imageshack.us/img132/4514/comodobotesterresultssu.png

Tested on Windows 7 Ultimate x64 with Comodo Internet Security v4.1.19277.920.
In the Image Execution Control Settings menu/General tab, “Detect shellcode injections (i.e. Buffer overflow protection)” option was checked.

Downloaded the 64-bit Comodo BO Tester application from:
https://forums.comodo.com/comodo_memory_firewall_beta_corner/buffer_overflow_testing_application-t12541.0.html

Had to run as administrator or it would not run.
The Defense+ pop-up occurred when testing 32-bit app protection.
When testing 64-bit app protection, the following pop-up occurred:

http://img207.imageshack.us/img207/1422/comodobotester64bitresu.png

I assume this pop-up and protection is provided by Windows DEP.

Would someone please report the results for CIS v5.0?

These results suggest that Defense+ fails to provide Ret2Libc-type buffer overflow protection for 64-bit apps that handle content from the internet (internet browser, email client, multimedia player, etc.). Is this failure due to Windows’ 64-bit PatchGuard (KPP) preventing full security by Defense+?

2

I ran the test and got the same as you, I have the latest v5 running in default config.

3

Some (long) time ago egemen told me that they are aware of this.
Ret2Libc protection for x64 apps would produce to many FPs, he said.

It seems like this issue doesn’t have any priority at all…

4

Why has this topic been moved to this place?
It’s not a bug or help request, it’s a feedback that Comodo doesn’t pass its own leaktest…

5

Moved back on second thought after request.

I looked up egemen’s quote on this:

6
Yes, We have disabled it in Vista64 on 64 bit processes becauxe of thre significant number of false alerts. It will be reintroduced once the problem is solved.

Is the problem solved? Will it be re-introduced in 5.3?

Thanks,
Harsha.