Interpreters are recognized only by their names [M1409]

A. THE BUG/ISSUE (Varies from issue to issue)

Can you reproduce the problem & if so how reliably?:
Yes, every time.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

  1. Create any executable file.

  2. Name it as an interpreter: wscript.exe, mshta.exe, java.exe etc.

  3. Execute it, passing the path to another file on the command line. E.g.:

wscript.exe %windir%\notepad.exe

  4. Open the “Active Process List” and notice that the executing program is taken for another file

One or two sentences explaining what actually happened:
This is a critical fail of “Heur Cmd-Line Analysis”. Through this fail any program can be granted privileges of the other.

It is the simplest way to bypass Comodo firewall!!!

The program doing that is attached to the post.

One or two sentences explaining what you expected to happen:
NA

If a software compatibility problem have you tried the advice to make programs work with CIS?:
NA

Any software except CIS/OS involved? If so - name, & exact version:
NA

Any other information, eg your guess at the cause, how you tried to fix it etc:

I had tried to allow executing interpreters only by their paths, e.g.:
“HIPS rules” > “All applications” > “Run an executable”

“Allow”: “%PROGRAMFILES%\Java\jre8\bin\java.exe”
“Block”: “*\java.exe”
etc.

But it doesn’t work in the virtual space. Some malicious file can substitute for the file “%PROGRAMFILES%\Java\jre8\bin\java.exe” virtually. So in the virtual space this file can be executed.

B. YOUR SETUP
Exact CIS version & configuration:
CIS 8.0.0.4344
Configuration: Proactive Security

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Antivirus:
Stateful
“Do not show antivirus alerts”: disabled

HIPS:
Safe Mode
“Create rules for safe applications”: disabled

Auto-Sandbox: Enabled, default rule set
Firewall: Safe Mode

Have you made any other changes to the default config? (egs here.):
No changes

Have you updated (without uninstall) from CIS 5 or CIS6?:
No

Have you imported a config from a previous version of CIS:
No

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Win7x64SP1 (VMware), Admin, UAC is enabled

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None b=None

[attachment deleted by admin]

This is a very interesting bug. Can you please attach your KillSwitch Process List (instructions on how to do that provided here)

Done.

[attachment deleted by admin]

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Just thinking out loud. Isn’t the problem with the default Firewall settings, which will quietly allow outgoing traffic, rather than with privilege escalation?

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

Hello

This is not fixed.

CIS 8.1.0.4426
Configuration: Proactive Security
Win7x64SP1 (VMware), Admin, UAC is enabled

[attachment deleted by admin]

Thanks, I have updated the tracker.

This bug is partially fixed for the version CIS 8.2.0.4474 beta, but not completely.
This bug appears when a malicious program substitutes for an interpreter in the virtual space. Such a malicious program can be taken for another file. If that file has access to the internet, then the malicious program obtains access to the internet too.

  1. Create a firewall rule to allow internet for some script or jar-file etc.
    E.g.: %USERPROFILE%\Desktop\toonel.jar

  2. Create any executable file, e.g.:
    %USERPROFILE%\Desktop\test.exe

  3. Run command prompt “cmd.exe” virtually

  4. Execute virtually the command:
    copy %USERPROFILE%\Desktop\test.exe %WINDIR%\system32\mshta.exe /y

(or “copy %USERPROFILE%\Desktop\test.exe %WINDIR%\hh.exe /y”, or “copy %USERPROFILE%\Desktop\test.exe %WINDIR%\system32\msiexec.exe /y” etc.)

  5. Execute virtually the command:
    %WINDIR%\system32\mshta.exe %USERPROFILE%\Desktop\toonel.jar

  6. Take notice: the program “c:\VTRoot\HarddiskVolume1\Windows\System32\mshta.exe” is taken for the file “toonel.jar” and has access to the internet.

The firewall of CIS 8.2.0.4474 beta can be bypassed even without any permissions for scripts or jar-files.
I have attached an example doing that: “Test2 - Comodo Firewall bypassing.zip”

[attachment deleted by admin]
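The two scenarios in this thread (a renamed binary outside the sandbox, and a copy dropped over mshta.exe inside the virtual space) come down to how the identity of a process is resolved before a rule is matched. The following is an added illustration, not CIS code: a name-only resolver of the kind the report describes beside a path-anchored one. The canonical interpreter paths, the VTRoot prefix handling and the allow-list are constructed assumptions for the example.

```python
import ntpath

# Constructed for this example: canonical locations of the interpreters named
# in the report. A real product would also verify the file's signature/hash.
TRUSTED_INTERPRETERS = {
    "wscript.exe": {r"c:\windows\system32\wscript.exe"},
    "mshta.exe": {r"c:\windows\system32\mshta.exe"},
    "java.exe": {r"c:\program files\java\jre8\bin\java.exe"},
}

# Prefix under which the sandbox materialises virtualized files (as seen in
# the report's process list). Assumed constant for the example.
SANDBOX_ROOT = "c:\\vtroot\\"


def _norm(path):
    return ntpath.normpath(path).lower()


def flawed_effective_target(image_path, argv):
    """Name-only heuristic: any image whose basename matches an interpreter
    is treated as if it were executing its first command-line argument."""
    if ntpath.basename(image_path).lower() in TRUSTED_INTERPRETERS and argv:
        return _norm(argv[0])
    return _norm(image_path)


def hardened_effective_target(image_path, argv):
    """Only a genuine interpreter, loaded from its canonical, non-virtualized
    path, delegates its identity to the script it runs."""
    path = _norm(image_path)
    if path.startswith(SANDBOX_ROOT):
        return path  # a copy living in the virtual space is not the real binary
    canonical = TRUSTED_INTERPRETERS.get(ntpath.basename(path), set())
    if path in canonical and argv:
        return _norm(argv[0])
    return path


def firewall_verdict(image_path, argv, allowed_targets, resolver):
    """Return 'allow' when the resolved target has an allow rule, else 'ask'.
    `allowed_targets` plays the role of per-file firewall rules."""
    target = resolver(image_path, argv)
    return "allow" if target in {_norm(p) for p in allowed_targets} else "ask"
```

With the flawed resolver, a file on the desktop named mshta.exe or the VTRoot copy inherits the jar's allow rule; with the hardened one, only the genuine system32 binary does.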

Thanks, kibinimatik. I’ve updated the tracker data: marked as ‘not fixed’ in the mentioned version, linked additional information.

Thanks again.