Interesting topic at Kernelmode.info

see: http://www.kernelmode.info/forum/viewtopic.php?f=15&t=1485&start=60#p16657

“As payload it terminates Comodo application from user mode (even without assigning debug privilege) bypassing all Self-Defense. The size of exploit code is ridiculously small. This is amusing bug inside comodo driver. Without comodo driver Windows won’t allow such system call.”

I downloaded the swf demo and ran it in Real Player. It is only 5 seconds long and it does not show that this driver gets terminated.

Another thing I noticed was that the test was done in Virtual Box. Virtual Box was, may still be, known to not be able to handle CIS as it does/did support all functions needed.

If this exploit still stands in VMware or on a live system I would be interested to learn more about it, but the video does not show enough evidence, as far as a video can.

The swf file is much longer, several minutes; try to play it with GomPlayer! Read the whole discussion. In German forums, some people think that Comodo/Egemen knows these weaknesses/bugs already…

I tried Daum Pot Player now and that showed the complete video (I had tried VLC Player before but with no success).

I am not sure if this has been reported before. I don’t immediately recall seeing it but I will let my memory play with it for a bit.

I read

At first it was like

Hehe :slight_smile: what do you want to tell us? :slight_smile:

the discussion on kernelmode goes on again:

Post by EP_X0FF » Wed Nov 21, 2012 9:11 am
Rin's poc became famous :D

Some friend of mine gave me this link today.

https://forums.comodo.com/comodo-intern … ;msg637652

I like this post

“Another things I noticed was that the test was done in Virtual Box. Virtual Box was, may still be, known to not be able to handle CIS as it does/did support all functions needed.”

lolwut? Have you heard - Windows inside Virtual Box is not a correct Windows for Comodo. What functions? Missing SSDT? Maybe it has a totally different set of syscalls? Facepalm.

and

Post by rinn » Wed Nov 21, 2012 1:25 pm
Hi.
EP_X0FF wrote: “Some friend of mine gave me this link today.
https://forums.comodo.com/comodo-intern ... ;msg637652”

I read this topic. If the program is not compatible with VBox emulation then it can be:

  1. Use of x86 architecture bugs or non-emulated instructions (see https://www.virtualbox.org/ticket/1778). Likely they mean this old emulation bug #2496 (VirtualBox causes COMODO Firewall 3.0 AND COMODO Internet Security 3.5 to crash and become unresponsive.) – Oracle VM VirtualBox. Some instructions may not be properly emulated, for example CPU cache invalidation; as I remember this instruction is not properly emulated by all popular virtual machines like bochs, vbox, vmware, vpc.

Obviously all this is not our case - Comodo installs and works pretty well on VBox, including fully working firewall features.

  2. The program can not fully work with emulated hardware.
    This is possible for example with the network part, which my program does not use. All other hardware emulated by VBox is quite common and can cause conflicts only if the program uses it wrongly. Any firewall must follow generally accepted standard interfaces. For me it would be a surprise if it turns out that a product like Comodo is so poorly written that it suffers from incompatibilities with common virtualized hardware.

If we speak about trivial SSDT hooks, they will be the same on a real machine and on a modern virtual one, regardless of what anyone thinks on Comodo forums. And the bug itself won’t disappear just because someone else thinks I use the wrong test environment :wink:

Regarding awareness of Comodo developers about the bug I use: I discovered it accidentally about a year ago while doing commercial penetration testing of other products for a private security firm. I don’t remember, maybe it was Zone Alarm. I tried it with different products and some of them were vulnerable too, including Comodo. The fact is that even after months this bug is still in Comodo and they seem to be unaware of it. If they were really interested in stable and correctly written software they would never have used such approaches as are used now. So I did a proof-of-concept and I honestly don’t care about Comodo’s future actions. All required details are already posted, of course if they are not completely dumb, like they were aware about the copy-and-paste of their driver code.

Best Regards,
-rin

Pity that no one is really interested in this bug here …

Who says that no one is?

