Hot Take Comodo Internet Security 2025 was obliterated by an exploit!

[Andy Ful]

I finished the third version of the POC and now it does not require any additional files

detection shellcode injection is enabled, untrusted restricted mode, and embedded code detection on

If I correctly understood you bypassed the sandbox protection related to dropping files outside the sandbox. However, it does not follow from your post that those files can be executed outside the sandbox by the POC, or that the POC can modify files outside the sandbox. Can the POC do such actions? I have in mind the first phase of attack, before downloading tdsskiller.

Edit.
The POC should be blocked in the @cruelsister's settings because the contained executable could not call home.

 

[Vitali Ortzi]

I finished the third version of the POC and now it does not require any additional files

detection shellcode injection is enabled, untrusted restricted mode, and embedded code detection on

View attachment 285939

Does block in containment blocks the POC?
Auto containment >Unrecognized>action>block

 

[Loyisa]

Does block in containment blocks the POC?
Auto containment >Unrecognized>action>block

yes

 

[Loyisa]

If I correctly understood you bypassed the sandbox protection related to dropping files outside the sandbox. However, it does not follow from your post that those files can be executed outside the sandbox by the POC, or that the POC can modify files outside the sandbox. Can the POC do such actions? I have in mind the first phase of attack, before downloading tdsskiller.

Edit.
The POC should be blocked in the @cruelsister's settings because the contained executable could not call home.

Yes, the POC use a special way to create service which Comodo can't handle properly, then comodo will think that svchost.exe is executing those commands/files, not the poc itself

 

[Loyisa]

The POC should be blocked in the @cruelsister's settings because the contained executable could not call home

Treat the symptom, not the disease.
I can still release the payload in other directories

 

[Vitali Ortzi]

yes

by yes you mean comodo was able to block it ?
just to confirm

 

[Andy Ful]

Treat the symptom, not the disease.
I can still release the payload in other directories

Only that particular sample is blocked in the @cruelsister settings. It is possible to embed the payloads in the POC and drop/execute them without downloading anything.

Yes, the POC use a special way to create service which Comodo can't handle properly, then comodo will think that svchost.exe is executing those commands/files, not the poc itself

It would be interesting to check if the payload dropped to the sandbox, copied by your exploit outside the sandbox and executed via Svchost, can still be contained in the sandbox.

 

[Loyisa]

by yes you mean comodo was able to block it ?
just to confirm

Setting the action for unrecognized files to "Block" blocks all threats, the true Zero Trust

 

[Loyisa]

Only that particular sample is blocked in the @cruelsister settings. It is possible to embed the payloads in the POC and drop/execute them without downloading anything.



It would be interesting to check if the payload dropped to the sandbox, copied by your exploit outside the sandbox and executed via Svchost, can still be contained in the sandbox.

The execution flow is as follows:
Run POC -> POC can create services outside containment through magic -> Use service(to run curl.exe) to download the payloads ->
-> Use service to run a file trusted by Comodo and do dll hijacking(the bad dll released escaped.txt) -> Run tdsskiller -> Comodo dead

 

[Andy Ful]

The execution flow is as follows:
Run POC -> POC can create services outside containment through magic -> Use service(curl.exe) to download the payloads ->
-> Use service to run a file trusted by Comodo and do dll hijacking(the bad dll released escaped.txt) -> Run tdsskiller -> Comodo dead

So, the trusted executable executed by the service outside the sandbox can load the malicious DLL, and that DLL will not be sandboxed?

 

[Loyisa]

So, the trusted executable executed by the service outside the sandbox can load the malicious DLL, and that DLL will not be sandboxed?

Yes, Comodo doesn't seem to be very good at DLL hijacking and DLL is basically not sandboxable, basically trusted files + bad dll = comodo blinded
If you use Safe mode in HIPS/firewall to face DLL hijacking, it basically means that your computer is not safe.
(During this process, Comodo did not monitor the creation of services, svchost.exe and curl.exe were both trusted files, so there were no firewall alerts.)

