SafeBreach Labs discovered a vulnerability in Comodo Internet Security software.
In this post, we demonstrate how this vulnerability could have been used in order to achieve self-defense bypass, defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a signed process that runs as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability, the attacker needs to have Administrator privileges.
Comodo Internet Security
Comodo Internet Security (CIS) is developed and distributed by Comodo Group, a free Internet security suite that includes an antivirus program, personal firewall, sandbox and a host-based intrusion prevention system (HIPS).
In our exploration, we targeted the cavwp.exe process which is a signed process and run as NT AUTHORITY\SYSTEM.
When started, cavwp.exe tries to load the missing iLog.dll library from its own directory.
Usually, AV products restrict any modification (such as writing, adding or modifying files) to their folders by using a mini-filter driver which enforces a read-only policy on all users (including Administrator).
Despite this fact, we tried to implant a DLL, thinking “Who knows, it might even work…”.
In order to test this vulnerability, we compiled an arbitrary DLL which writes the following to the filename of a txt file:
- The name of the process which loaded it
- The username which executed it
- The name of the DLL file
We then placed it in the following path and restarted the computer:
C:\Program Files\COMODO\COMODO Internet Security\iLog.dll
We were able to load an arbitrary DLL and execute our code within cavwp.exe which was signed by COMODO and run as NT AUTHORITY\SYSTEM.
Root Cause Analysis
Once the cavwp.exe process is started it loads the signmgr.dll library.
Next, the signmgr.dll library tries to load the iLog.dll library using LoadLibraryW:
There are two root causes for these vulnerabilities:
- No digital certificate validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
- The AV has no self-protection on its folders
As I mentioned before, different AVs protect their own folders from this kind of attacks using a mini-filter filesystem driver which restricts any change to the directory of the AV.
Comodo Internet Security currently doesn’t have this kind of mechanism, so attackers can implant arbitrary DLLs in the product’s folder.
Potential Malicious Uses and Impact
Below we show three possible ways that an attacker can leverage these vulnerabilities which we discovered and documented above.
Signed Execution, Whitelisting Bypass
The vulnerability gives attackers the ability to load and execute malicious payloads within the context of a COMODO signed process. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass.
The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the services are loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.
- Comodo Internet Security v12.0 and prior
July 22nd, 2019 – Vulnerability reported to Comodo
Aug 4th, 2019 – Initial response from Comodo
Aug 19th, 2019 – Status Update from Comodo
Aug 21st, 2019 – Status Update from Comodo
Sep 24th, 2019 – Status Update from Comodo
Oct 18th, 2019 – Status Update from Comodo
Oct 20th, 2019 – We asked MITRE to issue a CVE.
Oct 20th, 2019 – MITRE issued CVE-2019-18215.
Oct 22nd, 2019 – Comodo announced that Comodo Internet Security 2019 v22.214.171.12414 RC is available for download and testing.
Oct 22nd, 2019 – Comodo informed us that the official version (v126.96.36.19914) was released, with the release notes “Fixed: – Preventing unsigned DLLs from loading into CIS processes”.