(My little fun add-in has been aimed at the fact that some malware “GAMES/VIDEOS/…” just don’t do what they are supposed to do… and the user might be tempted to disable several security layers to get it to run :wink: )

Maybe I am wrong, so you want to say that in this video the tester has disabled security layers?

I don’t believe so …

But maybe I have not really understood you, sorry.

“2. The program can not fully work with emulated hardware. This is possible for example with the network part, which my program does not use. All other hardware emulated by VBox is quite common and can cause conflicts only if the program uses it wrongly.”
This is turning the world upside down. A virtual machine's job is to emulate an OS completely. It is not an application's job to adapt to an incomplete implementation of a virtual machine.
“Any firewall must follow generally accepted standard interfaces. For me it would be a surprise if it turns out that a product like Comodo is so poorly written that it suffers from incompatibilities with common virtualized hardware.”
Same comment here.

You asked me what I was trying to say with my video.
EricJH posted that he had loaded the swf demo… and it was running 5 seconds… etc… And that reminds me of the experience of some people who loaded an “awesome tool”, but it didn’t work, so they disabled the antivirus to make it work. But it didn’t work. So they disabled the firewall. Didn’t work. So they loaded an “enhancer tool”… But that doesn’t work as supposed, too.
Later they are venting towards the firewall/antivirus producer, “what a fail their program is”, when the tools are detected as a virus.
Or they vent towards a service, because the security of the service must be terribly unsafe… look ima get hackzed outa my passw0rds… it is your fault!

Well, this is a sad story. And long. The video was shorter and more fun :smiley:

I am still hoping a statement comes from the Comodo Team ( @egemen, @Melih, @Support) on these weaknesses of CIS.

In another topic ( see https://forums.comodo.com/news-announcements-feedback-cis/cis-fails-against-a-script-t88594.0.html ) they are talking about weaknesses too. But it seems that the Comodo team closes their eyes. That’s a pity.

The problem is not to get this poc, script, malware-file … the problem is to solve the weaknesses of the CIS Software.

So it would be helpful to know about the plans of the Comodo team for how to handle these weaknesses in the future. Some weaknesses have been well known for a few years …

To know what is happening Comodo will need the PoC for testing. I hope somebody is able to provide it.

Hi EricJH, at first - thank you for your response.

Hmm, but I have another opinion of PoC. For me PoC is not only to get the script or malware-file.

It seems that some weaknesses of the CIS Software are well known already. - See Kernelmode, it’s documented. And you can read about it in some other forums too.

And the User rinn from Kernelmode forum says that he gave Comodo the PoC already…

“Regarding awareness of Comodo developers about the bug I use: I discovered it accidentally about a year ago while doing commercial penetration testing of other products for a private security firm. I don't remember, maybe it was Zone Alarm. I tried it with different products and some of them were vulnerable too, including Comodo. The fact is that even after months this bug is still in Comodo and they seem to be unaware of it. If they were really interested in stable and correctly written software they would never have used such approaches as are used now. So I did a proof-of-concept and I honestly don't care about Comodo's future actions. All required details are already posted, of course if they are not completely dumb, like they were aware about the copy-and-paste of their driver code.

Best Regards,
-rin”

I think Egemen is smart enough that he knows what I am speaking about and that he knows about the weaknesses of the CIS Software.

For me, all that is positive criticism and I hope Comodo will make the best of it.

It is a common practice to provide a poc for testing so I am not surprised egemen asked for a poc in the other topic.

“And the User rinn from Kernelmode forum says that he gave Comodo the PoC already...”

“I think Egemen is smart enough that he knows what I am speaking about and that he knows about the weaknesses of the CIS Software.”

“For me, all that is positive criticism and I hope Comodo will make the best of it.”

The following may be nitpicking but when I read the second quote closely it is not stated that the poc was actually sent to Comodo. It is stated there was one made.

He may have sent the poc for all I know but since I only have the text to go by (I am not a developer or programmer) I tend to stay critical of what has been written.

If there is a vulnerability it needs to be reported to Comodo and fixed, and the person who found the vulnerability will be given the props, as egemen stated in the other topic you are referencing: