SecurityTracker.com
Category:   Application (Firewall)  >   Comodo Firewall Pro
Vendors:   Comodo Group
Comodo Firewall Pro 'cmdmon.sys' Driver Lets Local Users Deny Service and Potentially Gain Elevated Privileges
SecurityTracker Alert ID:  1017580
SecurityTracker URL:  http://securitytracker.com/id/1017580
CVE Reference:   CVE-2007-0708, CVE-2007-0709
Updated:  May 19 2008
Original Entry Date:  Feb 1 2007
Impact:   Denial of service via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 2.4.16.174; prior versions may also be affected
Description:   David Matousek of Matousec.com reported a vulnerability in Comodo Firewall Pro. A local user can cause denial of service conditions. A local user may be able to obtain elevated privileges on the target system.

The firewall software hooks several System Service Descriptor Table (SSDT) functions but does not properly validate user-mode input. Calls to the NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread, and NtSetValueKey functions are affected. A local user can supply specially crafted values to trigger an error in the 'cmdmon.sys' driver and cause the target system to crash.

A local user may also be able to execute arbitrary code on the target system with kernel level privileges. However, the report did not confirm code execution.

Comodo Personal Firewall 2.3.6.81 is also affected; in that version the affected calls include NtConnectPort and NtCreatePort.
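
The validation that a hooked system service needs for its user-mode pointer arguments can be modeled in user space. The following C code is an added example, not Comodo's code or the advisory's proof of concept; the address layout, status codes and `protected_pid` policy are constructed, and `probe()` stands in for `ProbeForRead`/`ProbeForWrite` inside `__try`/`__except` in a real driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one mapped user page in a 32-bit address space. */
#define USER_BASE 0x00010000u
#define USER_SIZE 0x1000u
enum { ST_OK = 0, ST_ACCESS_VIOLATION = -1, ST_MISALIGNED = -2, ST_DENIED = -3 };
typedef struct { uint32_t pid, tid; } client_id_t;   /* stand-in for CLIENT_ID */
static uint8_t user_page[USER_SIZE];

/* Reject NULL, kernel, wrapping, unmapped or misaligned ranges before any access. */
static int probe(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return ST_OK;
    if (addr & (align - 1)) return ST_MISALIGNED;
    if (addr < USER_BASE || addr + len < addr || addr + len > USER_BASE + USER_SIZE)
        return ST_ACCESS_VIOLATION;   /* in a driver: the __except path */
    return ST_OK;
}

/* Capture: copy the user structure once into kernel-owned storage. */
static int capture(void *dst, uint32_t addr, uint32_t len, uint32_t align)
{
    int st = probe(addr, len, align);
    if (st == ST_OK) memcpy(dst, &user_page[addr - USER_BASE], len);
    return st;
}

/* Hardened hook for an NtOpenProcess-style call; the policy is hypothetical. */
int hook_open_process(uint32_t out_handle, uint32_t client_id, uint32_t protected_pid)
{
    client_id_t cid = { 0, 0 };
    int st = probe(out_handle, sizeof(uint32_t), 4);               /* output pointer */
    if (st == ST_OK) st = capture(&cid, client_id, sizeof cid, 4); /* input pointer */
    if (st != ST_OK) return st;      /* fail the call instead of crashing */
    return cid.pid == protected_pid ? ST_DENIED : ST_OK;  /* decide on the copy */
}

int main(void)
{
    client_id_t cid = { 1234, 0 };                   /* constructed input */
    memcpy(&user_page[0x20], &cid, sizeof cid);
    printf("valid pointer: %d\n", hook_open_process(USER_BASE, USER_BASE + 0x20, 4));
    printf("NULL pointer:  %d\n", hook_open_process(USER_BASE, 0, 4));
    return 0;
}
```

The hook returns an error status for every malformed pointer and makes its policy decision only on the captured copy, so later changes to the user buffer cannot affect it.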

The vendor was notified on January 24, 2007.

The original advisory and demonstration exploit are available at:

http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

Impact:   A local user can cause the target system to crash.

A local user may be able to obtain kernel level privileges on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.personalfirewall.comodo.com/
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 01 Feb 2007 12:40:45 +0100
Subject:  Comodo Multiple insufficient argument validation of hooked SSDT function

Hello,

We would like to inform you about a vulnerability in Comodo Firewall Pro.


Description:

Comodo Firewall Pro (former Comodo Personal Firewall) hooks many functions in SSDT and 
in at least seven cases it fails to validate arguments that come from the user mode. 
User calls to NtConnectPort (CFP 2.4.16.174 is not affected), NtCreatePort (CFP 
2.4.16.174 is not affected), NtCreateSection, NtOpenProcess, NtOpenSection, 
NtOpenThread and NtSetValueKey with invalid argument values can cause system crashes 
because of errors in CFP driver cmdmon.sys. Further impacts of this bug (like arbitrary 
code execution in the kernel mode) were not examined.


Vulnerable software:

    * Comodo Firewall Pro 2.4.16.174
    * Comodo Personal Firewall 2.3.6.81
    * probably all older versions of Comodo Personal Firewall 2
    * possibly older versions of Comodo Personal Firewall


More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php


Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/

Copyright 2014, SecurityGlobal.net LLC