Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Chuck57
It is immoral and irresponsible to continue promoting software like Comodo (I'm not talking about you, I'm talking about Comodo and its fanatics).
This sounds very much like you're accusing us of the new buzzword, "disinformation."

Comodo users: Who decides what this 'disinformation' is?

You: It's what we say it is.

Comodo users: Who is we?

You: Everybody who doesn't want Comodo being used.
 

vitao
That would be awesome, especially with Xcitium as it's more updated
Already did that. When properly disabling UAC, the CIS sandbox can manage to really block the exploit behavior. The video is online but I'm still working on proper subs :) Anyway, the UAC thing is not to be done by anyone. Comodo (and now Xcitium) must solve this problem. Or do you think it's not that much of a problem?
 

vitao
If you think about not fixing the bypass from this thread, this will not be a problem. The bypass is Comodo-dependent, so it will not be used in widespread attacks.
Comodo has many hardening options that can make it a very attractive solution. The greater problem for Comodo and other AVs is DLL hijacking (also used in the bypass). Unfortunately, there are no tests on this attack vector, so I cannot say which AV can be most effective. On Windows 11, DLL hijacking is blocked by Smart App Control if the malicious DLL is unsigned or improperly signed. It can be also blocked by WDAC.
Actually it's already popping up as "paid services" at some "other" places... so it's a matter of time (little, if I may) until we have fileless malware and other malware running this kind of measure against CIS and Xcitium...
 

vitao
BTW... a video showcasing the exploit downloading and running the ransomware and CIS ignoring it:

Edit: I'm still going to work on subtitles for this video. Try the YT automatic subs for the moment...

Added 10 subtitles..
 

Andy Ful
Actually it's already popping up as "paid services" at some "other" places... so it's a matter of time (little, if I may) until we have fileless malware and other malware running this kind of measure against CIS and Xcitium...
Yes, it is probable in targeted attacks against businesses.
Improbable in widespread attacks against home users (Comodo is not a popular solution).
 

Andy Ful
Just thinking, if someone actually exploited this vulnerability to drop ransomware using DLL hijacking...
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.(y)
 

Loyisa
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.(y)
Yes! In fact, LummaStealer (in the wild too) also does this

Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll - malicious DLL, shellcode loader
lmemets, yajfl - encrypted shellcode
 
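The chain in Andy Ful's post above (archive unpacked, benign signed EXE launched as Administrator, DLL hijacking) and the Lumma package Loyisa lists both rest on one loader fact: for a DLL that is not on the KnownDLLs list, the application directory is searched before System32, so a DLL dropped beside the EXE is the one that gets mapped, elevated or not. The following is an added example, not code from the thread, from Comodo/Xcitium or from any sample discussed. It parses an EXE's import directory and flags imported DLLs that also sit in the unpacked directory, plus extensionless non-PE blobs of the kind that carry encrypted shellcode. Everything in SAMPLE_DIR is constructed to mirror Loyisa's listing; build_sample_pe() exists only to make the example run offline and is not a real sample. The parser reads name-bound imports only, so delay-load and LoadLibrary()-by-string imports are a blind spot, and it does not check Authenticode signatures, which is the criterion Smart App Control applies.

```python
"""Triage an unpacked archive for the DLL-sideloading layout discussed in the thread.

Added example; the file names and PE bytes are constructed, not a real sample.
"""
import struct


def pe_imports(data: bytes) -> list[str]:
    """Return the DLL names in the PE import directory (name-bound imports only)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = 96 if magic == 0x10B else 112                     # PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]  # DataDirectory[1]

    sections = []
    sec = opt + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} not in any section")

    names: list[str] = []
    if import_rva == 0:
        return names
    off = rva_to_off(import_rva)
    while off + 20 <= len(data):
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                       # all-zero terminator
            break
        noff = rva_to_off(name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def sideload_candidates(files: dict[str, bytes]) -> dict[str, list[str]]:
    """For each EXE, the imported DLLs that also sit beside it in the directory."""
    present = {n.lower(): n for n in files}
    result = {}
    for name, data in files.items():
        if name.lower().endswith(".exe"):
            result[name] = [present[d.lower()] for d in pe_imports(data) if d.lower() in present]
    return result


def opaque_blobs(files: dict[str, bytes]) -> list[str]:
    """Extensionless non-PE files: the usual carrier for encrypted shellcode."""
    return sorted(n for n, d in files.items() if "." not in n and d[:2] != b"MZ")


def build_sample_pe(dlls: list[str]) -> bytes:
    """Synthesise a minimal PE32+ image with one .idata section naming the given
    DLLs in its import directory. Constructed test input only."""
    sec_va, sec_raw = 0x1000, 0x200
    ndesc = len(dlls) + 1
    names_blob, name_rvas = b"", []
    for d in dlls:
        name_rvas.append(sec_va + ndesc * 20 + len(names_blob))
        names_blob += d.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = descs + names_blob
    dirs = [(0, 0), (sec_va, len(descs))] + [(0, 0)] * 14       # index 1 = import table
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_va,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section


# Constructed listing modelled on the thread's description of the Lumma package.
SAMPLE_DIR: dict[str, bytes] = {
    "Setup.exe": build_sample_pe(["KERNEL32.dll", "SdAppServices_x64.dll"]),
    "SdAppServices_x64.dll": build_sample_pe(["KERNEL32.dll"]),   # stands in for the loader DLL
    "lmemets": b"\x9a\x11\x00\xde",                               # opaque blobs (constructed)
    "yajfl": b"\x5c\x3b\xff\x07",
}

if __name__ == "__main__":
    for exe, dlls in sideload_candidates(SAMPLE_DIR).items():
        print(f"{exe}: sideload candidates {dlls or 'none'}")
    print("opaque blobs:", opaque_blobs(SAMPLE_DIR))
```

On the constructed input this reports Setup.exe resolving SdAppServices_x64.dll from its own directory and two opaque blobs. A hit on a KnownDLLs name (kernel32.dll, user32.dll and the rest of that list) would be a false positive, since those are mapped from \KnownDlls regardless of the search path; and because signatures are not checked here, a flagged DLL still has to be verified on Windows (for instance with Get-AuthenticodeSignature) before concluding that Smart App Control or a publisher-level WDAC rule would have stopped it.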

Andy Ful
Yes! In fact, LummaStealer (in the wild too) also does this
Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll - malicious DLL, shellcode loader
lmemets, yajfl - encrypted shellcode

I had in mind whether you tried to kill Comodo in that way instead of bypassing the sandbox. :)(y)
I assume that the benign application in your test does not ask for elevation, so you used the bypass to elevate in the sandbox and create the service. Next, the service could run DLL hijacking with high privileges. I think that the same can be done without the containment bypass just by running the benign application with admin rights (via "Run as administrator") to apply DLL hijacking and run TDSSKiller. But I am not sure if anyone has tried this against Comodo.
 

vitao
I saw some Lumma being blocked by CIS in some tests of mine. Do you guys have any sample or any file of your own so I can test it against CIS?

BTW, Xcitium banned me from their forum and removed all topics about the CIS/Xcitium exploit. :(
 

rashmi
I saw some Lumma being blocked by CIS in some tests of mine. Do you guys have any sample or any file of your own so I can test it against CIS?

BTW, Xcitium banned me from their forum and removed all topics about the CIS/Xcitium exploit. :(
Can you test the POCs in Comodo Virtual Desktop?
 

rashmi
Did you mean Virtual Kiosk? If so, there is no need. VK uses the same sandbox structure, so the PoC will bypass it.
I vaguely remember that virtual desktop or shopping protection came with added security measures. Regardless, I doubt it will affect the outcome of the test.
 

bazang
They falsely market it
Comodo does not market CIS\CFW. Please do not provide a link to a URL because that is not marketing.

They avoid fixing issues
Because the software has $0 revenue and therefore nobody in their right mind would ever spend a lot on fixing issues. CIS\CFW is in perpetual maintenance or out-of-date. And that is fine because it generates $0 revenue. There are no dedicated Comodo staff to support, bug fix, or further develop it. Melih gets his programmers to look at it once every three or four years. This is fine.

It is freeware. You accept what Comodo gives you and if you cannot, Melih wants you to go use something else. He is so happy to see you go use something else. He does not want you using his product.
 

Vitali Ortzi
Comodo does not market CIS\CFW. Please do not provide a link to a URL because that is not marketing.


Because the software has $0 revenue and therefore nobody in their right mind would ever spend a lot on fixing issues. CIS\CFW is in perpetual maintenance or out-of-date. And that is fine because it generates $0 revenue. There are no dedicated Comodo staff to support, bug fix, or further develop it. Melih gets his programmers to look at it once every three or four years. This is fine.

It is freeware. You accept what Comodo gives you and if you cannot, Melih wants you to go use something else. He is so happy to see you go use something else. He does not want you using his product.
I replied to vitao's comment about the Xcitium EDR client he bypassed, and it is marketed with false claims to enterprises (Comodo is the same base but less updated and has fewer rules, etc.). Regardless, it is important that severe bypasses are fixed in security software, free or paid.
 

vitao
Guys, please, don't fight. Comodo is not fighting... they released a new 2025 edition fixing the cert issue and it only took 2 months... maybe in another 2 years they fix the exploit/PoC thing in CIS and Xcitium... let's have faith :)

BTW, a new video showing every fcking option in CIS 2025 is on the way. In fact it's already on the channel but the video is long... 1h20min more or less... I'll try to bring subs for it but maybe it's not worth it as many will not watch it anyway...
 

bazang
regardless it is important that severe bypasses are fixed in security software free
Nope. Not if there is $0 revenue supporting the product.

All free software - ALL PAID SOFTWARE - is offered "As Is." No developer has any obligation to fix bugs or patch its software. At least not a contractual obligation since every software EULA absolves the developer of any liability. The only instance where a developer is liable is if their software causes physical or bodily damage. Then that is no longer about the EULA, but gets into the realm of product negligence and liability.

Everybody that uses software - whether home user, enterprise, or government - does so at their own risk. If anybody uses security software and ends up infected, it is always 100% on them. That is an established rule of global law for security software as a product.
 

bazang
Guys, please, don't fight. Comodo is not fighting... they released a new 2025 edition fixing the cert issue and it only took 2 months... maybe in another 2 years they fix the exploit/PoC thing in CIS and Xcitium... let's have faith :)
Melih will never fix it. There is no dedicated development staff for the Comodo code base. The developers at Comodo are shuffled around from project to project. That is how it has always been. For CIS\CFW a few developers are given a window of a few months to work on it. Because they are needed elsewhere - on projects that bring in revenue dollars. This makes perfect economic sense.

For a while, Melih hired China-based Haibo Zhang to be the Comodo Product\Project Manager, but he left years back and has never been replaced. That was right about the time that CIS\CFW development stopped, 3 or 4 years ago.

For the price that Melih is charging for Xcitium, he will never have enough revenue to make the Comodo code-base any better than it is right now. A software product has to generate at least $1 MM USD for every 3 to 4 full-time personnel that support it (only 1 of those 3 or 4 people are software engineers). Comodo earns $0 and Xcitium might generate $500,000 per year. So you get 1.5 or 2 full-time people to support the product. Of those 1.5 or 2 people, you get 3/8ths to 1/2 of a developer. That translates to 1 developer working 780 to 1020 hours per year on a software code base. At Comodo companies, that developer has to do everything. Fix bugs. Develop new features. Unit test. Fix driver issues. Configure and maintain all of the supporting infrastructure. Create install packages. Perform all QA\QC. They have to do the entire supporting sysadmin of the infrastructure, software engineering, and the entire DevOps. Maybe in 10 years that developer can get around to fixing all the bugs and other problems, assuming that the underlying operating system remains essentially static over that same time period.

¯\_(ツ)_/¯
 

Andy Ful
Killing Comodo with disabled LUA:
 

vitao
So...

PS: a new video will be published showing this in action.
 

Attachment: cisok.jpg (93 KB)
