Comodo Firewall Pro 'cmdmon.sys' Driver Lets Local Users Deny Service and Potentially Gain Elevated Privileges
SecurityTracker Alert ID: 1017580
SecurityTracker URL: http://securitytracker.com/id/1017580
CVE Reference:
CVE-2007-0708, CVE-2007-0709
Updated: May 19 2008
Original Entry Date: Feb 1 2007
Impact:
Denial of service via local system, Root access via local system
Exploit Included: Yes
Version(s): 2.4.16.174; prior versions may also be affected
Description:
David Matousek of Matousec.com reported a vulnerability in Comodo Firewall Pro. A local user can cause denial of service conditions. A local user may be able to obtain elevated privileges on the target system.
The firewall software hooks several System Service Descriptor Table (SSDT) functions but does not properly validate user-mode input. Calls to the NtCreateSection, NtOpenProcess, NtOpenSection, NtOpenThread, and NtSetValueKey functions are affected. A local user can supply specially crafted values to trigger an error in the 'cmdmon.sys' driver and cause the target system to crash.
A local user may also be able to execute arbitrary code on the target system with kernel level privileges. However, the report did not confirm code execution.
In Comodo Personal Firewall 2.3.6.81, additional hooked functions are affected, including NtConnectPort and NtCreatePort.
The vendor was notified on January 24, 2007.
The original advisory and demonstration exploit are available at:
http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
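As an added example (not part of this advisory or of Comodo's code), the following portable C model shows how a hook on a service such as NtOpenProcess should treat its user-mode arguments: probe the pointer against the user/kernel boundary, copy it once into kernel memory under a fault handler, and validate only the copy. USER_PROBE_ADDRESS, UserPage, copy_from_user and the sample page contents are constructed stand-ins for the kernel facilities and the caller's address space.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a hardened SSDT hook (not Comodo's code). USER_PROBE_ADDRESS
 * is the default MmUserProbeAddress of 32-bit Windows: anything at or above it is
 * kernel space and must never be accepted as a user-supplied pointer. */
#define USER_PROBE_ADDRESS 0x7FFF0000u
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_CID           ((NTSTATUS)0xC000000B)
typedef struct { uintptr_t UniqueProcess, UniqueThread; } CLIENT_ID;
/* Stand-in for the caller's address space: its single mapped page. */
typedef struct { uintptr_t base; uint8_t data[64]; } UserPage;

/* Same rules as ProbeForRead: aligned, no wrap-around, wholly below the boundary. */
static NTSTATUS probe_for_read(uintptr_t addr, size_t len, size_t align)
{
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr > UINTPTR_MAX - len || addr + len > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Models the __try/__except around the copy: an unmapped address is an error, not a bugcheck. */
static NTSTATUS copy_from_user(const UserPage *up, uintptr_t addr,
                               void *dst, size_t len)
{
    if (addr < up->base || addr + len > up->base + sizeof up->data)
        return STATUS_ACCESS_VIOLATION;
    memcpy(dst, up->data + (addr - up->base), len);
    return STATUS_SUCCESS;
}

/* Hardened NtOpenProcess hook: probe, capture once into kernel memory,
 * validate the copy, and use only the copy afterwards (no double fetch). */
static NTSTATUS hooked_NtOpenProcess(const UserPage *up, uintptr_t client_id)
{
    CLIENT_ID cid;
    NTSTATUS st = probe_for_read(client_id, sizeof cid, sizeof(uintptr_t));
    if (st == STATUS_SUCCESS) st = copy_from_user(up, client_id, &cid, sizeof cid);
    if (st != STATUS_SUCCESS) return st;
    return cid.UniqueProcess ? STATUS_SUCCESS : STATUS_INVALID_CID;
}

/* Constructed user page at 0x00400000: a valid CLIENT_ID at offset 0, zeros after it. */
static const UserPage *demo_page(void)
{
    static UserPage up = { .base = 0x00400000u };
    CLIENT_ID good = { 0x1234, 0 };
    memcpy(up.data, &good, sizeof good);
    return &up;
}
```

A kernel address, a pointer straddling the boundary, a misaligned pointer, an unmapped page and a zeroed CLIENT_ID each come back as a status code; the unhooked service is reached only with the validated copy.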
Impact:
A local user can cause the target system to crash.
A local user may be able to obtain kernel level privileges on the target system.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.personalfirewall.comodo.com/
Cause:
Input validation error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Subject: Comodo Multiple insufficient argument validation of hooked SSDT function
Hello,
We would like to inform you about a vulnerability in Comodo Firewall Pro.
Description:
Comodo Firewall Pro (former Comodo Personal Firewall) hooks many functions in SSDT and
in at least seven cases it fails to validate arguments that come from the user mode.
User calls to NtConnectPort (CFP 2.4.16.174 is not affected), NtCreatePort (CFP
2.4.16.174 is not affected), NtCreateSection, NtOpenProcess, NtOpenSection,
NtOpenThread and NtSetValueKey with invalid argument values can cause system crashes
because of errors in CFP driver cmdmon.sys. Further impacts of this bug (like arbitrary
code execution in the kernel mode) were not examined.
Vulnerable software:
* Comodo Firewall Pro 2.4.16.174
* Comodo Personal Firewall 2.3.6.81
* probably all older versions of Comodo Personal Firewall 2
* possibly older versions of Comodo Personal Firewall
More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php
Regards,
--
Matousec - Transparent security Research
http://www.matousec.com/