Zero day windows exploit bypasses Defence Plus

languy99, you might want to re-read my post, as I’m not quite understanding why you’ve written what you have (perhaps you just want to repeat/clarify that when configured appropriately, CIS version 5 can block this POC).

I said CIS version 5 is bypassed in default settings. You verified this too. Or is that wrong now? I have a feeling that most people will generally double click files and not specifically manually right click and run it sandboxed. Would you agree?

Here’s some information about the POC, but it might be a bit trickier to find the download link to the POC this far down the line (time-wise):
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302

And yes, languy99 recently educated me about the “other” sandbox in CIS version 5. Unfortunately, it doesn’t quite look as configurable/versatile as Sandboxie.

Hi SSJ100,
Thanks for the link. I have downloaded the POC and tested with both methods on the real machine.

Method A - Successfully Blocked. :-TU Checked with DebugView as you have suggested.
Method B - Bypassed. Screenshot attached :-TD (But adding rundll32.exe as a limited application, it successfully blocks it :-TU :-TU)

Note: for both the above scenarios - I get an edit as shown in the attached (W7.png)

Regards,
Harsha

[attachment deleted by admin]

Sounds good. By the way, wouldn’t adding “rundll32.exe” as a “limited application” result in a lot of pop-ups or inconvenience from blocked processes? I can’t recall how CIS classifies a “limited application”. Could you find out the details? Thanks.

Just a follow up on the last post. I remember a “CloneRanger” posted that the exploit could be mitigated by blocking “rundll32.exe”. I essentially replied that this isn’t a very good method:

“rundll32.exe” is indeed required for many normal and safe operations – you just haven’t got round to issuing them just yet haha. Here are a few such normal operations that many people will use frequently:

1. Using “Open With” menu to choose the program you want to open a file with
2. Using “Safely Remove Hardware” so you can safely unplug a device from your computer
3. Opening “Date and Time Properties” (eg. so you can view the calendar, adjust time/date)
4. Opening “System Properties” (eg. so you can change Performance options, enable/disable DEP)
5. Opening “Display Properties” (eg. so you can change desktop wallpaper, screensaver)
6. Opening “Add or Remove Programs” (eg. so you can uninstall programs)
7. Opening “Mouse Properties” (eg. so you can adjust the scrolling speed of your mouse)
8. Opening “Keyboard Properties” (eg. so you can adjust the cursor blink rate)
9. Opening “Sound and Audio Devices Properties” (eg. so you can change Windows Sound scheme)
10. Opening “Phone and Modem Options” (so you can add a phone/modem device)

Keep in mind that the above list applies only for Windows processes itself. I’m fairly sure many third party applications would also call “rundll32.exe”.

So yes, blocking “rundll32.exe” isn’t exactly very good advice for most people.

I didn’t find the exact definition of Limited app. But, take a look at the attached screenshot of how Comodo treats a limited application…

Thanks,
Harsha

[attachment deleted by admin]

I haven’t blocked rundll32.exe, just treated it as a limited application.

I have tried all the below operations and could do them successfully w/o any weird behavior/slowdowns/pop-ups:

1. Using “Open With” menu to choose the program you want to open a file with
2. Using “Safely Remove Hardware” so you can safely unplug a device from your computer
3. Opening “Date and Time Properties” (eg. so you can view the calendar, adjust time/date)
4. Opening “System Properties” (eg. so you can change Performance options, enable/disable DEP) – DEP options are disabled; probably it’s because of either EMET2 or full UAC
5. Opening “Display Properties” (eg. so you can change desktop wallpaper, screensaver)
6. Opening “Add or Remove Programs” (eg. so you can uninstall programs) – uninstalled Bonjour app successfully; uninstalled CCleaner v3 and installed v3.01 successfully
7. Opening “Mouse Properties” (eg. so you can adjust the scrolling speed of your mouse)
8. Opening “Keyboard Properties” (eg. so you can adjust the cursor blink rate)
9. Opening “Sound and Audio Devices Properties” (eg. so you can change Windows Sound scheme)
10. Opening “Phone and Modem Options” (so you can add a phone/modem device)

“wouldn't adding "rundll32.exe" as a "limited application" result in a lot of pop-ups or inconvenience from blocked processes?”

As of now the above operations did not cause any inconveniences. I will post if any appear after using my computer for a few days...

Thanks,
Harsha.

Thanks for the feedback. CIS sounds pretty solid, as always.

If rundll32.exe as limited blocks exploits then:

how about setting rundll32.exe as a custom policy, with all options set to “ask” except those (including exclusions) that are allowed by default in the limited policy, set them to “allow”. Then the rule will ask instead of block. If rundll32.exe ever alerts then it could be an exploit, whilst you still have the option to investigate.
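The "ask instead of block" policy sketched above can be illustrated in code. The following is an added example, not Comodo's policy engine or any code from this thread: a small Python evaluator that parses rundll32.exe command lines from process-creation records, allows the handful of shell32.dll exports behind the everyday operations listed earlier in the thread ("Open With", Control Panel applets, "Safely Remove Hardware"), and returns "ask" for everything else, including any DLL loaded from outside System32. The allow-list, the fixed System32 path and the sample events are all constructed for this example; CIS's real "limited application" policy is not reproduced here.

```python
import ntpath
from dataclasses import dataclass

# Constructed assumption: a single, fixed System32 location (lower-cased for comparison).
SYSTEM32 = r"c:\windows\system32"

# Hypothetical allow-list standing in for "what the limited policy permits by default".
# Each entry is the (dll, export) pair behind one everyday operation from the thread;
# anything not listed falls through to "ask".  Keyed on name + export rather than on
# path alone, because a bare DLL name is resolved through the loader's search path.
ALLOWED_EXPORTS = {
    ("shell32.dll", "openas_rundll"),     # "Open With" dialog
    ("shell32.dll", "control_rundll"),    # Control Panel applets: timedate.cpl, main.cpl, hotplug.dll, ...
    ("shell32.dll", "shellexec_rundll"),  # ShellExecute wrapper used by Explorer
}


@dataclass
class Verdict:
    action: str   # "allow", "ask", or "n/a" (the process is not rundll32.exe)
    reason: str


def _next_token(s):
    """Return (token, remainder) for a Windows-style command line: a leading
    double-quoted string is one token, otherwise split on whitespace."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<export> [args]' into (dll, export, args).
    Returns None when the command line does not launch rundll32.exe."""
    exe, rest = _next_token(cmdline)
    if ntpath.basename(exe).lower() != "rundll32.exe":
        return None
    target, rest = _next_token(rest)
    if "," in target:
        dll, export = target.split(",", 1)
    elif rest.startswith(","):
        # Quoted DLL path (may contain spaces) followed by ,Export outside the quotes.
        dll = target
        export, rest = _next_token(rest[1:])
    else:
        dll, export = target, ""
    return dll, export, rest.strip()


def evaluate(cmdline):
    """Apply the ask-by-default policy to one process-creation command line."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return Verdict("n/a", "not a rundll32.exe launch; this rule does not apply")
    dll, export, _args = parsed
    dll_dir = ntpath.dirname(dll).lower().rstrip("\\")
    dll_name = ntpath.basename(dll).lower()
    if dll_dir and dll_dir != SYSTEM32:
        return Verdict("ask", f"DLL loaded from outside System32: {dll}")
    if (dll_name, export.lower()) in ALLOWED_EXPORTS:
        return Verdict("allow", f"default-permitted export {dll_name},{export}")
    return Verdict("ask", f"export not in default allow-list: {dll_name},{export or '<none>'}")


# Constructed sample process-creation records (parent image, command line);
# not real telemetry from the thread.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\rundll32.exe shell32.dll,OpenAs_RunDLL C:\Users\h\notes.dat"),
    ("explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"),
    ("explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"),
    ("setup.exe",    r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init'),
    ("explorer.exe", r"rundll32.exe E:\unknown\thing.dll,Run"),
    ("services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def scan_events(events=SAMPLE_EVENTS):
    """Return [(parent, cmdline, action, reason)] for every event."""
    results = []
    for parent, cmdline in events:
        v = evaluate(cmdline)
        results.append((parent, cmdline, v.action, v.reason))
    return results


if __name__ == "__main__":
    for parent, cmdline, action, reason in scan_events():
        print(f"{action:5s}  {parent:12s}  {cmdline}\n       -> {reason}")
```

Run stand-alone, it prints one verdict per sample event: the three Explorer-launched shell32.dll invocations are allowed, the vendor DLL under Program Files and the DLL on the E: drive come back as "ask" (so a user could investigate rather than have the process silently blocked), and the svchost.exe record is marked not applicable.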

That was never an issue really. Anyone who is a little familiar with “Classical HIPS” technology knows that it can be configured to pretty much block anything.

Comodo are trying to make their security suite as user friendly as possible (less pop-ups, less decision-making at the user-level etc), and at the same time, make it as strong as possible too.

On XP, CIS is bypassed by both methods.

Any answer from Egemen? ??? :-\

Use XP SP3 fully updated and try again…

That is no magic by CIS. It’s the MS patch, I think.

Running Admin or Limited User?

Admin