
Comodo Support Tool Allowed Attackers to Elevate Privileges

A tech support tool bundled with Comodo security products was plagued by a vulnerability that could have been exploited by a local attacker to elevate their privileges on the system.

The problematic software is GeekBuddy, a tool that allows Comodo’s tech support staff to remotely diagnose and repair computers. The application is installed by default with Comodo Internet Security, Comodo Firewall and Comodo Antivirus.

In order to allow support staff to remotely connect to a computer, GeekBuddy installs a VNC server on the system and enables it by default. Google Project Zero researcher Tavis Ormandy discovered that this server is protected by a weak password: the first eight characters of a SHA-1 hash of a string built from several parameters related to the device’s disk.

An attacker with access to the system can regenerate the password, connect to the VNC server and elevate their privileges. Furthermore, the vulnerability can be exploited to escape sandboxes, including those of Comodo and its Chromodo browser, Chrome, and Internet Explorer (Protected Mode), Ormandy said.
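The weakness described above is a design one: a password derived deterministically from data any local user can read is not a secret, and truncating the hash to eight hex characters caps it at 32 bits even if the inputs were unknown. The following Python snippet is an added illustration, not code from the article, Comodo or Project Zero; the disk parameters are constructed placeholders, and the exact string GeekBuddy hashed is not published here. It contrasts the deterministic derivation with a random secret drawn from the OS CSPRNG, and includes the check a reviewer would run to flag a password that can be recomputed from local data.

```python
import hashlib
import secrets

# Constructed, hypothetical device metadata. The real inputs GeekBuddy used
# are not given in the article; these are placeholders shaped like disk data.
EXAMPLE_DISK_PARAMS = {
    "model": "EXAMPLE-DISK",
    "serial": "PLACEHOLDER-SERIAL",
    "size": "500107862016",
}


def weak_password(params: dict) -> str:
    """Derive a password the way the article describes: the first eight hex
    characters of SHA-1 over a string built from device parameters.
    The output is deterministic, so anyone who can read the same parameters
    recovers exactly the same value."""
    material = "|".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hashlib.sha1(material.encode()).hexdigest()[:8]


def weak_keyspace_bits(n_hex_chars: int = 8) -> int:
    """Upper bound on the entropy of a truncated hex digest: 4 bits per
    character, so 8 characters give at most 32 bits, and far fewer in
    practice when the hashed inputs are readable locally."""
    return 4 * n_hex_chars


def strong_password(nbytes: int = 16) -> str:
    """What a local-only access secret should look like: 128 random bits from
    the OS CSPRNG, stored with restrictive permissions and not derivable from
    anything else on the machine."""
    return secrets.token_hex(nbytes)


def is_derivable_from_local_data(params: dict, deployed: str) -> bool:
    """Defender-side check: does the deployed credential equal what the
    deterministic derivation yields for this host? True means any local user
    with the same data can recompute it, so it offers no privilege boundary."""
    return secrets.compare_digest(weak_password(params), deployed)


if __name__ == "__main__":
    weak = weak_password(EXAMPLE_DISK_PARAMS)
    print(f"derived (weak) password: {weak}  max {weak_keyspace_bits()} bits")
    print(f"random (strong) secret:  {strong_password()}")
    print("weak password recomputable locally:",
          is_derivable_from_local_data(EXAMPLE_DISK_PARAMS, weak))
```

Run twice on the same inputs and the derived value never changes, which is exactly why a second user on the machine can reproduce it; the random secret differs on every call and cannot be reconstructed from device metadata.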

“It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets,” the expert noted in his advisory.

This is not an entirely new issue. A researcher informed Comodo in 2014 that the GeekBuddy VNC could be accessed without a password, and Comodo later updated the tool to address the bug. However, as Ormandy has demonstrated, adding a password that can be easily guessed hasn’t properly resolved the flaw.

Comodo has now once again attempted to patch the vulnerability with the release of GeekBuddy 4.25.380415.167 on February 10, which the vendor says has already been installed by more than 90 percent of users.

In a blog post published after the details of the flaw were disclosed by Ormandy, Comodo pointed out that the security hole, which it rates as a “minor potential vulnerability,” cannot be leveraged by a remote attacker to connect to a machine via GeekBuddy, and it cannot be exploited remotely.

“First and foremost, GeekBuddy does NOT open any ports and does not accept any incoming connections. Only Comodo technical support, during specific support sessions, can connect and this connection is established through Comodo relay servers, not from a local network or from the internet,” explained Comodo’s senior vice president of engineering, Egemen Tas.

“Second, the vulnerability reported has nothing to do with accessing a VNC server remotely, but using a VNC server to obtain another user’s privilege level — if you have access to the same PC and know the details of the password generation algorithm,” Tas added.

This is not the first security flaw found by Ormandy in a Comodo product. Earlier this month, the expert reported that the company’s Chromium-based Chromodo web browser disabled the same origin policy (SOP), effectively turning off all web security.

Over the past months, Ormandy also reported identifying serious vulnerabilities in products from Malwarebytes, Trend Micro, Kaspersky Lab, AVG, FireEye and Avast.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
