
Unpatched Zero-Day in Comodo Firewall Driver Enables Remote System Crash via IPv6 Packet

Marcus Hutchins discovered a zero-day in Comodo's firewall driver where a single crafted IPv6 packet can crash a Windows system by exploiting an integer underflow in the extension header parser.

CSBadmin

How the Vulnerability Works

A critical zero-day vulnerability has been discovered in Comodo Internet Security’s firewall driver, Inspect.sys, by researcher Marcus Hutchins. The flaw, named ComoDoS, resides in the driver’s IPv6 header parser. When processing IPv6 packets with extension headers, the parser subtracts header lengths from a payload length value taken directly from the attacker-controlled IPv6 header. Critically, the code never validates this payload length field. An attacker can set the IPv6 payload length to a value smaller than the combined extension header lengths, causing an unsigned 64-bit variable to underflow and wrap around to an extremely large number. The driver then attempts to parse the TCP/IP headers using this corrupted length, triggering a kernel crash and a Blue Screen of Death.
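
To make the arithmetic concrete, here is an added example in C (not Hutchins’ code and not Comodo’s driver): a simplified IPv6 extension header walker, assumed to handle only Hop-by-Hop, Routing and Destination Options headers, first with the unchecked subtraction the article describes and then with the validation that rejects an undersized Payload Length. The packet bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define IPV6_HDR_LEN 40u

/* Hop-by-Hop (0), Routing (43), Destination Options (60): a "next header" byte,
 * then Hdr Ext Len in 8-octet units, excluding the first 8 octets. */
static bool is_generic_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 60; }
static uint64_t ext_len(const uint8_t *hdr) { return ((uint64_t)hdr[1] + 1) * 8; }

/* Mirrors the flawed arithmetic described above: the declared Payload Length is
 * trusted and header sizes are subtracted unchecked, so a value smaller than the
 * headers wraps the 64-bit count that is then handed to the TCP/UDP parser. */
uint64_t remaining_unchecked(const uint8_t *pkt, size_t len) {
    if (len < IPV6_HDR_LEN) return 0;
    uint64_t remaining = ((uint64_t)pkt[4] << 8) | pkt[5];   /* IPv6 Payload Length */
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    while (is_generic_ext(nh) && off + 8 <= len) {
        uint64_t h = ext_len(pkt + off);
        remaining -= h;                      /* BUG: never checks h <= remaining */
        nh = pkt[off];
        off += h;
    }
    return remaining;
}

/* Hardened version: Payload Length is bounded by the bytes actually present and
 * every subtraction is guarded. Returns the upper-layer length, or -1 if malformed. */
int64_t remaining_checked(const uint8_t *pkt, size_t len) {
    if (len < IPV6_HDR_LEN) return -1;
    uint64_t remaining = ((uint64_t)pkt[4] << 8) | pkt[5];
    if (remaining > len - IPV6_HDR_LEN) return -1;   /* claims more than is on the wire */
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    while (is_generic_ext(nh)) {
        if (remaining < 8) return -1;                /* no room for a minimal ext header */
        uint64_t h = ext_len(pkt + off);
        if (h > remaining) return -1;                /* exactly the underflow case */
        remaining -= h;
        nh = pkt[off];
        off += h;
    }
    return (int64_t)remaining;
}

/* Constructed samples (not captured traffic): 40-byte IPv6 header with Next Header 0
 * (Hop-by-Hop), then an 8-byte Hop-by-Hop header pointing at TCP (6). good_pkt declares
 * Payload Length 28 (8 ext + 20 TCP); bad_pkt declares 0, smaller than its own header. */
const uint8_t good_pkt[68] = { 0x60, 0, 0, 0, 0x00, 0x1c, 0, 64, [40] = 6, 0 };
const uint8_t bad_pkt[48]  = { 0x60, 0, 0, 0, 0x00, 0x00, 0, 64, [40] = 6, 0 };
```

On bad_pkt the unchecked walker returns 2^64 - 8, the kind of corrupted length the article says is then used to parse the transport header, while the checked walker rejects the packet before any subtraction.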

Impact and Scope

The attack can be executed remotely with a single malformed IPv6 packet, bypassing all configured firewall rules. The proof-of-concept exploit is remarkably compact, requiring just four lines of Python code using the Scapy library. Beyond the denial-of-service capability, Hutchins also identified potential out-of-bounds read and write paths triggered by the same underflow condition, though exploitation of those primitives faces significant constraints. Hutchins reported the vulnerability to Comodo’s security team with a full root cause analysis, patch suggestions, and proof-of-concept code, but received no acknowledgment. At the time of publication, no patch exists, leaving all Comodo Internet Security users vulnerable to remote system crashes.

Source: Cyber Security News
