Exploit uses trusted browser to leak data to net when FV [M59]

A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, I can reproduce this every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    Change the configuration to Proactive. This should make sure the Firewall is at maximum settings.

Then, downloaded the leaktest from this page. When Right click on it and select the option to “Run in COMODO Sandbox”. If this is done you get no Firewall alert. The leaktest is able to successfully bypass the Firewall and transmit your information to the internet.

On my computer the default browser was Comodo Dragon. Thus, the exploit automatically opened the test window in Comodo Dragon. Note that this happens even if Comodo Dragon is not open either on the real computer or in the FV Sandbox. (I do not believe that this exploit is specific to Comodo Dragon, but as I have not personally tested it with other browsers I am noting this).

This is especially worrisome as it is currently also possible for keyloggers running in the FV Sandbox to log information from the real computer, as detailed in this bug report.

By the way, a discussion about this leaktest (under various BB settings on the real computer) can be found here.

  • If not obvious, what U expected to happen:
    There should be some way for the user to prevent sandboxed applications from being able to transmit collected information to the internet.
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Perhaps the Firewall component is not yet working correctly inside the FV Sandbox. Either way, there has to be a way to block this vulnerability or many people will continue to be wary about using the FV sandbox.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
    I have attached the diagnostics and KillSwitch Process dump. Please let me know if other attachments would be helpful.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
[ol]- Exact CIS version & configuration:
CIS version 6.1.275152.2801
Proactive Configuration

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    The only change I made was that I switched from the default configuration to proactive (and yes, I did restart the computer after making the change)
  • Have U made any other changes to the default config? (egs here.):
    The only change I made was that I switched from the default configuration to proactive (and yes, I did restart the computer after making the change)
  • Have U updated (without uninstall) from a CIS 5?:
    No, this was a clean install.
    [li]if so, have U tried a a clean reinstall - if not please do?:
    [/li]- Have U imported a config from a previous version of CIS:
    [li]if so, have U tried a standard config - if not please do:
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x64 (fully updated), UAC disabled, Real System, run as administrator.
  • Other security/s’box software a) currently installed b) installed since OS:

[attachment deleted by admin]

Thanks for an excellent bug report Chiron

Could you add:

  • what browser it used
  • whether that browser has to be open for the exploit to work

Devs - this is related to M59, but I will probably create a separate record as I understand the exploit may succeed without alerts with more browsers etc - ie basically under more circumstances - in the sandbox

Thank you.

I have added the requested information in my first post. Please let me know if there is anything else which you would like to see added.

Looking at this again I think that it’s the same as M59, would you agree? One in, one out of sandbox but the same vulnerability?

Meanwhile, forwarding as we don’t have a full formatted report for M59

So thanks :slight_smile:

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again


This is still not fixed with CIS version 6.1.276867.2813.

Tracker updated, thanks.

This is still not fixed with CIS version 6.2.282872.2847.

Upon further review, Comodo has classified this as a possible enhancement.

I have thus moved this to the Wishlist.

strange idea of not a bug…

This one was fixed with version 10, actually.