[Full-disclosure] Comodo DLL injection via weak hash function exploitation Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2007-02-15T00:00:00



We would like to inform you about a vulnerability in Comodo Firewall Pro.


Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control that is based on a checksum comparison of process modules. Probably to achieve better performance, its implementation uses a cyclic redundancy check (CRC32) as the checksum function. However, CRC32 was developed for error detection and cannot be used as a reliable cryptographic hash function, because it is possible to generate collisions in real time. The nature of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.

Vulnerable software:

 * Comodo Firewall Pro
 * Comodo Personal Firewall
 * probably all older versions of Comodo Personal Firewall 2
 * possibly older versions of Comodo Personal Firewall

More details and a proof of concept including its source code are available here: http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php


-- Matousec - Transparent security Research http://www.matousec.com/

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
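The advisory's point that CRC32 is an error-detection code rather than a cryptographic hash can be checked directly. The following is an added example, not code from the advisory or from Comodo: it shows that CRC32 is affine over XOR (the algebraic structure that makes its output predictable), that SHA-256 has no such relation, and how a component check looks when it compares SHA-256 digests instead. The module name, sample images and allowlist are constructed for illustration.

```python
import hashlib
import hmac
import zlib


def xor3(a: bytes, b: bytes, c: bytes) -> bytes:
    """XOR three equal-length byte strings."""
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def crc32_affine_holds(a: bytes, b: bytes, c: bytes) -> bool:
    """CRC32 is affine: crc(a^b^c) == crc(a)^crc(b)^crc(c) for equal lengths."""
    return zlib.crc32(xor3(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_affine_holds(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation tested on SHA-256 digests; it does not hold."""
    def digest(m: bytes) -> bytes:
        return hashlib.sha256(m).digest()
    return digest(xor3(a, b, c)) == xor3(digest(a), digest(b), digest(c))


def module_digest(image: bytes) -> str:
    """Hex SHA-256 of a module image, used as its identity."""
    return hashlib.sha256(image).hexdigest()


def is_trusted(name: str, image: bytes, allowlist: dict) -> bool:
    """Accept a module only if its SHA-256 matches the recorded digest."""
    expected = allowlist.get(name)
    return expected is not None and hmac.compare_digest(module_digest(image), expected)


# Constructed sample data (not real module images).
TRUSTED = b"constructed trusted module image".ljust(64, b"\x00")
SAMPLE_B = bytes(range(64))
SAMPLE_C = bytes(reversed(range(64)))
MODIFIED = TRUSTED[:-1] + b"\x01"           # one byte changed
ALLOWLIST = {"trusted.dll": module_digest(TRUSTED)}   # hypothetical module name

if __name__ == "__main__":
    print("CRC32 affine relation holds:  ", crc32_affine_holds(TRUSTED, SAMPLE_B, SAMPLE_C))
    print("SHA-256 affine relation holds:", sha256_affine_holds(TRUSTED, SAMPLE_B, SAMPLE_C))
    print("trusted image accepted:       ", is_trusted("trusted.dll", TRUSTED, ALLOWLIST))
    print("modified image accepted:      ", is_trusted("trusted.dll", MODIFIED, ALLOWLIST))
```

Because the CRC32 relation holds for any equal-length inputs, a matching 32-bit checksum says nothing about whether a module is the one that was originally approved.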