FV Sandbox Bypass to Create Service [M760]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    a: Install CAV on a fresh Windows 7 machine using the latest installer. We have used cav_installer_3264_29.exe.
    b: CAV, Geek Buddy, and Dragon were installed. Don't reboot after installation.
    c: Copy the PoC folder to the system at any home directory location. We used the desktop location.
    d: Run the CIS.exe present in the PoC in the sandbox (right-click and choose Run in Sandbox).
    e: A UAC request will appear with the Comodo certificate.
    f: Press YES.
    g: A service with the name ComodoPoc will be created on the real computer, not in the FV sandbox. The service is not sandboxed.

Without the sandbox:
a: If the same PoC cis.exe is run without the sandbox, then a registry entry at HKCU\Software\Microsoft\CurrentVersion\Run\ComodoPoc will be created.
b: A service named ComodoPoc will be created.

Interestingly, when run in the sandbox the HKCU entry was not created, but the service was.

  • If not obvious, what U expected to happen:
    A service should not be created.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    No
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    The following vulnerabilities exist:
  1. Load-order vulnerability in cis.exe while loading cmdhost.dll
  2. No error check or integrity check is performed on cmdhost.dll while loading it from the current location
  3. While running CIS.exe in the sandbox, some vulnerability exists which allowed service creation but stalled the normal registry addition

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration:
    CAV 6.3.39542.2974, Product version: 6.3.301686.2974

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    All
  • Have U made any other changes to the default config? (egs here.):
    No
  • Have U updated (without uninstall) from a CIS 5?:
    No
    - if so, have U tried a clean reinstall - if not please do?:
      NA
  • Have U imported a config from a previous version of CIS:
    No
    - if so, have U tried a standard config - if not please do:
      NA
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 Ultimate Service Pack 1, 32-bit, UAC=on, admin, VM used: VMware
  • Other security/s’box software a) currently installed b) installed since OS: a=None b=None

Also, as a note for the devs, if this vulnerability is confirmed and fixed, this user would ask that their contribution be acknowledged in the release notes.
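The two findings in the report (a DLL loaded from the application's own directory without an integrity check, and a service ending up on the real host) each have a straightforward defensive counterpart. The script below is an added example, not code from the reporter, from the PoC, or from Comodo: the first function is the kind of integrity check a loader should apply before picking up a DLL from its own directory (verify that the DLL carries a valid Authenticode signature from the same publisher as the executable), and the second pulls service-installation events (System log, event ID 7045) for a recent window and applies the same signature check to each service binary, so an unexpected, unsigned service such as the one described above shows up on the host. The install path, DLL name and time window are assumptions; the event data field names (ServiceName, ImagePath) are those the Service Control Manager writes for event 7045.

```powershell
# Added example (not Comodo's or the reporter's code).
# Assumed inputs: the installed executable path and the DLL name it loads.

function Test-LoadedDllIntegrity {
    param(
        [Parameter(Mandatory)] [string] $ExePath,   # assumption: path of the signed executable
        [Parameter(Mandatory)] [string] $DllName    # assumption: DLL name, e.g. 'cmdhost.dll'
    )
    $exeSig  = Get-AuthenticodeSignature -FilePath $ExePath
    $dllPath = Join-Path (Split-Path -Parent $ExePath) $DllName

    if (-not (Test-Path $dllPath)) {
        # Nothing beside the executable: the default search order falls through to
        # the system directory, which is the safe case for this check.
        return [pscustomobject]@{ Dll = $DllName; Present = $false; Trusted = $true
                                  Reason = 'not present in application directory' }
    }

    $dllSig = Get-AuthenticodeSignature -FilePath $dllPath
    if ($dllSig.Status -ne 'Valid') {
        $trusted = $false; $reason = "signature status is $($dllSig.Status)"
    } elseif ($dllSig.SignerCertificate.Subject -ne $exeSig.SignerCertificate.Subject) {
        # Valid, but signed by a different publisher than the executable itself.
        $trusted = $false; $reason = "signed by '$($dllSig.SignerCertificate.Subject)', not the executable's publisher"
    } else {
        $trusted = $true;  $reason = 'validly signed by the same publisher as the executable'
    }
    [pscustomobject]@{ Dll = $DllName; Present = $true; Trusted = $trusted; Reason = $reason }
}

function Get-RecentServiceInstalls {
    param([int] $Hours = 24)   # assumption: look back 24 hours by default

    # Event 7045 is written by the Service Control Manager when a service is installed.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml] $e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ImagePath may be quoted and may carry arguments; keep only the executable path.
        $image = $data['ImagePath'] -replace '^"([^"]+)".*$', '$1'
        $image = $image -replace '^(\S+\.exe).*$', '$1'
        $sigStatus = if (Test-Path $image) { (Get-AuthenticodeSignature -FilePath $image).Status }
                     else { 'FileNotFound' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            Signature   = $sigStatus
        }
    }
}

# Usage (paths are assumptions):
Test-LoadedDllIntegrity -ExePath 'C:\Program Files\COMODO\COMODO Internet Security\cis.exe' -DllName 'cmdhost.dll'
Get-RecentServiceInstalls -Hours 24 |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

The DLL check compares the certificate subject rather than the thumbprint so that a publisher's routine certificate renewal does not break it; a stricter deployment can pin the thumbprint instead. On the application side the equivalent mitigation is to load the DLL through LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 (or SetDefaultDllDirectories) so that a copy placed next to the executable is never consulted, and to verify the file with WinVerifyTrust before loading when it genuinely must come from the application directory.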

I edited your above post so that it is in the correct format. For future reference, just copy and paste the code. Then put your answer after the colons so that it looks like what is above. Also, please look over the report and make sure that I have not incorrectly altered some fields.

In addition to that I have a few questions. The first is about the created service with the ComodoPoc Name. Is this service created on the real computer or in the FV sandbox? If it shows up on the real computer does it remain even after the Sandbox is reset?

Also, in your steps you say you installed CIS 6.0, but your version says 6.3. Was that supposed to read 6.3?
Also, you say that you used the CAV installer. Did you also install the Firewall component, or is that missing?

PM reminder sent.

All the updates you have done are correct.

With respect to your questions here are the clarifications:

  1. The service was created on the real machine.
  2. The exact version I gave, 6.3.39542.2974, is correct, i.e. CIS 6.3 only.
  3. I have installed only CAV, no firewall component. Will it make any difference in the working of the sandbox?

Thank you. I have updated the report with this information.

Thanks. And no, it shouldn’t make any difference in the working of the sandbox. I just wanted to resolve the discrepancy, just in case.

Also, I noticed that you said you didn’t restart after the installation. Is the result any different after restarting?
In addition, I still have not received a PM from you with the download link. Please send this to me.

Thank you.

I didn't check after a reboot. I received a mail asking for the PoC from andrey.vasilyev@comodo.com. I have sent the PoC as a mail attachment to andrey.vasilyev@comodo.com. That's why I didn't send a PM; I thought it had already reached the devs. Do you still need the link to the PoC? If so, I can send it.

Although one of the staff from Comodo already has it, I think it would be helpful to be able to attach it to the post in the tracker which I will be creating for this. Meanwhile, as I wait for your PM, I will move this to format verified and add it to the tracker.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Can you please check and see if this is fixed with the newest version (7.0.313494.4115)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Thank you.

PM sent.

The issue is fixed. But Comodo will acknowledge our name in any of the Comodo public forums or support sites. I said at the very beginning that we would be interested in getting such public acknowledgements.

-Babloo

Thank you for checking this. I have marked this as Fixed in the tracker and will move this report to Resolved.

Also, I am currently working to figure out who to contact about getting a public acknowledgment in the release notes. If I do not respond again within a few days reply to this post and I will check again.

Thanks.

Did you find out a way to get public acknowledgement for the bug I submitted?

-Babloo

I have contacted the head of QA about this and they have said that they would be happy to do this. However, my understanding is that there is currently no system in place for this sort of recognition between departments and that therefore, as this is a new type of request, it is possible that during the chaos that precedes a new release this request may be lost.

I hope that this reply helps shed a little light on the situation. Please feel free to contact me if you have any further questions.

Thanks.

From your reply I understand that it's unlikely the acknowledgement gets added to the release notes!!!

Anyway, if that does happen, drop me a mail or personal message so that I will not miss it…

But it's sad that such a system is not in place at Comodo :embarassed:

-Babloo

I will try to remember to contact you. However, I cannot guarantee that I will remember that either. I think the best advice would be for you to periodically keep an eye on the main News board. When a new version is released a new topic will be created there. Thus, if you chose to enable notifications for new topics created in that board (and just ignored any which weren’t release topics) you could easily find out if a new version was released. If you have any questions about how to do that please feel free to ask.

Thank you.