Comodo DLL injection via weak hash function exploitation Vulnerability

Discussion in 'other firewalls' started by gre87y, Feb 16, 2007.

Thread Status:
Not open for further replies.
  1. gre87y

    gre87y Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    164
    Description:

    Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control, which is based on a checksum comparison of process modules. Probably to achieve better performance, the cyclic redundancy check (CRC32) is used as the checksum function in its implementation. However, CRC32 was developed for error detection purposes and cannot be used as a reliable cryptographic hashing function because it is possible to generate collisions in real time. The character of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.

    Vulnerable software:

    * Comodo Firewall Pro 2.4.17.183
    * Comodo Firewall Pro 2.4.16.174
    * Comodo Personal Firewall 2.3.6.81
    * probably all older versions of Comodo Personal Firewall 2
    * possibly older versions of Comodo Personal Firewall

    http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    CRC32 is supposed to be used only for error checking (archives), not as a security feature.
    Even though MD5 & SHA1 are not the best, they are still much better than lame CRC32.
    I do not know a quality security software, which would not use at least MD5, eg Outpost Pro.
    Comodo has just sunk down in my eyes. I wonder, what their response is going to be about it.
     
  3. srinat

    srinat Registered Member

    Joined:
    Feb 14, 2007
    Posts:
    9
    Location:
    INDIA
    So is any other firewall better in this aspect?
     
  4. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    MD5 may be enough for most of the time (yet it's already weak)

    but I hope that upcoming releases of Comodo Firewall are gunna introduce some SHA hashes
    (or optionable faster MD5 for performance/slower SHA-256 as secure)

    use of CRC32 was IMHO just cheap perf/coding trick
     
    Last edited: Feb 17, 2007
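
The weakness described in the advisory and the SHA-256 replacement suggested above, as an added example that is not part of the thread and is not Comodo's code. It runs an untargeted birthday search over constructed sample data (not the chosen-module construction the advisory refers to) to show how quickly a 32-bit checksum collides, then applies a CRC32 lookup and a SHA-256 lookup to the same pair; all function names are hypothetical.

```python
import hashlib
import hmac
import zlib


def find_crc32_collision():
    """Birthday search: return two distinct byte strings sharing one CRC32."""
    seen = {}
    counter = 0
    while True:
        # Constructed sample data: SHA-256 of a counter stands in for module bytes.
        blob = hashlib.sha256(str(counter).encode()).digest()
        crc = zlib.crc32(blob)
        if crc in seen:
            return seen[crc], blob
        seen[crc] = blob
        counter += 1


def crc32_trusted(module_bytes, trusted_crcs):
    """Weak check of the kind the advisory describes: 32-bit checksum lookup."""
    return zlib.crc32(module_bytes) in trusted_crcs


def sha256_trusted(module_bytes, trusted_digests):
    """Hardened check: SHA-256 digest, compared in constant time."""
    digest = hashlib.sha256(module_bytes).digest()
    return any(hmac.compare_digest(digest, t) for t in trusted_digests)


def demo():
    """Register one blob as trusted, then present the colliding blob to both checks."""
    trusted, other = find_crc32_collision()
    weak = crc32_trusted(other, {zlib.crc32(trusted)})
    strong = sha256_trusted(other, [hashlib.sha256(trusted).digest()])
    return trusted, other, weak, strong


if __name__ == "__main__":
    trusted, other, weak, strong = demo()
    print("distinct inputs:", trusted != other)
    print("CRC32 check accepts the other blob:", weak)
    print("SHA-256 check accepts the other blob:", strong)
```

The search needs on the order of 2^16 samples because CRC32 has only 2^32 possible outputs, so it finishes in well under a second on ordinary hardware.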
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    This is very disappointing, strange that developers always seem to slip up. Of course 100% bug-free code does not exist, but these simple things must not be overlooked!

    I also wonder if some companies actually bought any of these reports from Matousec? Would be cool if all of these bugs were fixed, should make firewalls a lot safer. :rolleyes:
     
  6. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Is the latest version of Comodo 2.4.18.184 still using CRC32 for checksums?
     
  7. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    I guess it's probably still using crc32, this bugs me much more than the "magic pipe" vulnerability.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564

    The way those checksums are stored is something else to consider...
    (not only for CRC32; any checksum algorithm used for something like that).
    Years and years ago I posted about it (long before I heard of Comodo).
     