Just when you thought it was safe to dive back into the Comodo waters, Google researcher Tavis Ormandy has surfaced with more trouble.
In a report publicly disclosed yesterday on the Google Project Zero site, Ormandy said that a tech support application called GeekBuddy, installed with Comodo Internet Security, also drags along a VNC server that is enabled by default.
Ormandy said it’s relatively simple to pull the password out of the Windows Registry.
VNC servers are remote access applications generally dropped onto desktop images giving admins the ability to reach out over the Internet to resolve support issues. The server shares a computer’s desktop with the admin and allows support people—and attackers who gain access—to manipulate settings, see files and perform the same actions as the computer’s owner.
“This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank,” Ormandy wrote. “That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn’t prevent the attack they claim it solved. Not to mention that this is also a sandbox escape that even works against Comodo and Chromodo sandboxes, not to mention Chrome, Protected Mode, and other sandboxes.”
Comodo pushed a hotfix to most Comodo Internet Security installations on Feb. 10, and the company estimates that about 90 percent of users have been updated.
The GeekBuddy discovery was actually posted to the Project Zero queue on Jan. 19, two days before Ormandy revealed in the same forum a serious issue with the Chromodo browser, also installed by default with Comodo’s security product. Both issues were subject to Project Zero’s 90-day disclosure deadline.
The Chromodo browser is built upon Google’s Chromium code base and Ormandy said it disabled the Same Origin Policy, a foundational browser security provision that restricts the ability of documents or scripts hosted on a site to interact with content from other origins based on URI scheme, hostname, port number and more.
In addition to disabling the Same Origin Policy, Ormandy said Chromodo hijacks DNS settings and replaces all shortcuts with Chromodo links.
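As an added illustration that is not part of this article, and not code from Chromium or Comodo, the following JavaScript shows the comparison the Same Origin Policy rests on: two documents share an origin only when their scheme, host and effective port all match, so a browser that skips this check lets a script on one site read content from any other. The sample URL pairs are constructed for the example; the default-port table and the treatment of file: URLs as opaque origins follow standard browser behaviour.

```javascript
// Added example (not from the article): a minimal same-origin check that
// mirrors what a browser does before letting a script from one document
// touch content loaded from another.

// Default ports for schemes that have a tuple (scheme, host, port) origin.
const DEFAULT_PORTS = {
  "http:": "80",
  "https:": "443",
  "ws:": "80",
  "wss:": "443",
  "ftp:": "21",
};

// Return the origin tuple for a URL, or null for schemes such as file:,
// data: and about:, whose origin is opaque and never matches anything.
function originOf(urlString) {
  const url = new URL(urlString);
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, url.protocol)) {
    return null;
  }
  return {
    scheme: url.protocol,
    host: url.hostname.toLowerCase(),
    // The URL parser drops an explicit default port, so fill it back in
    // to make "https://a.example" and "https://a.example:443" compare equal.
    port: url.port || DEFAULT_PORTS[url.protocol],
  };
}

// True only when scheme, host and effective port are all identical.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque origins never match
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs with the verdict a conforming browser gives.
const SAMPLES = [
  ["https://example.com/a", "https://example.com:443/b", true],   // default port
  ["https://EXAMPLE.com/a", "https://example.com/b", true],       // host is case-insensitive
  ["https://example.com", "http://example.com", false],           // scheme differs
  ["https://example.com", "https://example.com:8443", false],     // port differs
  ["https://example.com", "https://sub.example.com", false],      // host differs
  ["file:///tmp/a.html", "file:///tmp/b.html", false],            // opaque origins
];

// Return the number of sample pairs whose verdict disagrees with sameOrigin().
function countMismatches() {
  return SAMPLES.filter(([a, b, expected]) => sameOrigin(a, b) !== expected).length;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [a, b, expected] of SAMPLES) {
    console.log(`${a} vs ${b}: ${sameOrigin(a, b)} (expected ${expected})`);
  }
}
```

The point of the example is that the rule is cheap and mechanical; a browser build that disables it is not making a trade-off, it is removing the boundary between every site the user visits and every other.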
Ormandy and Project Zero disclosed ahead of the 90-day deadline because Comodo pushed a fix on Feb. 2; Ormandy, however, said the fix was incomplete because Comodo removed support for a particular API that he used in a proof-of-concept exploit he submitted with his bug report.
“This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable,” Ormandy said. “After ‘discussion’ with Comodo (I can’t really get any response from them, but I’m trying), I’ll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.”