Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Comodo Support Tool Allowed Attackers to Elevate Privileges

A tech support tool bundled with Comodo security products was plagued by a vulnerability that could have been exploited by a local attacker to elevate their privileges on the system.

A tech support tool bundled with Comodo security products was plagued by a vulnerability that could have been exploited by a local attacker to elevate their privileges on the system.

The problematic software is GeekBuddy, a tool that allows Comodo’s tech support staff to remotely diagnose and repair computers. The application is installed by default with Comodo Internet Security, Comodo Firewall and Comodo Antivirus.

In order to allow support staff to remotely connect to a computer, GeekBuddy installs a VNC server on the system and enables it by default. Google Project Zero researcher Tavis Ormandy discovered that this server is protected by a weak password generated using the first eight characters of an SHA1 hash of a string comprised of several parameters related to the device’s disk.

An attacker with access to the system can generate a password, connect to the VNC and elevate their privileges. Furthermore, the vulnerability can be exploited to escape sandboxes, including the ones of Comodo and its Chromodo browser, Chrome, and Internet Explorer (Protected Mode), Ormandy said.

“It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets,” the expert noted in his advisory.

This is not an entirely new issue. A researcher informed Comodo in 2014 that the GeekBuddy VNC could be accessed without a password, and Comodo later updated the tool to address the bug. However, as Ormandy has demonstrated, adding a password that can be easily guessed hasn’t properly resolved the flaw.

Comodo has now once again attempted to patch the vulnerability with the release of GeekBuddy 4.25.380415.167 on February 10, which the vendor says has already been installed by more than 90 percent of users.

Advertisement. Scroll to continue reading.

In a blog post published after the details of the flaw were disclosed by Ormandy, Comodo pointed out that the security hole, which it rates as a “minor potential vulnerability,” cannot be leveraged by a remote attacker to connect to a machine via GeekBuddy, and it cannot be exploited remotely.

“First and foremost, GeekBuddy does NOT open any ports and does not accept any incoming connections. Only Comodo technical support, during specific support sessions, can connect and this connection is established through Comodo relay servers, not from a local network or from the internet,” explained Comodo’s senior vice president of engineering, Egemen Tas.

“Second, the vulnerability reported has nothing to do with accessing a VNC server remotely, but using a VNC server to obtain another user’s privilege level — if you have access to the same PC and know the details of the password generation algorithm,” Tas added.

This is not the first security flaw found by Ormandy in a Comodo product. Earlier this month, the expert reported that the company’s Chromium-based Chromodo web browser disabled the same origin policy (SOP), effectively turning off all web security.

Over the past months, Ormandy also reported identifying serious vulnerabilities in products from MalwarebytesTrend MicroKaspersky Lab, AVG, FireEye and Avast.

Related: Comodo Finds Misissued Certificates

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.