 

[Andy Ful]

Yes, Comodo doesn't seem to be very good at DLL hijacking and dll is basically not sandboxable, basically trusted files + bad dll = comodo blinded

So, the attack can be also done fully outside the sandbox, except if in DLL hijacking the execution of a trusted file has to be done via the custom service.

 

[Loyisa]

So, the attack can be also done fully outside the sandbox, except if in DLL hijacking the execution of a trusted file has to be done via the custom service.

Correct, you can even just run shellcode or something like that.
Thanks to some programmers, you can load your malicious DLL through a trusted file.

 

[Andy Ful]

Correct, you can even just run shellcode or something like that.

It is not good for Comodo. The DLL hijacking attacks are easy and can affect home users. Many ransomware attacks use this method.

 

[Loyisa]

It is not good for Comodo. The DLL hijacking attacks are easy and can affect home users. Many ransomware attacks use this method.

In fact, the DLL hijacking used in my POC is something I learned from a ransomware

Kransom Ransomware: Uses DLL-Sideloading to Abuse an RPG

Learn about Kransom, a new ransomware that uses the DLL-sideloading technique to hijack the popular game Honkai: Star Rail.

any.run

 

[Andy Ful]

I think, that there is an option in Comodo that prevents the automatic authorization of untrusted executables executed by trusted ones. This option could probably block DLL hijacking. But it can significantly increase false positives.

 

[Loyisa]

I think that there is an option in Comodo that prevents automatic authorization of untrusted executables executed by trusted ones. This option could probably block DLL hijacking.
But it can significantly increase false positives.

Yes, Safe mode in HIPS prevents trusted executables from executing untrusted executables, but it does not prevent DLL hijacking

 

[rashmi]

For those interested, there is additional information about this topic on Comodo forums.

PoC bypass Auto-Sandbox CIS

https://www.youtube.com/watch?v=l50HNQYFD5Y 💣

forums.comodo.com

A moderator's response.
"I only took a quick look at the source code and I can tell what the issue is. By default cis does not protect access to the service control manager defined as *\RPC Control\ntsvcs so you would need to add that path to the protected COM interfaces section. The source code also contains code that attempts to access the SCM via a named pipe so you can also add *\Device\NamedPipe\ntsvcs to the protected files section to cover the named pipe access.

With that said, there is a compatability issue with windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited e.g. limited, restricted, or untrusted and you run an application that requests admin rights/elevation, then cis will lower the restriction level to partially limited. So you don’t get the protection provided by the higher restriction levels.

Therefore you need to completely disable UAC by setting the enableLUA registry value to 0. This is important to note as using SCM requires admin rights and setting UAC to never notify, doesn’t actually disable UAC itself as it just won’t pop up an UAC alert and will auto grant elevation to admin.

Edit: oh and there is yet another bug that affects cis on windows 11 with regards to using restriction levels. Whenever an application is executed by windows explorer, which happens when you use your mouse to run apps, the restrictions that are supposed to be applied don’t get set so you get tricked into a false sense of security."

 

[Loyisa]

*\RPC Control\ntsvcs

*\Device\NamedPipe\ntsvcs

Those won't works, because I didn't access the com interface

 

[Andy Ful]

For those interested, there is additional information about this topic on Comodo forums.

PoC bypass Auto-Sandbox CIS

https://www.youtube.com/watch?v=l50HNQYFD5Y 💣

forums.comodo.com

A moderator's response.
...
With that said, there is a compatability issue with windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited e.g. limited, restricted, or untrusted and you run an application that requests admin rights/elevation, then cis will lower the restriction level to partially limited. So you don’t get the protection provided by the higher restriction levels. ..."

So, using a Standard User Account can be valuable for real containment.
However, this will not solve the DLL hijacking issue and malware that can encrypt/steal data with standard privileges.