Comodo Antivirus explosion multiple vulnerabilities-vulnerability warning-the black bar safety net

ID MYHACK58:62201995219
Type myhack58
Reporter 佚名
Modified 2019-07-25T00:00:00


Comodo is a company located in the United States software company, headquartered in Jersey City, was established in 1998, is a world-renowned IT security service provider and SSL certificate providers. Researchers at Comodo Antivirus / Comodo Antivirus Advanced and other products found in the plurality of vulnerabilities, the CVE number for CVE-2019-3969, CVE-2019-3970, CVE-2019-3971, CVE-2019-3972, CVE-2019-3973。 In addition to CVE-2019-3973 affect only 11. 0. 0. 6582 and low version, the other vulnerabilities are impacts to 12. 0. 0. 6810 version. CVE-2019-3969: CmdAgent. exe local privilege escalation vulnerability CmdAgent. exe to verify from Cmdagent. exe request interface to the COM client using a signed binary file. The attacker can modify the PEB Process Environment Block in the client's process name or use malicious code to process hollowing a Comodo/Microsoft Signature process to bypass the signature checking mechanism. This is because CmdAgent signature checking mechanism used from a COM client PID EnumProcessModules / GetModuleFilename. As long as through trusted binary file check, the attacker can get IServiceProvider instance. With the IServiceProvider, the attacker can query to SvcRegKey the interface through the Out-Of-Proc COM server to the registry of the operating table, to complete the local authority itself is. ! About CVE-2019-3969 vulnerability more details see: CVE-2019-3970: arbitrary file write vulnerability(modifying AV signatures) Comodo virus definition database virus definition database stored in the hard disk of the protected folder, but Cavwp. exe can be no ACL of Global Section Objects to load the signature, allow a low-privilege process in memory to be modified. Modify the section object will modify the Cavwp. exe the translation of the AV is defined, the attacker can create false-positive results or by deleting or modifying the database data to bypass AV signatures. CVE-2019-3971: DoS (CmdVirth.exe) DoS attacks occur in CmdVirth. exe LPC port cmdvrtLPCServerPort at. Low-privileged process can connect to this port and send LPC_DATAGRAM, since for the memcpy source address memory of the copy source address is hard coded to NULL, and therefore will trigger the Access Violation is. The final result CmdVirth. exe and its sub-svchost instance is terminated. CVE-2019-3972:out of bounds read vulnerability(CmdAgent.exe) CmdAgent. exe from the name"Global\{2DD3D2AA-C441-4953-ADA1-5B72F58233C4}_CisSharedMemBuff"of the Section Object to read the contents, this is everyone can write a Windows Group. The contents of memory for Comodo SharedMemoryDictionary structure. Modify the structure of the data will lead to out of bounds read, and ultimately lead to CmdAgent. exe Ben collapse. CVE-2019-3973: out of bounds write vulnerability(Cmdguard.sys) Cmdguard. sys will be exposed one named\cmdServicePort the filter port. In General only CmdVirth. exe can be connected, and MAX_CONNECTION the maximum connection number is 1. But the low-privileged process can make CmdVirth. exe crash to reduce the ports number of connections, and then use the malicious code to process hollow a CmdVirth. exe copy to get the port handle it. If these are occurred, then with filtersendmessage API to send a carefully forged message to the cmdServicePort, if the lpOutBuffer parameter is close to the buffer boundary, then it will trigger an out of bounds write vulnerability. The use of a small dwOutBufferSize in lpOutBuffer boundary range you can bypass ProbeForWrite check, and then perform the memset operation, will provide the address is set to exceed lpOutBuffer boundary 0x734 Byte will cause the kernel crash. Now Comodo has not yet released any information about these vulnerabilities patch. PoC The PoC code can be found at: