Comodo DLL injection via weak hash function exploitation Vulnerability


gre87y
February 16th, 2007, 12:00 AM
Description:

Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control that is based on a checksum comparison of process modules. Probably to achieve better performance, a cyclic redundancy check (CRC32) is used as the checksum function in its implementation. However, CRC32 was developed for error detection purposes and cannot be used as a reliable cryptographic hash function, because it is possible to generate collisions in real time. The nature of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module on the target system and thus bypass the protection of the component control.
Vulnerable software:

* Comodo Firewall Pro 2.4.17.183
* Comodo Firewall Pro 2.4.16.174
* Comodo Personal Firewall 2.3.6.81
* probably all older versions of Comodo Personal Firewall 2
* possibly older versions of Comodo Personal Firewall

http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php

TOMxEU
February 16th, 2007, 02:56 AM
CRC32 is supposed to be used only for error checking (archives), not as a security feature.
Even though MD5 & SHA1 are not the best, they are still much better than lame CRC32.
I do not know of any quality security software that would not use at least MD5, e.g. Outpost Pro.
Comodo has just sunk down in my eyes. I wonder, what their response is going to be about it.

srinat
February 16th, 2007, 07:14 AM
So is any other firewall better in this aspect?

Dwarden
February 17th, 2007, 12:15 PM
MD5 may be enough for most of time (yet it's already weak)

but I hope that upcoming releases of Comodo Firewall are going to introduce some SHA hashes
(or optionable faster MD5 for performance/slower SHA-256 as secure)

use of CRC32 was IMHO just cheap perf/coding trick

Rasheed187
February 27th, 2007, 10:47 AM
This is very disappointing, strange that developers always seem to slip up. Of course 100% bug-free code does not exist, but these simple things must not be overlooked!

I also wonder if some companies actually bought any of these reports from Matousec? Would be cool if all of these bugs were fixed, should make firewalls a lot safer. ::)

dave88
March 10th, 2007, 07:32 PM
Is the latest version of Comodo 2.4.18.184 still using CRC32 for checksums?

dave88
March 11th, 2007, 07:47 PM
I guess it's probably still using CRC32; this bugs me much more than the "magic pipe" vulnerability.

FanJ
March 11th, 2007, 08:13 PM
Quote: "Description:

Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control that is based on a checksum comparison of process modules. Probably to achieve better performance, a cyclic redundancy check (CRC32) is used as the checksum function in its implementation. However, CRC32 was developed for error detection purposes and cannot be used as a reliable cryptographic hash function, because it is possible to generate collisions in real time. The nature of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module on the target system and thus bypass the protection of the component control."


The way those checksums are stored is something else to consider...
(not only for CRC32; any checksum algorithm used for something like that).
Years and years ago I posted about it (long before I heard of Comodo).