Comodo Antivirus Multiple Vulnerabilities

Multiple vulnerabilities were discovered in Comodo Antivirus / Comodo Antivirus Advanced. The following vulnerabilities were verified to be present in version 12.0.0.6810 of Comodo Antivirus, except CVE-2019-3973, which only affects versions up to 11.0.0.6582.

CVE-2019-3969: Local Privilege Escalation (CmdAgent.exe)

CmdAgent.exe verifies COM clients requesting interfaces from Cmdagent.exe are signed binaries. An attacker can bypass this signing check however by changing the client's process name within it's PEB (Process Environment Block), or process hollowing a Comodo/Microsoft signed processes with malicious code. This is because CmdAgent's signature check uses the filename from EnumProcessModules / GetModuleFilename for the COM Client's PID. Once passing trusted binary check, an attacker can obtain an Instance of IServiceProvider. With IServiceProvider, the attacker can then query for an interface to SvcRegKey and perform registry writes through the Out-Of-Proc COM server as "NT AUTHORTIY\SYSTEM", allowing local privilege escalation. 

CVE-2019-3970: Arbitrary File Write (Modification of AV Signatures)

Comodo keeps it's virus definition database in a protected folder on disk, however Cavwp.exe loads the signatures as Global Section Objects with no ACLs, allowing any low privileged process to modify them in memory. Modifying this section object essentially modifies the AV definitions interpreted by Cavwp.exe, allowing an attacker to create false positives (arbitrary file quarantine) or simply bypassing AV signatures through deleting/modifying database data.

CVE-2019-3971: Denial of Service (CmdVirth.exe)

This denial of service occurs due to CmdVirth.exe's LPC port named "cmdvrtLPCServerPort". A low privileged process can connect to this port and send an LPC_DATAGRAM, which triggers an Access Violation due to hardcoded NULLs used for a memcpy source address. This results in CmdVirth.exe and it's child svchost instances to terminate.

CVE-2019-3972: Out-of-bounds Read (CmdAgent.exe)

CmdAgent.exe reads from a Section Object named "Global\{2DD3D2AA-C441-4953-ADA1-5B72F58233C4}_CisSharedMemBuff". This is writable by the "Everyone" Window's group. The contents of the memory is a Comodo SharedMemoryDictionary structure, which is attempted to be keyed into and values be read. Modifying this structure data can crash CmdAgent.exe by causing an Out-of-bounds read.

CVE-2019-3973: Out-of-Bounds Write (Cmdguard.sys)

Cmdguard.sys exposes a filter port named "\cmdServicePort". Normally this is only connectable by CmdVirth.exe and has MAX_CONNECTION of 1. A low-privileged process however, can crash CmdVirth.exe to decrease the port's connection count and process hollow a CmdVirth.exe copy with malicious code to obtain a port handle. Once this occurs, a specially crafted message can be sent to cmdServicePort using "filtersendmessage" API, which triggers an out-of-bounds write if lpOutBuffer parameter is near the end of buffer bounds. The ProbeForWrite check is bypassed by supplying a small dwOutBufferSize (within lpOutBuffer bounds). The driver then performs a memset operation which sets 0x734 bytes at this supplied address which is beyond supplied lpOutBuffer bounds, causing kernel crash.

https://github.com/tenable/poc/tree/master/Comodo