Comodo Internet Security - DLL Preloading and Potential Abuses (CVE-2019-18215)
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a vulnerability in Comodo Internet Security software.
In this post, we demonstrate how this vulnerability could have been used in order to achieve self-defense bypass, defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a signed process that runs as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability, the attacker needs to have Administrator privileges.
Comodo Internet Security (CIS), developed and distributed by Comodo Group, is a free Internet security suite that includes an antivirus program, personal firewall, sandbox and a host-based intrusion prevention system (HIPS).
In our exploration, we targeted the cavwp.exe process, which is a signed process that runs as NT AUTHORITY\SYSTEM.
When started, cavwp.exe tries to load the missing iLog.dll library from its own directory.
Usually, AV products restrict any modification (such as writing, adding or modifying files) to their folders by using a mini-filter driver which enforces a read-only policy on all users (including Administrator).
Despite this fact, we tried to implant a DLL, thinking “Who knows, it might even work…”.
In order to test this vulnerability, we compiled an arbitrary DLL which writes the following to the filename of a txt file:
We then placed it in the following path and restarted the computer:
C:\Program Files\COMODO\COMODO Internet Security\iLog.dll
We were able to load an arbitrary DLL and execute our code within cavwp.exe, which was signed by COMODO and ran as NT AUTHORITY\SYSTEM.
Once the cavwp.exe process is started, it loads the signmgr.dll library.
Next, the signmgr.dll library tries to load the iLog.dll library using LoadLibraryW:
There are two root causes for these vulnerabilities:
Comodo Internet Security currently doesn’t have this kind of mechanism, so attackers can implant arbitrary DLLs in the product’s folder.
Below we show three possible ways that an attacker can leverage these vulnerabilities which we discovered and documented above.
The vulnerability gives attackers the ability to load and execute malicious payloads within the context of a COMODO signed process. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass.
The vulnerability gives an attacker the ability to load and execute malicious payloads in a persistent way, each time the services are loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time they are restarted.
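Both abuses above share one observable: a process from the Comodo install directory mapping a DLL that has no valid signature. The following Python code is an added example, not from the original post or from Comodo; it filters Sysmon Event ID 7 (image load) records for that condition. The sample XML is constructed, and it assumes Sysmon is deployed with image-load logging enabled.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Install directory taken from the iLog.dll path shown in the post.
PROTECTED_DIR = r"C:\Program Files\COMODO\COMODO Internet Security"

# Constructed sample: three image-load records trimmed to the fields used below.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="Image">C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe</Data>
<Data Name="ImageLoaded">C:\Program Files\COMODO\COMODO Internet Security\signmgr.dll</Data>
<Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="Image">C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe</Data>
<Data Name="ImageLoaded">C:\Program Files\COMODO\COMODO Internet Security\iLog.dll</Data>
<Data Name="Signed">false</Data><Data Name="SignatureStatus">Unavailable</Data></EventData></Event>
<Event><System><EventID>7</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Temp\plugin.dll</Data>
<Data Name="Signed">false</Data><Data Name="SignatureStatus">Unavailable</Data></EventData></Event>
</Events>"""

def _under(path, root):
    """Case-insensitive 'path is inside root' test using Windows path rules."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p.startswith(r + "\\")  # trailing separator rejects sibling dirs sharing the prefix

def unsigned_loads(xml_text, root=PROTECTED_DIR):
    """Return (process, dll_path, signature_status) for every image load in which a
    process under `root` mapped a DLL that is not validly signed."""
    findings = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue  # only image-load events are relevant
        d = {x.get("Name"): (x.text or "") for x in ev.iterfind("e:EventData/e:Data", NS)}
        trusted = d.get("Signed", "").lower() == "true" and d.get("SignatureStatus") == "Valid"
        if _under(d.get("Image", ""), root) and not trusted:
            findings.append((ntpath.basename(d["Image"]), d.get("ImageLoaded", ""),
                             d.get("SignatureStatus", "")))
    return findings

if __name__ == "__main__":
    for proc, dll, status in unsigned_loads(SAMPLE):
        print(f"{proc} loaded DLL without valid signature: {dll} ({status})")
```

The check keys on the loading process rather than the DLL location, so it also covers an unsigned DLL resolved from a directory outside the install folder.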
July 22nd, 2019 - Vulnerability reported to Comodo
Aug 4th, 2019 - Initial response from Comodo
Aug 19th, 2019 - Status Update from Comodo
Aug 21st, 2019 - Status Update from Comodo
Sep 24th, 2019 - Status Update from Comodo
Oct 18th, 2019 - Status Update from Comodo
Oct 20th, 2019 - We asked MITRE to issue a CVE.
Oct 20th, 2019 - MITRE issued CVE-2019-18215.
Oct 22nd, 2019 - Comodo announced that Comodo Internet Security 2019 v22.214.171.12414 RC is available for download and testing.
Oct 22nd, 2019 - Comodo informed us that the official version (v126.96.36.19914) was released, with the release notes “Fixed: - Preventing unsigned DLLs from loading into CIS processes”.