Comodo DLL injection via weak hash function exploitation Vulnerability

Discussion in 'other firewalls' started by gre87y, Feb 16, 2007.

Thread Status:
Not open for further replies.
  1. gre87y

    gre87y Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    164
    Description:

    Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control, which is based on a checksum comparison of process modules. Probably to achieve better performance, a cyclic redundancy check (CRC32) is used as the checksum function in its implementation. However, CRC32 was developed for error detection purposes and cannot be used as a reliable cryptographic hashing function because it is possible to generate collisions in real time. The character of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.
    Vulnerable software:

    * Comodo Firewall Pro 2.4.17.183
    * Comodo Firewall Pro 2.4.16.174
    * Comodo Personal Firewall 2.3.6.81
    * probably all older versions of Comodo Personal Firewall 2
    * possibly older versions of Comodo Personal Firewall

    http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    CRC32 is supposed to be used only for error checking (archives), not as a security feature.
    Even though MD5 & SHA1 are not the best, they are still much better than lame CRC32.
    I do not know a quality security software, which would not use at least MD5, e.g. Outpost Pro.
    Comodo has just sunk down in my eyes. I wonder, what their response is going to be about it.
     
  3. srinat

    srinat Registered Member

    Joined:
    Feb 14, 2007
    Posts:
    9
    Location:
    INDIA
    So is any other firewall better in this aspect?
     
  4. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    MD5 may be enough for most of the time (yet it's already weak)

    but I hope that upcoming releases of Comodo Firewall are gonna introduce some SHA hashes
    (or optional faster MD5 for performance/slower SHA-256 as secure)

    use of CRC32 was IMHO just cheap perf/coding trick
     
    Last edited: Feb 17, 2007
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is very disappointing, strange that developers always seem to slip up. Of course 100% bug-free code does not exist, but these simple things must not be overlooked!

    I also wonder if some companies actually bought any of these reports from Matousec? Would be cool if all of these bugs were fixed, should make firewalls a lot safer. :rolleyes:
     
  6. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Is the latest version of Comodo 2.4.18.184 still using CRC32 for checksums?
     
  7. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    I guess it's probably still using CRC32, this bugs me much more than the "magic pipe" vulnerability.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660

    The way those checksums are stored is something else to consider...
    (not only for CRC32; any checksum algorithm used for something like that).
    Years and years ago I posted about it (long before I heard of Comodo).
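
An added example, not part of any post in this thread and not Comodo's code: it shows why CRC32 only detects accidental errors (the point of the advisory in the first post) and sketches a module allowlist that uses SHA-256 and seals each stored digest with an HMAC (the storage concern raised in the last post). The class name `ComponentAllowlist`, the module name and the sample bytes are hypothetical, and the HMAC key is assumed to be kept outside the digest store.

```python
import hashlib
import hmac
import zlib


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs CRC32(a^b^c) == CRC32(a)^CRC32(b)^CRC32(c).

    That algebraic structure catches accidental corruption but offers no
    resistance to deliberate modification, unlike a cryptographic hash.
    """
    if not len(a) == len(b) == len(c):
        raise ValueError("inputs must have equal length")
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


class ComponentAllowlist:
    """Hypothetical trusted-module store: SHA-256 digests sealed with HMAC."""

    def __init__(self, store_key: bytes):
        self._key = store_key  # assumption: key is held outside the store
        self.entries = {}      # module name -> (sha256 hex, hmac tag)

    def _tag(self, name: str, digest: str) -> str:
        msg = name.encode() + b"\x00" + digest.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def trust(self, name: str, image: bytes) -> None:
        digest = hashlib.sha256(image).hexdigest()
        self.entries[name] = (digest, self._tag(name, digest))

    def check(self, name: str, image: bytes) -> str:
        entry = self.entries.get(name)
        if entry is None:
            return "unknown"
        digest, tag = entry
        # Verify the stored record first: an edited store must not be trusted.
        if not hmac.compare_digest(tag, self._tag(name, digest)):
            return "store-tampered"
        if not hmac.compare_digest(digest, hashlib.sha256(image).hexdigest()):
            return "modified"
        return "trusted"


# Constructed sample data, not real module contents.
SAMPLE_IMAGE = b"MZ" + bytes(range(64))
```
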
     