Advisory 2007-02-15.01

Comodo DLL injection via weak hash function exploitation Vulnerability

Basic information:

Description:

Comodo Firewall Pro (former Comodo Personal Firewall) implements a component control, which is based on a checksum comparison of process modules. Probably to achieve a better performance, cyclic redundancy check (CRC32) is used as a checksum function in its implementation. However, CRC32 was developed for error detection purposes and can not be used as a reliable cryptographic hashing function because it is possible to generate collisions in real time. The character of CRC32 allows attacker to construct a malicious module with the same CRC32 checksum as a chosen trusted module in the target system and thus bypass the protection of the component control.

Vulnerable software:

• Comodo Firewall Pro 2.4.17.183
• Comodo Firewall Pro 2.4.16.174
• Comodo Personal Firewall 2.3.6.81
• probably all older versions of Comodo Personal Firewall 2
• possibly older versions of Comodo Personal Firewall

Events:

• 2007-02-21: Candidate for inclusion in the CVE list
• 2007-02-15: Vulnerability confirmed by popular information sources
• 2007-02-15: Advisory released
• 2007-02-01: Vendor notification

References:

• Internet Security Systems - X-Force Database
• SecuriTeam - Windows NT Focus
• National Vulnerability Database
• Common Vulnerabilities and Exposures
• SecurityFocus Vulnerabilities
• Comodo Firewall Pro
• Article about Cryptographic hash function on Wikipedia
• Article about Cyclic redundancy check on Wikipedia

valid HTML 4.01 · valid CSS 2 · optimized for you · design by martina · powered by jan · generated on August 21, 2008