Vulnerability in Comodo Firewall Pro 2.4.16.174

I kindly ask you to solve a problem! Please look at the next message.

Date: 01.02.2007
Subject: [Full-disclosure] Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability

Hello,

We would like to inform you about a vulnerability in Comodo Firewall Pro.

Description:

Comodo Firewall Pro (formerly Comodo Personal Firewall) hooks many functions in SSDT and in at least seven cases it fails
to validate arguments that come from the user mode. User calls to NtConnectPort (CFP 2.4.16.174 is not affected),
NtCreatePort (CFP 2.4.16.174 is not affected), NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread and
NtSetValueKey with invalid argument values can cause system crashes because of errors in CFP driver cmdmon.sys. Further
impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.

Vulnerable software:

* Comodo Firewall Pro 2.4.16.174 
* Comodo Personal Firewall 2.3.6.81 
* probably all older versions of Comodo Personal Firewall 2 
* possibly older versions of Comodo Personal Firewall 

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php *

Regards,

  • URL fixed by Mod (kail)

What’s interesting as well is that on the page just prior (http://www.matousec.com/info/advisories/), BlackICE, Norton, Kerio, and Outpost all had multiple entries from 2006 on into 2007. But the best they could come up with for CFP was that it

User calls to NtConnectPort (CFP 2.4.16.174 is not affected), NtCreatePort (CFP 2.4.16.174 is not affected), NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread and NtSetValueKey with invalid argument values [b]can[/b] cause system crashes because of errors in CFP driver cmdmon.sys.
Not that it [i]does[/i], but only that it [i]can[/i].

Their warning of

However, it may happen that this bug is even more dangerous and may lead to the execution of an arbitrary code in the privileged kernel mode.

is then quantified by the statement

Further impacts of this bug (like arbitrary code execution in the kernel mode) were not examined.
So although there is an issue arising from the tests Matousec is doing (which I’m sure is good for the developers to know), they very explicitly did not say that it was a security vulnerability. All they said was that it could result in a system crash (implicitly, that they had been able to cause such to happen), and the possibility existed of other issues (but not that they had been able to cause such to happen).

Compare that to the others which are apparently bypassed in different ways by the vulnerabilities. And on this page they show where 2.4.16.174 fixed an issue present in 2.3.6.81 of bypassing process identification.

Keep up the good work, Comodo!

I noticed that several of the firewalls they listed mentioned issues with validation of arguments coming from user mode. I’m not a programmer, but I’ve got to wonder that if it were designed such as to get the proper arguments for these kernel-mode SSDT hooks, would anything other than the highest-privileged Admin be able to run the firewall? Is it even possible to do what they say needs to be fixed?

LM
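The following is an added illustration, not code from the advisory, from matousec or from cmdmon.sys, of the bug class the advisory names and of the fix it implies. An SSDT hook receives exactly the pointers the user-mode caller passed to the system call; if the hook reads through such a pointer before checking it, an invalid or kernel-mode address faults in ring 0 and the machine bugchecks, which is the crash the advisory reports. The fix does not require the caller to be an administrator: the driver probes the pointer (range and alignment, what ProbeForRead does in the real kernel), copies the argument into kernel memory under exception handling, and then works only on that copy. Everything below is a user-mode C simulation with constructed stand-ins: `g_user_space` plays the role of the user address range, `probe_for_read` of ProbeForRead, `original_NtOpenProcess` of the real SSDT entry, and `PROTECTED_PID` and the two `hook_NtOpenProcess_*` functions are hypothetical names, not anything in Comodo's driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for the Windows kernel types and status codes involved.
 * This whole file is a user-mode simulation; none of it is driver code. */
typedef int32_t   NTSTATUS;
typedef uintptr_t ULONG_PTR;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002L)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005L)
#define STATUS_INVALID_CID           ((NTSTATUS)0xC000000BL)
#define STATUS_ACCESS_DENIED         ((NTSTATUS)0xC0000022L)

typedef struct { ULONG_PTR UniqueProcess; ULONG_PTR UniqueThread; } CLIENT_ID;

/* Constructed address space: bytes inside g_user_space count as user mode,
 * any other address counts as kernel memory. The real ProbeForRead compares
 * against MmUserProbeAddress; this stand-in compares against the array. */
static _Alignas(16) unsigned char g_user_space[4096];

/* Hypothetical PID the hook refuses to let anyone open. */
#define PROTECTED_PID ((ULONG_PTR)1234)

/* Range and alignment check, modelled on ProbeForRead's contract. */
static NTSTATUS probe_for_read(const void *p, size_t len, size_t align)
{
    ULONG_PTR start = (ULONG_PTR)p;
    ULONG_PTR lo = (ULONG_PTR)g_user_space;
    if (len == 0) return STATUS_SUCCESS;
    if (start % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (start < lo || start - lo > sizeof g_user_space ||
        len > sizeof g_user_space - (start - lo))
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Stand-in for the original SSDT entry the hook forwards to. */
static NTSTATUS original_NtOpenProcess(const CLIENT_ID *cid)
{
    return cid->UniqueProcess != 0 ? STATUS_SUCCESS : STATUS_INVALID_CID;
}

/* The pattern the advisory describes: the hook reads through the caller's
 * pointer without probing it. In a real driver a kernel-mode or unmapped
 * address here faults in ring 0 and the system bugchecks. */
static NTSTATUS hook_NtOpenProcess_unchecked(const CLIENT_ID *ClientId)
{
    if (ClientId->UniqueProcess == PROTECTED_PID)
        return STATUS_ACCESS_DENIED;
    return original_NtOpenProcess(ClientId);
}

/* Hardened hook: probe, capture a kernel-side copy (a real driver does the
 * copy inside __try/__except so a page that vanishes mid-copy becomes a
 * status code, not a bugcheck), then decide and forward using the copy so
 * user mode cannot change the value between the check and the use.
 * Simplification: this hook always requires a ClientId. */
static NTSTATUS hook_NtOpenProcess_checked(const CLIENT_ID *ClientId)
{
    CLIENT_ID captured;
    NTSTATUS st = probe_for_read(ClientId, sizeof *ClientId, sizeof(ULONG_PTR));
    if (st != STATUS_SUCCESS)
        return st;
    memcpy(&captured, ClientId, sizeof captured);
    if (captured.UniqueProcess == PROTECTED_PID)
        return STATUS_ACCESS_DENIED;
    return original_NtOpenProcess(&captured);
}

/* Test helpers: place a CLIENT_ID at a byte offset of the simulated user
 * space (possibly misaligned or straddling its end), or hand out a struct
 * that lives outside it and therefore counts as a kernel address. */
static const void *user_client_id(size_t offset, ULONG_PTR pid)
{
    CLIENT_ID tmp = { pid, 0 };
    if (offset + sizeof tmp <= sizeof g_user_space)
        memcpy(g_user_space + offset, &tmp, sizeof tmp);
    return g_user_space + offset;
}

static const CLIENT_ID *kernel_client_id(void)
{
    static CLIENT_ID kernel_cid = { 42, 0 };
    return &kernel_cid;
}
```

The unchecked hook returns the "right" answer for well-formed input, which is why a crash only shows up when a caller passes something deliberately wrong; the checked hook turns every bad pointer into a status code the caller gets back, and any unprivileged process can still make the call.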

This is probably the cause for all of those BSODs…