Someone discovered a Partial Bypass of CIS in sandbox in default configuration

Someone figured out a way to bypass Comodo… it doesn’t look like they’ve disclosed the actual vector but did release a POC video… can this be stopped?

POC video:

I consider Comodo Internet Security a leader in preventing malicious attacks. Their default Internet security suite includes a firewall, anti-virus, Defense+ (a host intrusion prevention system), and a Sandbox (which runs suspicious programs in a virtual or limited environment).

See this video on Comodo’s approach as a DEFAULT-DENY system to unknown files: “What Makes Comodo’s Technology Superior?” (Comodo Blogs). As CEO Melih Abdulhayoglu explains, with Comodo’s sandbox, “your system is always safe and secure.”

Sorry Melih. I’ve successfully found an (undisclosed) vector that will bypass all aspects of Comodo Internet Security (including the sandbox) and allow an attacker to gain access to the NT AUTHORITY\SYSTEM account (the highest possible level of permissions) on a compromised machine without tripping a single alert.

I have not yet had a chance to test this on any other security suites but I assume that it would be at least somewhat effective. This just reiterates the reality that there is no such thing as a single magic bullet security solution, and it emphasizes the importance of layering security best practices.

Major problem: he is running VirtualBox, not a real system or at least VMware. In VirtualBox CIS does not work right and cannot protect like it should.

Do you have any research to back up that statement? I’ve run Comodo in VMware and it works exactly the same as on physical systems. I’m kind of freaked out about this, so if you have some proof that that statement is true I’d really appreciate a link.

The VirtualBox forums claim Comodo works perfectly fine:

Egemen told us during the v5 beta not to use VirtualBox because it doesn’t work correctly, something about a vector problem.

It’s been widely acknowledged on these forums, including by the head developer Egemen, that the limits of VirtualBox prevent CIS from fully protecting the system. That’s not to say that there isn’t an issue here, but it does open up some doubt until the POC is disclosed.

Hi guys, the author just emailed me back and told me he has confirmed this bypass works on physical machines (he developed and tested it on a physical machine and used virtualization for the demo). Apparently someone else also emailed him because he said he plans to update the site shortly… I guess we’ll have to stay tuned :-\

I just emailed him for clarification so you beat me to it. ;D

At least we have something to work with now.

Here’s the problem:

The website of the POC video you’re talking about, this is what it shows (it looks like they’re trying to sell an exploit), if it really is an exploit??

YOU select a package. All that's required from you is 5 minutes of your time. Simply enter your site's URL and select a web application security testing package that meets your site's needs. Click "Step 2" to read more! Estimated Time: 5 minutes

Get started!

WE review your site and respond with payment instructions.
We will get back to you within 24 hours with a Google Checkout invoice that you can pay online. Click “Step 3” to read more!
Estimated Time: 24 hours

Get started!

WE test your web site and give YOU a detailed report.
Once the assessment is complete, we’ll send you a report with detailed findings as well as remediation instructions. Click “GET STARTED” to sign up now!
Estimated Time:

If all they’re doing is offering a penetration testing service it seems ok to me.

If all they're doing is offering a penetration testing service it seems ok to me.
I'm just pointing out what I see

If they’re offering a service, this is where they should go

I’ve liaised with Brian, the author of this POC, and he’s said that he’ll comment here later on.

My impression is that he’s one of the good guys and there’s no chance of his exploit “going wild”. However, it does open up some questions that might well need addressing by the devs.

He did say that this was tested on a default configuration CIS and “partially limited” sandbox, so it might just be a case of hardening those rules.

I’m curious how this would get on the system.

Perhaps there is some protection in that respect. Either way, it appears this is a problem, especially if it can bypass CIS with the sandbox set to untrusted.

Has anyone gotten a response about having it tested with a different configuration?

I’d be very interested to know how the exploit works.

On the other hand, it’s quite hard to take him seriously. Not until he removes the ridiculous music from the video. What does he think this is? >:-D

The internet. 8)

Hi guys,

It’s Brian Sax, the author of the video.

Here are a couple of points of interest that will hopefully clear some things up.

  1. We are professional penetration testers and security researchers that try to treat our clients’ web pages and networks just like a hacker would (sort of the Tiger Team approach).

  2. I developed this on Win7 64-bit and tested/confirmed it works on 64-bit Comodo. I have also just tested this on a WinXP 32-bit laptop as well as the VirtualBox Win XP 32-bit host in the video.

  3. This was ONLY tested on the default out of the box configuration and no settings were changed.

  4. I can’t release any technical details or the payload.exe as this bypass is of intellectual value to me and allows us to perform bypasses in ethical penetration tests we do for clients - (i.e. if we can do it, hackers can too so it’s important we can penetrate systems and networks in the same way).

  5. The purpose of releasing this was to reiterate the importance of multiple layers of security to our clients and to serve as advertising. It definitely wasn’t intended to be a shot at Comodo, as I consider this suite to be top notch; it was, like I just said, a shot at the existence of “magic bullet” solutions for desktop security.

I can tell that you guys are concerned about your own personal security and I am all for that, so here’s what I can offer:

I’ll test a couple different configurations of settings (either export them from Comodo or provide step by step instructions) and then I will re-run the payload vs those settings and give you the results. Does that sound fair?
Thanks for your response here Brian.

Could you try running this POC under the Proactive Security configuration? Also with the higher security sandbox settings if possible, thanks Andy.

That’s definitely not in the hacker spirit (hacker in the traditional good sense). If this is just advertising I suggest you stop bothering us, because some people actually like to learn things and fix things. Have a good day/night.

A white-hat hacker will release his exploit to the company to help them fix it. Comodo has always wanted people to help them improve security and I am sure they would even reward you for your work. But if you don’t want to release your code to Comodo, then you are here to do no good.

:-TU wj32 :-TU languy99

Having the sandbox set to Untrusted or Blocked, what would that do with regards to this test? I know Partially Limited does allow some changes, like dropped files.