Security Support Tool Patched
Tuesday, February 23, 2016 @ 05:02 PM gHale
Comodo security products that bundle in a tech support tool had a vulnerability an attacker could leverage to elevate system privileges.
The software presenting the problem is GeekBuddy, a tool that allows Comodo’s tech support staff to remotely diagnose and repair computers. The software is a default application with Comodo Internet Security, Comodo Firewall and Comodo Antivirus.
GeekBuddy installs a VNC server on the system and enables it by default in order to allow support staff to remotely connect to a computer.
Google Project Zero researcher Tavis Ormandy discovered this server ends up protected by a weak password generated using the first eight characters of an SHA1 hash of a string comprised of several parameters related to the device’s disk.
An attacker with access to the system can generate a password, connect to the VNC and elevate their privileges. In addition, the vulnerability can escape sandboxes, including the ones of Comodo and its Chromodo browser, Chrome, and Internet Explorer (Protected Mode), Ormandy said.
“It feels like there might be a way to make this remote, perhaps via dns-rebinding and websockets,” Ormandy said in a blog post.
Comodo patched the vulnerability with the release of GeekBuddy 4.25.380415.167 on February 10, which the vendor said has already installed by more than 90 percent of users.