Comodo Support Tool Allowed Attackers to Elevate Privileges

A tech support tool bundled with Comodo security products was plagued by a vulnerability that could have been exploited by a local attacker to elevate their privileges on the system.

The problematic software is GeekBuddy, a tool that allows Comodo’s tech support staff to remotely diagnose and repair computers. The application is installed by default with Comodo Internet Security, Comodo Firewall and Comodo Antivirus.

In order to allow support staff to remotely connect to a computer, GeekBuddy installs a VNC server on the system and enables it by default. Google Project Zero researcher Tavis Ormandy discovered that this server is protected by a weak password generated from the first eight characters of a SHA1 hash of a string composed of several parameters related to the device’s disk.

An attacker with access to the system can regenerate that password, connect to the VNC server and elevate their privileges. Furthermore, the vulnerability can be exploited to escape sandboxes, including those of Comodo and its Chromodo browser, Chrome, and Internet Explorer (Protected Mode), Ormandy said.
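The weakness described above is a general pattern: a password derived deterministically from values that any local user or sandboxed process can read is not a secret, and truncating a hash to eight hex characters caps it at 32 bits even if the inputs were unpredictable. The following Python example is added here to illustrate that pattern next to the usual fix; it is not Comodo's code, and the disk parameters, field names and derivation function are constructed stand-ins, not the inputs GeekBuddy actually used.

```python
import hashlib
import math
import secrets
import string

# Constructed sample of "parameters related to the device's disk".
# Hypothetical values: they stand in for anything a local user can read,
# and are NOT the inputs of the real GeekBuddy algorithm.
SAMPLE_DISK_PARAMS = {
    "model": "SAMPLE-SSD-512",
    "serial": "S1234567890",
    "size_bytes": "512110190592",
}


def derived_password(params: dict, length: int = 8) -> str:
    """Weak pattern (hypothetical): SHA1 over concatenated parameters, truncated.

    Any process that can read the same parameters recomputes the identical
    string, so the value offers no secrecy against a local user.
    """
    material = "|".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha1(material.encode()).hexdigest()[:length]


def is_reproducible(params: dict) -> bool:
    """A second reader with the same local access obtains the same password."""
    return derived_password(params) == derived_password(dict(params))


def keyspace_bits(length: int = 8, alphabet_size: int = 16) -> float:
    """Upper bound on the password's entropy: log2(alphabet_size ** length).

    Eight hex characters give 32 bits at most; with predictable inputs the
    effective entropy is close to zero regardless of the hash used.
    """
    return length * math.log2(alphabet_size)


def random_password(length: int = 24) -> str:
    """Hardened alternative: a per-install or per-session secret drawn from
    the OS CSPRNG, stored only where the privileged service can read it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("derived (reproducible):", derived_password(SAMPLE_DISK_PARAMS))
    print("max entropy of 8 hex chars:", keyspace_bits(), "bits")
    print("random (not reproducible):", random_password())
```

The contrast is the point: `derived_password` returns the same value on every call from every process that can read the inputs, while `random_password` yields a fresh value each time and must be communicated to the client through an authenticated channel rather than recomputed by it.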

“It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets,” the expert noted in his advisory.

This is not an entirely new issue. A researcher informed Comodo in 2014 that the GeekBuddy VNC could be accessed without a password, and Comodo later updated the tool to address the bug. However, as Ormandy has demonstrated, adding a password that can be easily guessed hasn’t properly resolved the flaw.

Comodo has now once again attempted to patch the vulnerability with the release of GeekBuddy 4.25.380415.167 on February 10, which the vendor says has already been installed by more than 90 percent of users.

In a blog post published after the details of the flaw were disclosed by Ormandy, Comodo pointed out that the security hole, which it rates as a “minor potential vulnerability,” cannot be leveraged by a remote attacker to connect to a machine via GeekBuddy, and it cannot be exploited remotely.

“First and foremost, GeekBuddy does NOT open any ports and does not accept any incoming connections. Only Comodo technical support, during specific support sessions, can connect and this connection is established through Comodo relay servers, not from a local network or from the internet,” explained Comodo’s senior vice president of engineering, Egemen Tas.

“Second, the vulnerability reported has nothing to do with accessing a VNC server remotely, but using a VNC server to obtain another user’s privilege level — if you have access to the same PC and know the details of the password generation algorithm,” Tas added.

This is not the first security flaw found by Ormandy in a Comodo product. Earlier this month, the expert reported that the company’s Chromium-based Chromodo web browser disabled the same origin policy (SOP), effectively turning off all web security.

Over the past months, Ormandy also reported identifying serious vulnerabilities in products from Malwarebytes, Trend Micro, Kaspersky Lab, AVG, FireEye and Avast.

Related: Comodo Finds Misissued Certificates

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
