Comodo DLL injection via weak hash function exploitation Vulnerability Feb 15 2007 11:24AM
Matousec - Transparent security Research (research matousec com)

We would like to inform you about a vulnerability in Comodo Firewall Pro.


Comodo Firewall Pro (formerly Comodo Personal Firewall) implements a component control, which is based on a checksum
comparison of process modules. Probably to achieve better performance, a cyclic redundancy check (CRC32) is used as
the checksum function in its implementation. However, CRC32 was developed for error detection and cannot be used
as a reliable cryptographic hash function because it is possible to generate collisions in real time. The nature
of CRC32 allows an attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in
the target system and thus bypass the protection of the component control.

Vulnerable software:

* Comodo Firewall Pro
* Comodo Firewall Pro
* Comodo Personal Firewall
* probably all older versions of Comodo Personal Firewall 2
* possibly older versions of Comodo Personal Firewall

More details and a proof of concept including its source code are available here:


Matousec - Transparent security Research
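
The weakness described in the advisory, as an added example that is not part of the original post and not Comodo's code: a module allow-list keyed on CRC32 accepts a different file with the same checksum, while the same allow-list keyed on SHA-256 rejects it. The `ComponentControl` class, the function names, the choice of SHA-256 as the replacement, and the two sample byte strings (a well-known CRC32-colliding pair standing in for module contents) are assumptions made for illustration.

```python
import hashlib
import zlib

# Constructed stand-ins for module file contents. These two byte strings are a
# well-known pair with identical CRC32 values; they are not real DLLs.
TRUSTED_MODULE = b"plumless"
UNTRUSTED_MODULE = b"buckeroo"


def crc32_digest(data: bytes) -> str:
    """32-bit error-detection checksum, the function the advisory names."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_digest(data: bytes) -> str:
    """Collision-resistant cryptographic hash (assumed replacement)."""
    return hashlib.sha256(data).hexdigest()


class ComponentControl:
    """Hypothetical allow-list of module digests (illustration only)."""

    def __init__(self, digest_fn):
        self._digest = digest_fn
        self._allowed = set()

    def trust(self, module_bytes: bytes) -> None:
        # Record only the digest, as a checksum-comparison design would.
        self._allowed.add(self._digest(module_bytes))

    def is_trusted(self, module_bytes: bytes) -> bool:
        return self._digest(module_bytes) in self._allowed


def compare_checks():
    """Return (crc32_verdict, sha256_verdict) for the untrusted module."""
    weak = ComponentControl(crc32_digest)
    strong = ComponentControl(sha256_digest)
    for control in (weak, strong):
        control.trust(TRUSTED_MODULE)
    return weak.is_trusted(UNTRUSTED_MODULE), strong.is_trusted(UNTRUSTED_MODULE)


if __name__ == "__main__":
    weak_ok, strong_ok = compare_checks()
    print(f"CRC32 allow-list accepts a different module:   {weak_ok}")
    print(f"SHA-256 allow-list accepts a different module: {strong_ok}")
```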

Copyright 2010, SecurityFocus