Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Firewall)  >   Comodo Firewall Pro Vendors:   Comodo Group
Comodo Firewall Pro 'cmdmon.sys' Driver Lets Local Users Deny Service and Potentially Gain Elevated Privileges
SecurityTracker Alert ID:  1017580
SecurityTracker URL:
CVE Reference:   CVE-2007-0708, CVE-2007-0709   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Feb 1 2007
Impact:   Denial of service via local system, Root access via local system
Exploit Included:  Yes  
Version(s):; prior versions may also be affected
Description:   David Matousek of reported a vulnerability in Comodo Firewall Pro. A local user can cause denial of service conditions. A local user may be able to obtain elevated privileges on the target system.

The firewall software hooks several System Service Descriptor Table (SSDT) functions but does not properly validate user-mode input. Calls to the NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread, and NtSetValueKey functions are affected. A local user can supply specially crafted values to trigger an error in the 'cmdmon.sys' driver and cause the target system to crash.

A local user may also be able to execute arbitrary code on the target system with kernel level privileges. However, the report did not confirm code execution.

Comodo Personal Firewall function calls are also affected, including the NtConnectPort and NtCreatePort function calls.

The vendor was notified on January 24, 2007.

The original advisory and demonstration exploit is available at:

Impact:   A local user can cause the target system to crash.

A local user may be able to obtain kernel level privileges on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Comodo Multiple insufficient argument validation of hooked SSDT function


We would like to inform you about a vulnerability in Comodo Firewall Pro.


Comodo Firewall Pro (former Comodo Personal Firewall) hooks many functions in SSDT and 
in at least seven cases it fails to validate arguments that come from the user mode. 
User calls to NtConnectPort (CFP is not affected), NtCreatePort (CFP is not affected), NtCreateSection, NtOpenProcess, NtOpenSection, 
NtOpenThread and NtSetValueKey with invalid argument values can cause system crashes 
because of errors in CFP driver cmdmon.sys. Further impacts of this bug (like arbitrary 
code execution in the kernel mode) were not examined.

Vulnerable software:

    * Comodo Firewall Pro
    * Comodo Personal Firewall
    * probably all older versions of Comodo Personal Firewall 2
    * possibly older versions of Comodo Personal Firewall

More details and a proof of concept including its source code are available here:


Matousec - Transparent security Research

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, LLC