Comodo Internet Security opened your PC to attackers

Pierluigi Paganini February 19, 2016

Comodo Internet Security, in the default configuration, installs an application called GeekBuddy that also installs a VNC server enabled by default.

The hackers of the Google Project Zero Team have found another serious security issue in the Comodo’s protection software, it is a VNC server enabled by default with a password easy to guess. It is the second problem discovered in Comodo solution in less than a month, a few days ago the Google expert Tavis Ormandy discovered a significant flaw in the Chromodo browser. The browser, in fact, has ‘Same Origin Policy’ (SOP) disabled by default, a setting that exposes users at risk.

Every time users install one of the Comodo solutions (Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security) on a Windows PC a program called GeekBuddy is installed too. This application is used by Comodo to carry out remote technical support on the machine.

The GeekBuddy software installs a VNC server enabled by default and having admin-level privileges. The VNC server open to the local network and is not protected by any authentication mechanism.

Technically, an attacker could gain full control over the computer running the Comodo system.

“Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client).”  wrote Jeremy Brown in a blog post published on Packet Storm Security.

Users can fix the issue by enabling password protection, but according to Ormandy the passwords were predictable.

“This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn’t prevent the attack they claim it solve” explained Ormandy.

The password is easy to extract from the Windows Registry, the operation could be executed by any logged-in user or by a malware running on the machine.

Ormandy also explained how to calculate the password by using the Win calc.exe.

This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe:

This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe like this:

$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption                                    SerialNumber  Signature   TotalTracks
VMware, VMware Virtual S SCSI Disk Device                -135723213  1997160

$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8

$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -

I'm using vncdotool from here:

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):

$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
    osInstanceId    REG_SZ    7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3


Comodo VNC server Windows 7-2016-01-19-15-59-11

Ormandy reported the issue to Comodo on January 19, on February 10 the company released a fix in the version 4.25.380415.167 of GeekBuddy.

Pierluigi Paganini

(Security Affairs –VNC, hacking)

you might also like

leave a comment