App Review: Comodo Firewall Bypassing a Bypass

Content created by
cruelsister

Bot

AI-powered Bot
Apr 21, 2016
4,332
Thanks for sharing this video! It provides useful insights on bypassing Comodo Firewall. Let's discuss and learn more about it.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471


It is crucial to set the UAC to never notify, before making the reg tweak (just like in the video). If not, the user will not be able to elevate programs and most programs will not be able to update. And worst, the user will not be able to revert the reg tweak.

I do not recommend this method:
  1. One can still use the "Comodo challenge" to dismantle Comodo protection with no warnings.
  2. One can use DLL hijacking to infect the system. Even if normally the infection would use only standard privileges, now it will run with high privileges (no elevation warning).
  3. File Explorer will run with high privileges (normally it always runs with standard privileges).
  4. Some web browser processes will run with high privileges (dangerous behavior).
  5. Most applications will run with high privileges, even if normally they should run with standard privileges.
  6. etc.
Post edited.
There were some reports about issues after setting EnableLUA = 0 (problem with elevating programs):
https://superuser.com/questions/1823984/disabled-enablelua-in-regedit-cant-run-as-administrator
But I think that they were related to Standard User Account.

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,154
Nice video. I wonder whether it's still an issue with Comodo Containment set to Untrusted or just set to Block. I'm the sort who would click Block in general, but useful information. Just not sure I'd disable UAC, and I don't quite get how that allowed those files to escape.

Incidentally, CIS/CF only ever contained a handful of things for me. Either installing an unknown program, which I see a pop-up for, or silently it contains my ASUS OEM Notification and Keyboard Host and their interaction with osd.exe (On Screen Display). I could do with a tip on creating an allow rule for that specifically.

Anyway, great to see the issue being highlighted and one solution.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
Nice video. I wonder whether it's still an issue with Comodo Containment set to Untrusted or just set to Block. I'm the sort who would click Block in general, but useful information. Just not sure I'd disable UAC, and I don't quite get how that allowed those files to escape.

Incidentally, CIS/CF only ever contained a handful of things for me. Either installing an unknown program, which I see a pop-up for, or silently it contains my ASUS OEM Notification and Keyboard Host and their interaction with osd.exe (On Screen Display). I could do with a tip on creating an allow rule for that specifically.

Anyway, great to see the issue being highlighted and one solution.
Submit it to Valkyrie; it should be flagged safe.
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
It is crucial to set the UAC to never notify, before making the reg tweak (just like in the video). If not, the user will not be able to elevate programs and most programs will not be able to update. And worst, the user will not be able to revert the reg tweak.

I do not recommend this method:
  1. One can still use the "Comodo challenge" to dismantle Comodo protection with no warnings.
  2. One can use DLL hijacking to infect the system. Even if normally the infection would use only standard privileges, now it will run with high privileges (no elevation warning).
  3. File Explorer will run with high privileges (normally it always runs with standard privileges).
  4. Some web browser processes will run with high privileges (dangerous behavior).
  5. Most applications will run with high privileges, even if normally they should run with standard privileges.
  6. etc.
Does your Comodo challenge work with Block instead of containment?
And what about default deny in other AV software via similar settings in HIPS, application control?
BTW, is there any danger with antivirus minifilters scanning, running executables under a driver with SYSTEM privileges in order to scan them?
I recall Project Zero concluded, back when they tested AV programs, that the way they access files to detect them is usually done with dangerous privileges, and the ones they tested, at least back then, had major issues.


 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
Does your Comodo challenge work with Block instead of containment?

The "block" setting is a containment setting. Comodo Challenge works with the block setting because nothing is contained (all is trusted).

And what about default deny in other AV software via similar settings in HIPS, application control?

I was able to bypass all tested software except some paranoid settings.

BTW, is there any danger with antivirus minifilters scanning, running executables under a driver with SYSTEM privileges in order to scan them?
I recall Project Zero concluded, back when they tested AV programs, that the way they access files to detect them is usually done with dangerous privileges, and the ones they tested, at least back then, had major issues.

Yes, if AV is exploited.

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
The "block" setting is a containment setting. Comodo Challenge works with the block setting because nothing is contained (all is trusted).



I was able to bypass all tested software except some paranoid settings.



Yes, if AV is exploited.
Seems like Microsoft should really push some good SDKs for security software to use, to be better isolated since they are so privileged, and to reduce issues, not just security ones but usability, like what happened with CrowdStrike.
Anyway, I do hope Comodo abandons their containment solution for something that uses a hypervisor, as nowadays pretty much every modern machine has virtualization instructions and enough performance.
Pretty sure all these things will naturally happen in the future, and more criminals abusing drivers, injecting DLLs, and exploiting privileged security processes would get us onto the right route even quicker.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
In @Andy Ful's "Comodo's Challenge" thread, I had brought up the problem of Comodo's inefficiency in virtual machines.

The "Comodo challenge" works because all used executables are benign and trusted. If there is any Comodo inefficiency in virtual machines, it is unrelated to the "Comodo challenge". I did not notice any inefficiency in my tests. When I used a file that was not trusted in some settings (like cmd[.]exe), the attack was blocked.

In the case of the @cruelsister video, she used custom UAC settings because the Comodo sandbox cannot fully contain processes running with high privileges when UAC is enabled. In the custom UAC settings, the attack can be blocked. In the original attack, the default UAC settings were used, so the attack was successful. There is no inefficiency related to the virtual machine.

rashmi

Level 11
Jan 15, 2024
538
The "Comodo challenge" works because all used executables are benign and trusted. If there is any Comodo inefficiency in virtual machines, it is unrelated to the "Comodo challenge". I did not notice any inefficiency in my tests. When I used a file that was not trusted in some settings (like cmd[.]exe), the attack was blocked.

In the case of the @cruelsister video, she used custom UAC settings because the Comodo sandbox cannot fully contain processes running with high privileges when UAC is enabled. In the custom UAC settings, the attack can be blocked. In the original attack, the default UAC settings were used, so the attack was successful. There is no inefficiency related to the virtual machine.
I recall your tests clearly. I just informed @cruelsister that Comodo had problems functioning properly on virtual machines, which I mentioned in your thread as well. Please note that I didn't mean Comodo would block your POC if you tested it on a real system.

I already had information about UAC from Comodo forums, which I also shared in another recent POC thread. You quoted and responded to my post in that thread.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
I recall your tests clearly. I just informed @cruelsister that Comodo had problems functioning properly on virtual machines, which I mentioned in your thread as well. Please note that I didn't mean Comodo would block your POC if you tested it on a real system.

I already had information about UAC from Comodo forums, which I also shared in another recent POC thread. You quoted and responded to my post in that thread.

I know. I posted here to explain that in any case, the results did not depend on Comodo's inefficiency in virtual machines, but were expected due to the settings used and the way Comodo works. :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level. This flaw results from considering the sandbox an unbeatable solution.
It is also possible that Comodo staff think that such bypasses are related to businesses, where people use Standard User Account (password known only to Administrators), so the bypass will be prevented.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The issue is not so much Comodo but more User Account Control and how it interacts with various security applications. At the most basic, UAC can have elevation notifications suppressed by setting the UAC slider to "Never Notify". Although this will indeed prevent any notifications, UAC will still be active.

With UAC active it interacts with Comodo Containment by forcing certain items into running at the Partially Limited level, and not at a more restrictive level. For almost all files (fair or foul) this is not an issue- but for this particular mechanism it is. So although the recent videos utilize TDSSKiller as the payload, one can easily switch to a Data Stealer or Ransomware instead (although the biggest use so far has been against SEP).

The resolution for this Comodo-UAC issue is trivial:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(modify 1 (Default) to 0).

I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level
It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,154
I'm just changing the below setting to checked and Block.

[attached screenshot: 1730141575195.png, showing the Containment setting being set to checked and Block]
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
I am unsure why Comodo Sandbox allows process elevation in the Untrusted and Restricted level. This flaw results from considering the sandbox an unbeatable solution.
It is also possible that Comodo staff think that such bypasses are related to businesses, where people use Standard User Account (password known only to Administrators), so the bypass will be prevented.
Can you rerun the Comodo challenge with the registry change and UAC set to Never Notify?
Just to settle this and see if their non-hypervisor sandbox is actually decent for enterprise use, like they claim with their ZeroDwell 100% protection marketing.

Oh, and best if you can use cruelsister's settings on Xcitium (a more updated client than the free consumer one).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
The resolution for this Comodo-UAC issue is trivial:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(modify 1 (Default) to 0).

This tweak will introduce more weaknesses than it is worth. It reverts several years of Microsoft's work on patching privilege escalation flaws by introducing a general privilege escalation flaw. I do not think that Comodo staff are going to recommend it.

It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).

Understood.
In your settings, Silent Mode is enabled, so that particular exploit cannot work. This is probably the best resolution, because it does not introduce system weaknesses, unlike disabling LUA.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
It doesn't. A Red popup warning of attempted Elevation will result (in Silent Mode it will just block the request without any popup).
So, it does with user consent. I would expect the Untrusted level to reject the elevation request even if the user accepted it. I suspect that Comodo did not implement it because most program installations would not run at all in the sandbox after rejecting the elevation request. But who would want to install unknown applications in the sandbox set to Untrusted?

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
Can you rerun the Comodo challenge with the registry change and UAC set to Never Notify?
It is not necessary. The Comodo challenge will work silently with no alerts at all. That registry tweak means that programs executed by the user run by default with high privileges (elevation not needed). Without that reg tweak, programs run by default with standard rights and must request elevation if necessary.

Just to settle this and see if their non-hypervisor sandbox is actually decent for enterprise use, like they claim with their ZeroDwell 100% protection marketing.
You will not see anything like that, because the Comodo challenge does not run in the sandbox. It runs as a trusted process outside the sandbox. There is no escaping from the sandbox.

Oh, and best if you can use cruelsister's settings on Xcitium (a more updated client than the free consumer one).

Cannot test Xcitium, but applying @cruelsister's settings would not change anything.
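The EnableLUA value @cruelsister posted, and the consequence Andy Ful describes in the reply above (with EnableLUA = 0, programs the user launches run with high privileges by default instead of requesting elevation), can be audited from the defender's side. The PowerShell below is an added example, not code from the thread, from Comodo or from any of the posters. It reads the three UAC policy values under the registry key quoted in the thread, classifies the result as fully disabled (EnableLUA = 0), "Never notify" (prompts suppressed but UAC still active), or default, reports whether the current process is already elevated, and, where Sysmon is installed, lists registry-set events (Sysmon Event ID 13) that touched EnableLUA. The state labels, the helper names, and the fallback defaults used when a value is absent are assumptions made for this example.

```powershell
# Added example: not code from the thread, from Comodo or from the posters.
# Audits the UAC policy values under the key quoted in the thread.
# Assumptions: Windows 10/11; the HKLM policy key is readable (normal for
# all users); Sysmon is optional and only used for the event-log check;
# the fallback defaults below are used only when a value is absent.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-ProcessElevated {
    # True when the current token is in the Administrators role (i.e. already elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicyState {
    param([string]$Path = $UacPolicyPath)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Fallback defaults (assumed) when a value is missing from the key.
    $enableLua   = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    # Classification labels are this example's own naming.
    $state = if ($enableLua -eq 0) {
        'Disabled'        # the tweak from the thread: no Admin Approval Mode, admins run fully elevated
    } elseif ($adminPrompt -eq 0) {
        'NeverNotify'     # slider at "Never notify": prompts suppressed, UAC itself still active
    } elseif ($secureDesk -eq 0) {
        'PromptOffSecureDesktop'
    } else {
        'Default'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        State                      = $state
        CurrentProcessElevated     = Test-ProcessElevated
    }
}

function Get-EnableLuaChangeEvents {
    param([int]$MaxEvents = 500)
    # Sysmon Event ID 13 = registry value set. Returns nothing if Sysmon is not installed.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetObject:.*Policies\\System\\EnableLUA' } |
        Select-Object TimeCreated, Message
}

function Restore-Uac {
    # Re-enables Admin Approval Mode. Needs an elevated session; takes effect after a reboot.
    if (-not (Test-ProcessElevated)) { throw 'Run Restore-Uac from an elevated PowerShell session.' }
    Set-ItemProperty -Path $UacPolicyPath -Name 'EnableLUA' -Value 1 -Type DWord
    Write-Warning 'EnableLUA set to 1; reboot for the change to take effect.'
}

# Usage
Get-UacPolicyState | Format-List
Get-EnableLuaChangeEvents | Format-List
```

A result of State = Disabled together with CurrentProcessElevated = True from a non-elevated shell is the condition the thread describes: every process the user starts already holds the high-integrity token, so a containment product that keys off the elevation request has nothing to intercept. The Sysmon query is only a starting point for detection; a registry audit policy (Event ID 4657) on the same key gives equivalent coverage without Sysmon.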
 
