Volunteers needed to test existing personal firewalls against new CPIL3 !

Hi guys,

We have created a new leak test called CPIL3 which uses a new technique to bypass personal firewalls. In our tests all firewalls have failed against this new test. We are going to release another BETA strengthened against this threat. Before making the test public, we need to make sure our users are safe. So currently, fellow members of Comodo forum, i.e. members having the rank “Comodo’s Hero” can access it.

If you would like to test CPIL3, please send a PM to me with your email address so that we can send the test.

Thanks,
Egemen

The latest CPF beta seems to stop the injection.

I get a popup with the exe and dll in it. It mentions that explorer.exe is using a global hook. Of course I deny the request.

From the output of CPIL3 itself it says that the injection was successful. This is prior to opening up my browser, or trying to, in my case. Is an injection of this sort something that an AV program or malware program should detect and thus not even allow the injection to take place? Or are injections a normal and common sort of thing?

Sometimes it should fail because of a bug. That bug also affects CPF 2.2 which is supposed to pass this test too.

Egemen

egemen, I added something to my previous post that you might have missed since you were replying when I was modifying.

Let's not discuss these yet. Let's keep our discussions private until CPIL3 is made public because a new malware can evolve rapidly.

Please do not disclose the test results for other personal firewalls either. Use PM for all correspondence.

Thanks,
Egemen

OK. Maybe you should lock this thread then.

Egemen on mine it fails. :cry:

I have as default browser opera 9.0
It does not warn at all


After 20 tests with explorer, firefox and opera here are the results:

  1. With “Automatically approve safe applications” on (10 tests):
    Opera → failed
    Firefox → failed
    IE → failed
  2. With “Automatically approve safe applications” off (10 tests):
    Opera → failed
    Firefox → failed
    IE → succeeded the first test, but failed the other 9

Tried multiple runs like pandlouk. Ten consecutive runs resulted in CPF beta blocking it successfully each time using IE6.

I think if you set component monitor ON, it should always detect. Nonetheless, we classify those versions as failed.

Can you please try with CPF 2.2 stable version? It must pass independent of the bug it has. BETA versions have this vulnerability. If stable version passes in your tests, then our users will be safe and we can publish the leak test.

Thanks,

For BETA releases, try to test with Component Monitor is ON pls.

Egemen I did as you said.

  1. Stable version with default settings → 100% success with all 3 browsers (5 tests for each browser)

  2. Beta version with “C.M.” on → 100% success with all 3 browsers (5 tests for each browser)

Release it. The Dragon protects us ;D
(B) (S) (R)

ps. With the beta with “C.M.” on, at reboot it failed to load-read the “Application Monitor from registry”. It was “error 6” or 16 (I don’t remember :-\ ). It happened twice.

Melih please check this link

It reveals my internal IP. How come this happens?

It has to do with java but how can I fix it?

Egemen do you know if it can be fixed. I have not found any tweaks at the java panel that fixes it. Is it possible to block such data of the browser header with CPF or with the router?

Same here :frowning:
It’s very, very bad :o

It is my understanding that the world knowing your Internal IP address is not a security breach. Just as knowing your ‘real’ IP is no big deal.

Am I correct about this? If not, someone more knowledgeable than myself please enlighten me. :slight_smile:

I agree with streetwolf, knowing your internal IP addy will not help anybody trying to gain access to your system. AFAIK they can’t reference it in the way owner can anyway. After all, there are probably hundreds of thousands, if not millions, of systems with the very same internal IP address.

Tested CPIL3 with the following settings :

Default Browser : AMBrowser (IE wrapper - like Maxthon)
CPF Version : 2.3.1.20
Component Monitor : ON

Result : Firewall dialogue popped up allowing me to block it, but if I delayed in responding an IE window opened to the Comodo site saying the firewall had failed. It displayed the test I entered in the CPIL3 window, minus the first character. This “minus the first character” trait is repeatable.

If the above settings were used with Component Monitor set to “Learning”, it failed without a dialogue.

Rgds,
Ewen :slight_smile:

Hi guys,

Those sites harvest data from browser headers. There are many headers that a browser can send while you browse the internet. HOST, REFERER, etc. Those headers can be used to learn about your browsing habits like “How you are referred to a site” etc. So it is about privacy. No direct security risk or breach.

Has anybody tested other firewalls? If so, from now on we can talk about it.

Thx,
Egemen

checkpoints firewall1 hardware firewall fails. I'll have the firmware revision and update level on monday for you

agnitum outlook fails
wyveryworks personal firewall 2004 fails

ewen -)

ewen