‘Security Kit’ of Comodo Installed a Lame VNC Server on PCs
Softpedia.com posted on February 19th, 2016, stating that Tavis Ormandy, security researcher of Google Project Zero, has found that one of the Comodo's tech support tools packed with several security products of the organization leaves it vulnerable to attackers, who gain administrator rights on the PC of the user.
The researcher further examined the issue, and found that a remote desktop tool known as GeekBuddy, which Comodo was bundling with its security software, was responsible for this problem.
Support staff use GeekBuddy, which is a remote desktop tool, to solve problems of customers, however it additionally serves as a secondary passage that allows almost unrestricted access to computers of users'. The tool installs with complete administrator privileges, which enables an attacker to very easily achieve full control of a remote PC. Anybody could gain access to the computer of user with this backdoor, in case the client was connected to the Internet. In the event that the PC was offline, anybody could do likewise from a local network.
Any common user who is logged-in or any software running on the system could seize the VNC password from the Windows Registry, and gain more privileges by connecting to the server. The password can be presumed by those who connect remotely because it is rather predictable, simple and short. Mainly, PCs were backdoored by the security suite.
In first iterations of GeekBuddy, the tool even did not have a password, which means anybody could simply connect to the PC of the victim with an IP:port combination. Thus, this problem was complained by the users, and hence in the after versions of GeekBuddy, a password was introduced. Ormandy revealed that the password is just the initial 8 characters of SHA1".
Comodo's software was earlier probed by Mr. Ormandy, when it found that the creator of the antivirus was also shipping an insecure Chromium browser version, which is dubbed internally as Chromodo. Mr. Ormandy is renowned for finding security issues in some prominent security organizations, such as Malwarebytes, AVG, Avast, FireEye, Trend Micro, and many others.
Comodo has turned out to clear up that just its support staff can connect to GeekBuddy through particular relay servers of company, which means remote attackers could not employ this flaw. However, malware which is as of now present in the system could use it to increase its privileges and acquire more intrusive capabilities.
» SPAMfighter News - 26-02-2016