Comodo Internet Security opened your PC to attackers

Comodo Internet Security, in the default configuration, installs an application called GeekBuddy that also installs a VNC server enabled by default.

The hackers of the Google Project Zero Team have found another serious security issue in the Comodo’s protection software, it is a VNC server enabled by default with a password easy to guess. It is the second problem discovered in Comodo solution in less than a month, a few days ago the Google expert Tavis Ormandy discovered a significant flaw in the Chromodo browser. The browser, in fact, has ‘Same Origin Policy’ (SOP) disabled by default, a setting that exposes users at risk.

Every time users install one of the Comodo solutions (Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security) on a Windows PC a program called GeekBuddy is installed too. This application is used by Comodo to carry out remote technical support on the machine.

The GeekBuddy software installs a VNC server enabled by default and having admin-level privileges. The VNC server open to the local network and is not protected by any authentication mechanism.

Technically, an attacker could gain full control over the computer running the Comodo system.

“Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client).”  wrote Jeremy Brown in a blog post published on Packet Storm Security.

Users can fix the issue by enabling password protection, but according to Ormandy the passwords were predictable.

“This is an obvious and ridiculous local privilege escalation, which apparently Comodo believe they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn’t prevent the attack they claim it solve” explained Ormandy.

The password is easy to extract from the Windows Registry, the operation could be executed by any logged-in user or by a malware running on the machine.

Ormandy also explained how to calculate the password by using the Win calc.exe.

This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe:

This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe like this:

$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption                                    SerialNumber  Signature   TotalTracks
VMware, VMware Virtual S SCSI Disk Device                -135723213  1997160

$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
7d4612e5

$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -

I'm using vncdotool from here:

https://github.com/sibson/vncdotool

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):

$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
    osInstanceId    REG_SZ    7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3
 

 

Ormandy reported the issue to Comodo on January 19, on February 10 the company released a fix in the version 4.25.380415.167 of GeekBuddy.

Pierluigi Paganini

(Security Affairs –VNC, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Interpol: Operation HAECHI-V led to more than 5,500 suspects arrested

International law enforcement operation Operation HAECHI-V led to more than 5,500 suspects arrested and seized…

2 hours ago

How threat actors can use generative artificial intelligence?

Generative Artificial Intelligence (GAI) is rapidly revolutionizing various industries, including cybersecurity, allowing the creation of…

12 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 22

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

18 hours ago

Security Affairs newsletter Round 500 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

Hackers stole millions of dollars from Uganda Central Bank

Financially-motivated threat actors hacked Uganda 's central bank system, government officials confirmed this week. Ugandan…

2 days ago

15 SpyLoan Android apps found on Google Play had over 8 million installs

McAfee researchers discovered 15 SpyLoan Android apps on Google Play with a combined total of…

2 days ago

This website uses cookies.