
Comodo Antivirus Multiple Vulnerabilities

Medium

Synopsis

Multiple vulnerabilities were discovered in Comodo Antivirus / Comodo Antivirus Advanced. The following vulnerabilities were verified to be present in version 12.0.0.6810 of Comodo Antivirus, except CVE-2019-3973, which only affects versions up to 11.0.0.6582.

CVE-2019-3969: Local Privilege Escalation (CmdAgent.exe)

CmdAgent.exe verifies that COM clients requesting interfaces from it are signed binaries. An attacker can bypass this signing check, however, by changing the client's process name within its PEB (Process Environment Block), or by process hollowing a Comodo- or Microsoft-signed process with malicious code. This is because CmdAgent's signature check uses the filename returned by EnumProcessModules / GetModuleFileName for the COM client's PID. Once the trusted-binary check is passed, an attacker can obtain an instance of IServiceProvider. With IServiceProvider, the attacker can then query for an interface to SvcRegKey and perform registry writes through the out-of-proc COM server as "NT AUTHORITY\SYSTEM", allowing local privilege escalation.

CVE-2019-3970: Arbitrary File Write (Modification of AV Signatures)

Comodo keeps its virus definition database in a protected folder on disk; however, Cavwp.exe loads the signatures as global section objects with no ACLs, allowing any low-privileged process to modify them in memory. Modifying this section object effectively modifies the AV definitions interpreted by Cavwp.exe, allowing an attacker to create false positives (arbitrary file quarantine) or simply to bypass AV signatures by deleting or modifying database data.

CVE-2019-3971: Denial of Service (CmdVirth.exe)

This denial of service occurs via CmdVirth.exe's LPC port named "cmdvrtLPCServerPort". A low-privileged process can connect to this port and send an LPC_DATAGRAM, which triggers an access violation because hardcoded NULLs are used as the memcpy source address. This causes CmdVirth.exe and its child svchost instances to terminate.
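The defensive lesson in this finding is that a port handler must validate the message type, the source pointer and the claimed length before it copies anything. The following C model is an added example, not Comodo's or Windows' code: the message and slot structures are constructed for illustration, the type numbers mirror the Windows LPC numbering (LPC_REQUEST = 1, LPC_DATAGRAM = 3) but nothing else about the layout is real, and the "unchecked" handler reproduces the pattern the advisory describes (an unconditional memcpy whose source is NULL for a datagram) beside a handler that fails closed instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Message types in this model mirror the Windows LPC numbering; the
   structures below are constructed for the example only. */
enum { LPC_REQUEST = 1, LPC_REPLY = 2, LPC_DATAGRAM = 3 };

typedef struct {
    uint16_t       type;        /* LPC_REQUEST, LPC_DATAGRAM, ... */
    uint16_t       data_length; /* bytes the sender claims to have sent */
    const uint8_t *data;        /* payload; NULL when the message carries none */
} lpc_message;

#define SLOT_SIZE 64

typedef struct {
    uint8_t buf[SLOT_SIZE];
    size_t  len;
} request_slot;

/* Status codes returned by the handlers. */
enum { PORT_OK = 0, PORT_ERR_TYPE = 1, PORT_ERR_LENGTH = 2, PORT_ERR_NULL = 3 };

/* Flawed pattern from the advisory: the handler assumes every message is a
   request with a payload and copies without looking at the type. For a
   datagram the source pointer is NULL, so the memcpy faults and the service
   (and everything it spawned) dies with it. Kept only for comparison; it is
   never invoked with a datagram in this example. */
int handle_unchecked(const lpc_message *m, request_slot *slot) {
    memcpy(slot->buf, m->data, m->data_length);
    slot->len = m->data_length;
    return PORT_OK;
}

/* Hardened handler: check the type, the pointer and the length before any
   copy, and return an error code rather than faulting on unexpected input. */
int handle_checked(const lpc_message *m, request_slot *slot) {
    if (m->type != LPC_REQUEST)
        return PORT_ERR_TYPE;          /* datagrams etc. are not serviced */
    if (m->data == NULL)
        return PORT_ERR_NULL;          /* no payload to copy from */
    if (m->data_length == 0 || m->data_length > SLOT_SIZE)
        return PORT_ERR_LENGTH;        /* cannot overrun slot->buf */
    memcpy(slot->buf, m->data, m->data_length);
    slot->len = m->data_length;
    return PORT_OK;
}

int main(void) {
    static const uint8_t payload[] = "scan-request";      /* constructed */
    lpc_message req   = { LPC_REQUEST, sizeof payload, payload };
    lpc_message dgram = { LPC_DATAGRAM, 16, NULL };        /* constructed malformed datagram */
    request_slot slot = { {0}, 0 };
    printf("request  -> %d\n", handle_checked(&req, &slot));   /* 0 */
    printf("datagram -> %d\n", handle_checked(&dgram, &slot)); /* 1 */
    return 0;
}
```

The point of the ordering in `handle_checked` is that the cheapest, most decisive check (message type) runs first, so a service that only ever expects requests never reaches the copy for any other message kind.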

CVE-2019-3972: Out-of-bounds Read (CmdAgent.exe)

CmdAgent.exe reads from a section object named "Global\{2DD3D2AA-C441-4953-ADA1-5B72F58233C4}_CisSharedMemBuff", which is writable by the "Everyone" Windows group. The contents of the memory are a Comodo SharedMemoryDictionary structure, which CmdAgent.exe attempts to key into and read values from. Modifying this structure's data can crash CmdAgent.exe by causing an out-of-bounds read.

CVE-2019-3973: Out-of-Bounds Write (Cmdguard.sys)

Cmdguard.sys exposes a filter port named "\cmdServicePort". Normally this is only connectable by CmdVirth.exe and has a MAX_CONNECTION of 1. A low-privileged process, however, can crash CmdVirth.exe to decrease the port's connection count and process hollow a CmdVirth.exe copy with malicious code to obtain a port handle. Once this occurs, a specially crafted message can be sent to cmdServicePort using the FilterSendMessage API, which triggers an out-of-bounds write if the lpOutBuffer parameter is near the end of the buffer's bounds. The ProbeForWrite check is bypassed by supplying a small dwOutBufferSize (within lpOutBuffer bounds). The driver then performs a memset operation that writes 0x734 bytes at the supplied address, which extends beyond the supplied lpOutBuffer bounds, causing a kernel crash.
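The root cause here is a mismatch between what the driver probes and what it writes: ProbeForWrite covers the caller-supplied dwOutBufferSize, but the memset that follows covers a fixed 0x734 bytes. The C model below is an added example and not Comodo's driver code; it stands in for the caller's address space with a fixed arena, models ProbeForWrite as a bounds check on that arena, and shows the flawed validation beside the corrected one. The only figure taken from the advisory is the 0x734-byte write; the arena size, status codes and function names are constructed for the example. The flawed version is guarded so the model never corrupts memory; it returns a distinct status where the real driver would have faulted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Size the handler actually writes into the output buffer (figure from the
   advisory). Everything else in this file is a constructed model. */
#define REPLY_SIZE 0x734

/* Stand-in for the caller's mapping: a fixed arena, with "addresses"
   modelled as offsets into it. */
#define USER_ARENA_SIZE 0x1000
static uint8_t user_arena[USER_ARENA_SIZE];

/* Model of ProbeForWrite: succeeds only if [addr, addr + len) lies inside
   the arena. Written to avoid overflow on addr + len. */
static bool probe_for_write(size_t addr, size_t len) {
    return addr <= USER_ARENA_SIZE && len <= USER_ARENA_SIZE - addr;
}

enum {
    IO_OK = 0,
    IO_INVALID_ADDRESS = 1,
    IO_BUFFER_TOO_SMALL = 2,
    IO_OVERRUN_DETECTED = 3   /* model-only: where the real driver would crash */
};

/* Flawed pattern: probe the caller's length, then write a fixed size. A small
   out_len near the end of the mapping passes the probe, and the memset runs
   past it. */
static int fill_reply_flawed(size_t out_addr, size_t out_len) {
    if (!probe_for_write(out_addr, out_len))
        return IO_INVALID_ADDRESS;
    if (REPLY_SIZE > USER_ARENA_SIZE - out_addr)
        return IO_OVERRUN_DETECTED;   /* guard for the model; not in the flawed original */
    memset(user_arena + out_addr, 0, REPLY_SIZE);
    return IO_OK;
}

/* Corrected pattern: reject buffers smaller than the reply before touching
   memory, and probe exactly the range that will be written. */
static int fill_reply_fixed(size_t out_addr, size_t out_len) {
    if (out_len < REPLY_SIZE)
        return IO_BUFFER_TOO_SMALL;
    if (!probe_for_write(out_addr, REPLY_SIZE))
        return IO_INVALID_ADDRESS;
    memset(user_arena + out_addr, 0, REPLY_SIZE);
    return IO_OK;
}

int main(void) {
    /* Constructed request: a 16-byte buffer 16 bytes before the end of the arena. */
    size_t near_end = USER_ARENA_SIZE - 0x10;
    printf("flawed: %d\n", fill_reply_flawed(near_end, 0x10)); /* 3 */
    printf("fixed:  %d\n", fill_reply_fixed(near_end, 0x10));  /* 2 */
    printf("fixed, adequate buffer: %d\n", fill_reply_fixed(0, 0x800)); /* 0 */
    return 0;
}
```

The two checks in `fill_reply_fixed` are both needed: the size comparison alone would still let a caller hand over a large length for a buffer that does not exist, and the probe alone would not stop a truthful caller whose buffer is simply too small for the reply.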

Solution

At the time of this disclosure, we are not aware of any patches released by Comodo that address these vulnerabilities. We recommend keeping up to date with future Comodo Antivirus releases.

Proof of Concept

https://github.com/tenable/poc/tree/master/Comodo

Disclosure Timeline

04/17/19 - Tenable discloses to Comodo.
04/29/19 - Tenable follows up, asking if vulnerabilities have been confirmed.
05/07/19 - Comodo confirms some vulnerabilities, waiting to confirm others.
05/20/19 - Tenable requests status update.
06/04/19 - Tenable requests status update.
06/04/19 - Comodo provides status update. No planned release date at this time.
06/04/19 - Tenable asks for confirmation of vulnerabilities.
06/07/19 - Comodo explains LPE vulnerability is partially due to Microsoft's fault.
06/10/19 - Tenable asks what Microsoft's fault is in this scenario.
06/19/19 - Tenable notifies Comodo that we plan to release CVEs for disclosed issues.
07/08/19 - Tenable asks when Comodo expects fixes for disclosed issues.
08/06/19 - Comodo provides Comodo version 12.0.0.6882 which is said to fix vulnerabilities.
08/07/19 - Tenable confirms LPE via Contained process has been fixed in 12.0.0.6882, but LPE vulnerability still exists for non-Contained processes.
08/07/19 - Comodo says they will check this with the team.
08/09/19 - Comodo says they couldn't reproduce the issue.
08/10/19 - Tenable explains PoC needed slight modification, due to cavshell.dll offsets changing in version 12.0.0.6882.
08/12/19 - Comodo says they will investigate issue.
08/12/19 - Comodo asks if Tenable sees this as part of existing vulnerability or a new vulnerability.
08/12/19 - Tenable says this is part of existing vulnerability - CVE-2019-3969.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
