Memory Firewall has security flaws!

al6 · April 28, 2009, 12:20pm

Tjena…

Im currently developing a Swedish version of the Comodo BO Tester in order to learn more about security exploits and such. One thing tough; im not able to get warnings from Memory Firewall at all. I am explicitly creating a stack buffer overflow which overwrites the return address and then executes a small shellcode on the stack that jumps back to the code segment and returns the code 13 (as in bad luck ;)).

If I change the Data Execution Prevention settings to OptOut a.k.a “force everything to use DEP”, the exploit is stopped by Windows. However, Memory Firewall does not seem to care at all, even if DEP is turned off.

The exploit should not be able to return the number 13, it should be closed by either DEP or Memory Firewall. Obviously my BO Tester is not recognized as a big enough threat but then what should i do to make Memory Firewall stop it?

Im posting the source code of my BO Tester here:

/* STACK BUFFER OVERFLOW EXPLOITION TEST
1. Overflow stack buffer
2. Execute code in stack buffer
3. Return code 13 */

#include <windows.h>

//return code 13
void exploited()
{
	ExitProcess(13);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	//Allocate on stack and initialize with shellcode "jmp eax"
	volatile int buffer[32] = {0xe0ff};
	//Overflow buffer with address of buffer
	for(int i = 1; i < 64; i++)
		buffer[i] = (int) buffer;
	//Set eax to address of exploited
	__asm
	{
		mov eax, exploited
	}
	//Return to buffer and execute "jmp eax" from the stack
}

LeoniAquila · April 28, 2009, 12:28pm

Hi and welcome al6.

I’m just posting in this thread so I can easily monitor the answers here, as you’re doing some interesting testing.

al6 · April 28, 2009, 3:58pm

This thread will need the help from the developers of Memory Firewall.

Citizen_K · April 28, 2009, 6:01pm

Are you using Memory Firewall alongside with CIS 3.8? CIS3.8 has memory firewall integrated. May be the two of them bite?

JoWa · April 28, 2009, 6:12pm

CIS 3.9 RC1 gives no BO alert. The attachment shows the result. (sårbart = vulnerable)

[attachment deleted by admin]

al6 · April 28, 2009, 8:39pm

The problem is simple; Memory Firewall doesn’t stop me from exploiting a buffer overflow. Im only using COMODO Memory Firewall 2.0.4.20. May i speak with the creators?

Är det omöjligt att få kontakt med grabbarna eller vad?

LeoniAquila · April 28, 2009, 8:53pm

Easy, it may take a while for them to see this.

JoWa · April 30, 2009, 10:53pm

New version of al6’s BO Tester, new result…

[attachment deleted by admin]

al6 · May 1, 2009, 3:16pm

This thread is very important, there is a serious mistake in Memory Firewall!

Memory Firewall is only detecting calls to ShellExecute, WinExec and so on, but it’s not detecting calls to the standard C system() call. This is a serious security flaw since system() can do everything that ShellExecute can do. I want some developers in this thread.

Im not using Memory Firewall since i found out that it’s useless, also, DEP and ASLR is a better way to protect your system since it does not need the “black list” of calls becaue everything is stopped.

LeoniAquila · May 2, 2009, 10:30am

I’ve tried to get attention from some developer, let’s hope for a comment.

By the way, CMF has not been updated in a long time. AFAIK the stand alone CMF has been discontinued. Have you considered performing these tests on the CMF part of CIS, which is much newer?

Citizen_K · May 3, 2009, 9:21pm

If I recall correctly CMF only protects to 3 out of 6 possible buffer overflow types. I tried the test on 3.9 RC2 and had three alerts about buffer overflow and terminated them and passed the test.