App Review Full Bypass DDE Exploit COMODO AV-10.2.0.6526 DB-28788 (UNDETECTED!) - AV and HIPS ON Paranoid Mode


Fel Grossi (Level 13, Verified, Top Poster, Well-known; joined Jan 17, 2014; 620 messages)
How about COMODO Firewall and denying unknown entries? Or put CS settings to block requests without alerting.

CAV is as easy as any other signature-based antivirus; the power of COMODO is in the firewall + sandbox.
 

AtlBo (Level 28, Verified, Top Poster, Content Creator, Well-known; joined Dec 29, 2014; 1,711 messages)
If this were real, whoever made the video would cash in by informing Comodo, or else keep the information 100% quiet to cash in by robbing others. No one does this this way, "discreetly, without any credible testing" of the hack.

I think we've got to be more careful moving forward to avoid falling for the blatantly lying nature of some out there. Some of what pops up is just misinformation, or meant to misguide or distract users and others somehow. However, much of it is simply straight away 100% fabrication meant to scare people away from a good product... or maybe even in some cases toward something.

Think I'm going to be relying more on the credibility of sources from now on and less on random one off news and videos like this...
 

Deleted member 65228

I LOL'd at the end when Access Denied (STATUS_ACCESS_DENIED, to be precise) was being thrown back for the process termination attempts. STATUS_ACCESS_DENIED was being returned because a COMODO driver must have set up ObRegisterCallbacks to deny handle creation/duplication with access rights of XXXXXX, and thus the Windows Kernel returns STATUS_ACCESS_DENIED when the requested access rights cannot be granted.

Then again, COMODO use a hypervisor, so they could've just patched the Windows Kernel and hidden the memory changes from KPP's DPC-timer-based memory checks with EPT and/or RVI anyway.

Anyway, trust me when I say this: what was uploaded here would never ever have been deemed valid by any main vendor in a million years. Maybe if the vendor was silly they would accept it. COMODO definitely won't.
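As an added illustration of the mechanism described in the post above (this is constructed model code, not COMODO's driver and not real kernel code), the following Python models an ObRegisterCallbacks pre-operation callback that strips rights from a process-handle open. The protected PID and the stripped mask are assumptions; the access-mask and NTSTATUS constants mirror the Windows SDK values. It shows where the denial actually surfaces: the open still succeeds with a reduced GrantedAccess, and STATUS_ACCESS_DENIED comes back when that handle is used to terminate.

```python
# Constructed user-mode model of ObRegisterCallbacks access stripping.
# Not COMODO's code and not kernel code; PROTECTED_PIDS and STRIP_MASK are
# assumed policy, the numeric constants mirror the Windows SDK.

PROCESS_TERMINATE = 0x0001
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

PROTECTED_PIDS = {4242}                              # assumed PID of the guarded AV service
STRIP_MASK = PROCESS_TERMINATE | PROCESS_VM_WRITE    # assumed: rights the driver refuses


def pre_operation_callback(target_pid, desired_access):
    """Model of the OB_OPERATION_HANDLE_CREATE pre-op callback.

    The real callback gets DesiredAccess by reference and may only clear bits
    from it; it cannot add rights and cannot fail the open outright."""
    if target_pid in PROTECTED_PIDS:
        return desired_access & ~STRIP_MASK
    return desired_access


class ProcessHandle:
    def __init__(self, pid, granted_access):
        self.pid = pid
        self.granted_access = granted_access   # the kernel's GrantedAccess for this handle


def nt_open_process(target_pid, desired_access):
    """NtOpenProcess still succeeds after stripping; the caller receives a handle
    carrying whatever access survived the callback."""
    granted = pre_operation_callback(target_pid, desired_access)
    return STATUS_SUCCESS, ProcessHandle(target_pid, granted)


def nt_terminate_process(handle):
    """NtTerminateProcess references the handle requiring PROCESS_TERMINATE.
    If GrantedAccess lacks that bit, ObReferenceObjectByHandle fails and the
    call returns STATUS_ACCESS_DENIED, which is what the video shows."""
    if not handle.granted_access & PROCESS_TERMINATE:
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


def attempt_kill(target_pid):
    """Open for terminate+query, then terminate. Returns (status, granted mask)."""
    status, handle = nt_open_process(
        target_pid, PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION)
    assert status == STATUS_SUCCESS          # the open itself is never refused here
    return nt_terminate_process(handle), handle.granted_access


if __name__ == "__main__":
    for pid in (4242, 1000):
        status, granted = attempt_kill(pid)
        print(f"pid {pid}: terminate -> 0x{status:08X}, granted 0x{granted:04X}")
```

The point worth keeping in mind when reading such a video: a tool that only checks whether OpenProcess succeeded will think the AV process is unprotected, because the open does succeed; it is the later TerminateProcess (or WriteProcessMemory) that fails.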
 

Mariihh (Level 3, Verified, Well-known; joined Mar 30, 2018; 139 messages)
Comodo = bug factory and horrible signatures, step well away from this program (n)

The problem is that there are some fanboys of this program who talk a lot of crap, doing amateur tests and saying that it has good protection, etc., whereas in real life anyone who understands security knows that it is weak and has no credibility in the security market.
 

Emmanuellws (Level 3, Thread author, Verified; joined Mar 11, 2017; 132 messages)
Hi there, thanks for the negative, constructive and positive feedback. Anyway, while testing COMODO AV with its HIPS and Sandbox technology, I was really impressed with the Sandbox, or its "Containment" technology. Of course, like any other AV, it has its own weaknesses. The purpose of this video is that one of my subscribers requested me to test COMODO after I bypassed some AVs, including my own favorite AV. Don't get me wrong, COMODO AV is a good product, at least it is not crap, but for me, I bypass my own AV too so that I know where my protection level currently stands. If we know our own weakness, we will take precautions against such attack vectors. We can help improve it, like me: I inform my own vendor. Let the public know that whoever uses this solution must take precautions; inform your own vendor. Don't be in denial. Don't live in a FALSE SENSE OF SECURITY. Vendors will market their product with powerful marketing statements and features, but we consumers ought to know the truth and limitations of their product, which they will never tell us. This is where you can tell whether your vendor really takes security seriously or not. Else, move on, make the change.

I don't blame you all for flaming me, because you can't tell what my intention was. So this video was made for a subscriber who uses COMODO AV and wanted to know whether there are any serious issues to look into. This is just one of them, but it is quite popular and should have been covered. The demo does not illustrate a Ransomware attack but rather a DATA-BREACH demo. I believe a lot of security products nowadays are able to protect against ransomware, but not against DATA-BREACH or PRIVATE-DATA LEAKAGE.
 

ForgottenSeer 58943

Comodo = bug factory and horrible signatures, step well away from this program (n)

In all my years as a cybersecurity person, IT engineer, and other things I won't mention, traveling the world and meeting thousands of people, never once in my life did anyone ever say 'I use Comodo'. I get it though, CS and the videos drum up some interest in it here and there, but otherwise? :unsure:
 

Emmanuellws (Level 3, Thread author, Verified; joined Mar 11, 2017; 132 messages)
I LOL'd at the end when Access Denied (STATUS_ACCESS_DENIED, to be precise) was being thrown back for the process termination attempts. STATUS_ACCESS_DENIED was being returned because a COMODO driver must have set up ObRegisterCallbacks to deny handle creation/duplication with access rights of XXXXXX, and thus the Windows Kernel returns STATUS_ACCESS_DENIED when the requested access rights cannot be granted.

Then again, COMODO use a hypervisor, so they could've just patched the Windows Kernel and hidden the memory changes from KPP's DPC-timer-based memory checks with EPT and/or RVI anyway.

Anyway, trust me when I say this: what was uploaded here would never ever have been deemed valid by any main vendor in a million years. Maybe if the vendor was silly they would accept it. COMODO definitely won't.

COMODO AV's services are quite persistent and I am impressed with that, but that doesn't stop the attacker from performing further data breaches and stealing more sensitive information. Stealing data and keylogging do not need higher privileges.
 

AtlBo (Level 28, Verified, Top Poster, Content Creator, Well-known; joined Dec 29, 2014; 1,711 messages)
If you are the creator of the video (I didn't catch this part), did you inform Comodo or go to the Comodo forums? I know this is something that would go straight to the top of their list of concerns.

Lately I think I am beginning to notice how much of a cutting edge is in the misdirection and in the distractive techniques of malware writers. I have believed for a long time that this sensational malware battle we see on the news and so on, even much of the targeted malware activity, is just a cover for the real money-making activity that big-time hackers pursue... and probably countries too sometimes. This type of activity could too often be happening in the form of paying people off for insider information... so the hack will be easy and so that it can be done in a customized way and with a 100% guarantee of stealth and persistence. Yep, there are real human faces behind these made-for-TV attacks. At any rate, this is why I am beginning to feel like I need to be asking more often, "Who in some IT consulting firm or whatever may have sold out to hackers for pay, <leading to this serious hack>?" For that matter, who is here working MalwareTips to widen the cracks that can bring success for hackers?

The trouble with your video is that it is not possible to know if it is part of the distraction or actually real. That doesn't help users, honestly. Maybe it's good you posted the video if it is real, but you can still go to Comodo if you haven't already... maybe they will pay you to help them end for keeps the types of threats you have discovered. Isn't that the way it's supposed to work?
 

Emmanuellws (Level 3, Thread author, Verified; joined Mar 11, 2017; 132 messages)
Yep. But I am not a COMODO AV user. If they had a Bug Bounty I would have joined that, of course. But I was doing it as a favor for one of my subscribers who uses COMODO. Real or not? Try it for yourself using CACTUSTORCH_DDE from GitHub and you will be surprised that it works flawlessly. I illustrated the use of CACTUSTORCH DDE in detail in one of my demos to bypass Panda Adaptive Defense.
 
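The post above points at a DDE field inside an Office document as the delivery mechanism. For anyone who wants to check their own documents rather than take a video's word for it, here is an added example (written for this page, not code from the thread author or from the CACTUSTORCH project) that scans a .docx for DDE/DDEAUTO field codes. It reads every XML part under word/ (document body, headers, footers, footnotes), handles both simple fields and complex fields whose code is split across several w:instrText runs, which is a common way to hide the DDEAUTO keyword from naive string searches, and tracks fields nested inside other fields. The embedded documents and the command line in them are constructed samples, not the CACTUSTORCH payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace; ElementTree reports tags as "{uri}localname".
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# DDE and DDEAUTO are the field types that launch an external program. Match
# anywhere in the (whitespace-normalized) field code rather than only at the
# start, so leading junk Word tolerates does not hide it.
DDE_FIELD = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(document_xml: bytes):
    """Yield every complete field code in a WordprocessingML part.

    Simple fields carry the code in w:fldSimple/@w:instr. Complex fields spread
    it over w:instrText runs between a fldChar 'begin' and the matching
    'separate' (or 'end' when there is no result); the runs are concatenated
    before matching so a split "DD" + "EAUTO" is seen whole. A stack handles a
    field nested inside another field's code (e.g. inside QUOTE).
    """
    root = ET.fromstring(document_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")

    stack = []  # one fragment list per open complex field; None once its code is complete
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "separate" and stack and stack[-1] is not None:
                yield "".join(stack[-1])   # code finished; result text follows
                stack[-1] = None
            elif kind == "end" and stack:
                parts = stack.pop()
                if parts is not None:      # field had no 'separate' marker
                    yield "".join(parts)
        elif el.tag == W + "instrText" and stack and stack[-1] is not None:
            stack[-1].append(el.text or "")


def scan_docx(data: bytes):
    """Return (part name, normalized field code) for each DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(field_codes(z.read(name)))
            except ET.ParseError:
                continue               # a malformed part is not a DDE field; report elsewhere
            for code in codes:
                normalized = " ".join(code.split())
                if DDE_FIELD.search(normalized):
                    hits.append((name, normalized))
    return hits


def build_sample_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx container; a real file has more parts, which do not affect the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


DOC_OPEN = f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
DOC_CLOSE = "</w:p></w:body></w:document>"

# Constructed samples; the cmd.exe line is a harmless stand-in payload.
BENIGN_XML = DOC_OPEN + r'<w:fldSimple w:instr=" PAGE \* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>' + DOC_CLOSE

DDE_SIMPLE_XML = DOC_OPEN + r'<w:fldSimple w:instr=" DDEAUTO c:\windows\system32\cmd.exe &quot;/k calc.exe&quot; "/>' + DOC_CLOSE

DDE_SPLIT_XML = DOC_OPEN + (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DD</w:instrText></w:r>'                       # keyword split across runs
    '<w:r><w:instrText>EAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click to update</w:t></w:r>'                          # visible result text, not the code
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
) + DOC_CLOSE


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("simple", DDE_SIMPLE_XML), ("split", DDE_SPLIT_XML)):
        print(label, scan_docx(build_sample_docx(xml)))
```

To run it against real files, replace the constructed samples with `scan_docx(open(path, "rb").read())`. It only inspects field codes in the XML parts, so it will not see DDE fields in legacy binary .doc files or in documents embedded as OLE objects; those need a different parser.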

AtlBo (Level 28, Verified, Top Poster, Content Creator, Well-known; joined Dec 29, 2014; 1,711 messages)
Not in a position to take your word for it, and I don't know the specifics of Comodo's bounty policy. I know one thing: if it is real as you indicate, they should listen to you and pay you well for the information. You have certainly, I am sure, gotten the attention here of some individuals who are interested in Comodo products. I don't mean me, but there are some individuals who have invested a large amount of energy explaining the program and why it is "unbreachable". Lots have listened too.

I use Comodo, and in spite of the video, I will continue to do so. However, please find a way to at least attempt to reach Comodo with your findings. I'm sure a number of us here would be ready to support your effort any way possible. For sure, if there was ever a reason to step up with a big bug bounty at Comodo, this seems like the one to me, assuming everything is as you say.

Seriously, you seem like the kind of person they SHOULD be hiring, again all things as you say. Curious if you have a very short description of what could be done following the success shown in the video. You say full control, so this is absolute control of the system?
 