Comodo DLL injection via weak hash function exploitation Vulnerability

Discussion in 'other firewalls' started by gre87y, Feb 16, 2007.

Thread Status:
Not open for further replies.
  1. gre87y

    gre87y Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    164
    Description:

    Comodo Firewall Pro (former Comodo Personal Firewall) implements a component control, which is based on a checksum comparison of process modules. Probably to achieve a better performance, cyclic redundancy check (CRC32) is used as a checksum function in its implementation. However, CRC32 was developed for error detection purposes and can not be used as a reliable cryptographic hashing function because it is possible to generate collisions in real time. The character of CRC32 allows attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.
    Vulnerable software:

    * Comodo Firewall Pro 2.4.17.183
    * Comodo Firewall Pro 2.4.16.174
    * Comodo Personal Firewall 2.3.6.81
    * probably all older versions of Comodo Personal Firewall 2
    * possibly older versions of Comodo Personal Firewall http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,040
    Location:
    Slovakia
    CRC32 is supposed to be used only for error checking (archives), not as a security feature.
    Eventhough MD5 & SHA1 are not the best, they are still much more better than lame CRC32.
    I do not know a quality security software, which would not use at least MD5, eg Outpost Pro.
    Comodo has just sunk down in my eyes. I wonder, what their response is going to be about it.
     
  3. srinat

    srinat Registered Member

    Joined:
    Feb 14, 2007
    Posts:
    9
    Location:
    INDIA
    So is any other firewall better in this aspect?
     
  4. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    MD5 may be enough for most of time (yet it's already weak)

    but i hope that upcoming releases of Comodo Firewall are gunna introduce some SHA hashes
    (or optionable faster MD5 for performance/slower SHA-256 as secure)

    use of CRC32 was IMHO just cheap perf/coding trick
     
    Last edited: Feb 17, 2007
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,754
    Location:
    The Netherlands
    This is very dissapointing, strange that developers always seem to slip up. Of course 100% bugfree code does not exist, but these simple things must not be overlooked!

    I also wonder if some companies actually bought any of these reports from Matousec? Would be cool if all of these bug were fixed, should make firewalls a lot safer. :rolleyes:
     
  6. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Is the latest version of comodo 2.4.18.184 still using crc32 for checksums?
     
  7. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    I guess it's probably still using crc32, this bugs me much more than the "magic pipe" vulnerability.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,158

    The way those checksums are stored is something else to consider...
    (not only for CRC32; any checksum algorithm used for something like that).
    Years and years ago I posted about it (long before I heard of Comodo).
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.