Hey there! I'm the researcher that found the RCE in Comodo! I didn't see this topic until just now. I want to fully break this down (just for fun and to share technical details).
- Comodo doesn't have any integrity check whatsoever. That means a threat actor can easily create a fake update server. There are other defense mechanisms, but they can be bypassed to make a full chain attack.
- The first mechanism is binary signing. Comodo verifies ANY PE file. Funny enough, I just used a PowerShell script to bypass this. That was hilarious.
- The connection is using HTTPS. However, the update client of Comodo ignores the cert check. That means any HTTPS server with an invalid certificate is accepted. In fact, Comodo has an official changelog somewhere that says updates started using HTTPS from 2020.
- The exploit is a LAN RCE. But since that's a desktop application, it's dangerous enough.
- The update client is also vulnerable to Arbitrary Command Execution (yes, it executes commands from the server) and Path Traversal. There are several ways to create a full chain attack. But the Command Execution is the most dangerous one because it executes commands as a sub-process of cmdagent.exe, the service of Comodo. Ofc this one is trusted by Comodo.
- The other attack chains write a file on disk. After that, the executed payload runs under Comodo's sandbox. However, this so-called sandbox didn't prevent many post-exploit modules like gaining NT-SYSTEM or hashdump.
- There was no response from Comodo. After a quick Google search, there was a researcher who found a vulnerability in Comodo and he didn't have any response either. The worst part is, I saw a very misinformed comment on the Comodo forum (cruelsister) and I tried to register on the Comodo forum. Comodo gave me a 502 error every time (lol).
- Comodo users can enable HIPS (AV) and anti-ARP Spoofing (Firewall). Both options are not enabled by default.
That was a huge disappointment about Comodo, really. I really liked Comodo when I started learning Cybersecurity.