Comodo Internet Security Premium Improper Integrity Check Vulnerability Leading to Remote Code Execution

A critical vulnerability exists in Comodo Internet Security Premium version 12.3.4.8162, specifically within the Manifest File Handler component. The issue arises from the application's failure to properly validate the integrity of the 'cis_update_x64.xml' file, which is used to manage update metadata. This flaw allows remote attackers to manipulate the update process, potentially leading to the execution of malicious scripts with SYSTEM privileges. The vulnerability is exacerbated by a path traversal issue, enabling arbitrary file writes that could be exploited to deliver persistent malware.

Impact

Exploitation of this vulnerability allows for arbitrary file writes into the Comodo Internet Security installation folder. Any non-executable file can be written, which could be used to deliver malware. Additionally, by combining this vulnerability with the 'Exec' tag in the XML manifest, it is possible to execute the downloaded file as an NT SYSTEM user, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, set up a fake update server that the victim machine can access. The server must be configured to use a self-signed SSL certificate, which Comodo Internet Security will accept due to improper certificate validation. Once the server is running, initiate a DNS spoofing attack to redirect the update traffic to the fake server. After the update is downloaded, the malicious file can be executed to gain SYSTEM privileges on the victim machine.