Author Topic: GeekBuddy TightVNC http Port opened default on 5800 without request (vulnerable)

Offline adambull

  • Newbie
  • *
  • Posts: 9
Dear Comodo Developers (specifically GeekBuddy). This below letter concerns an issue that has been identified where a tcp port 5800 vnc-http is exposed without the user requesting support or having knowledge that the port is naturally exposed by default. This is a concern because unless a secondary hardware firewall exists (i.e. a segmented network with green and red zones) it may expose the httpvnc 5800 tcp port on all Comodo firewall users' machines that have GeekBuddy to the outside world. It is infinitely appreciated that Comodo GeekBuddy TightVNC may be hardened against abuse; however, the author of the below letter is of the opinion that port 5800 tcp should only be opened as necessary as opposed to permanently by default, and it was a surprising and distressing discovery to the author, as you may come to understand from the below letter.

I would like to highlight something that is extremely important. I have been recommended here: by one of the community moderators to bring my comments/concerns here, where COMODO developers are more likely to see it.


Dear Comodo, and fellow security experts.

As a penetration tester and ethical hacker it has been a joy to use COMODO Internet Security in Safe Mode, as it is extremely paranoid and blocks many known attacks. I have used it for many joyful years.

HOWEVER:

Upon performing a port scan of my local machine with my Kali Penetration Testing Box I was really rather alarmed to see port 5800 vnc-http tcp/open when performing an NMAP -sS and NMAP -sT scan from within the Green segment of my local network. In fact I was downright frightened. Having full knowledge of all the services that run on my machine, such a discovery is of course not taken well.

Indeed, upon telnetting to the local machine with http-vnc 5800 lit up, TightVNC was indeed responding; this was a service! JESUS were my initial impressions, obviously. Upon locally connecting in a browser to localhost:5800 I am directed to a message "TIGHTVNC.COM".

root@kali:~# nmap -sS 192.168.0.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 02:30 BST
Nmap scan report for 192.168.0.100
Host is up (0.00020s latency).
Not shown: 986 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
5357/tcp  open  wsdapi
5800/tcp  open  vnc-http

Naturally, one may note that performing such a scan from within the GREEN zone of my network would be considered an almost minor absurdity, were it not for the fact that the TightVNC service was installed by Comodo Internet Security and this port opened without user knowledge. The concern is that for all users who do not possess an additional layer of security such as a hardware firewall or router, this port is left exposed to the outside world for anyone to connect, unless they possess a segmented/zoned network. How could this happen? Have I been naive? Maybe, but it is not very good, is it?

At the very least it was unclear that the Geekbuddy service installed a remote service that would open to all local connections immediately, and this concerns me greatly.

It's only by a stroke of luck that I had a SECOND hardware firewall between my Green and Red zones (that is to say, between my router and my local network hub) that port 5800 tcp was not directly exposed to the outside world, and whilst I completely appreciate that Geek Buddy is a remote assistance program that is used by Comodo engineers to provide remote assistance to Comodo users, I'm rather alarmed that the port is open and the service actively running on a permanent basis. Could this port not be opened upon the user requesting GeekBuddy remote assistance? This would be infinitely more secure and would provide relief from unexpected fright for Comodo users and sysadmins all over the world.

In fact it resembles a back door application, which is what frightened me so greatly in the first place.

Surely something can be done about this; is it really necessary to leave that port exposed like that? Not what I would expect from a company such as COMODO, whose motto is "Creating Trust Online".



I infinitely appreciate the fact that I may have been naive not to expect this opened by default, but I think you will find my point is also well made and that something should be done about this! No?

I am happy to say that after removing Geek Buddy in Add/Remove Programs of my OS, the 5800 vnc-http tcp port is no longer open. It would, however, have been nice not to have had this nasty surprise. Users and staff I am sure will be quick to correct me, but I think my initial point DOES STAND!

Thank you for taking the time to read my letter and I hope it has been directed to the right place where proper attention can be given to it!

I certainly was not exposed to any kind of risk; however, someone who is not behind a router would be unhappy to see this port exposed and would naturally be frightened if not understanding what it is, and this could be avoided by a clearer message given when installing the Geek Buddy service, as it were.

I can't help but mention that the user is of course partly to blame, but if this could be avoided then it would naturally be the most secure and sensible routine to actually mention what is being done in this process. Although this is my personal and professional opinion, I think it not an entirely unreasonable or disparate one!

Thank you!


Best Wishes,
Adam
« Last Edit: May 13, 2015, 05:10:26 AM by adambull »
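The check the poster describes, comparing a scan of a host against the services the owner knows it should run, is easy to make routine. The script below is an added example for this thread, not Comodo's code and not something the poster wrote: it parses the nmap normal-output table quoted above (embedded here as the sample input) and reports any open port that is not on an assumed baseline of expected listeners, as well as any expected listener that has disappeared. The baseline set is an assumption for the example; a real one would be built from the host's own inventory.

```python
"""Diff an nmap normal-output port table against a baseline of expected listeners.

Added example for this thread (not Comodo's or the original poster's code).
"""
import re
from typing import List, Set, Tuple

# Sample input: the nmap normal-output table quoted in the thread above.
SAMPLE_SCAN = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 02:30 BST
Nmap scan report for 192.168.0.100
Host is up (0.00020s latency).
Not shown: 986 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
5357/tcp  open  wsdapi
5800/tcp  open  vnc-http
"""

# Assumed baseline (an assumption for this example, not a list from the page):
# the (port, protocol) pairs the owner of this Windows host expects to be open.
EXPECTED_PORTS: Set[Tuple[str, str]] = {
    ("135", "tcp"), ("139", "tcp"), ("445", "tcp"),
    ("554", "tcp"), ("2869", "tcp"), ("5357", "tcp"),
}

# One row of nmap's port table: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (port, proto, state, service) tuples from nmap normal output.

    Header, host and "Not shown" lines do not start with a port number and are
    skipped, so only the port table is returned.
    """
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def diff_against_baseline(text: str, expected: Set[Tuple[str, str]]):
    """Return (unexpected, missing).

    unexpected: open ports seen in the scan that are not in the baseline,
                as (port, proto, service) tuples.
    missing:    baseline (port, proto) pairs that the scan did not report open,
                which usually means a service stopped or a filter changed.
    """
    seen_open = set()
    unexpected = []
    for port, proto, state, service in parse_nmap_ports(text):
        # nmap may report "open" or "open|filtered"; both count as listening here.
        if not state.startswith("open"):
            continue
        seen_open.add((port, proto))
        if (port, proto) not in expected:
            unexpected.append((port, proto, service))
    missing = sorted(expected - seen_open, key=lambda p: int(p[0]))
    return unexpected, missing


if __name__ == "__main__":
    new_ports, gone_ports = diff_against_baseline(SAMPLE_SCAN, EXPECTED_PORTS)
    for port, proto, service in new_ports:
        print(f"UNEXPECTED open port: {port}/{proto} ({service})")
    for port, proto in gone_ports:
        print(f"Expected listener not seen: {port}/{proto}")
```

Run against the quoted scan, the only unexpected entry is 5800/tcp (vnc-http), which is exactly the finding the letter is about; in practice the scan text would be piped in from `nmap -sS <host>` run from a known vantage point, and the baseline kept under version control so that a new listener after a software install shows up as a diff.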

Offline wasgij6

  • Volunteer Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4724
locked for double posting
| Win 8.1 Pro (x64) | UAC Disabled | Intel i7 4770k | Asus Maximus VI Formula Mobo | Asus GeForce GTX 780 | G.Skill TridentX 16gb RAM | Samsung 840 Pro SSD |

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 683
    • Comodo Technical Support
locked for double posting

I'm unlocking this topic because a fellow moderator (EricJH) has asked the user to open this thread.

Adam: I have also sent an Internal email to the team responsible for this product. Thank you for your patience!

You've got a good point here although I don't think the port would be needed for handshake. I would like to ask you to post your request as a wish in the Geekbuddy release topic. Then you have much better chances a Comodo developer will see it.
I am not a developer or employee of Comodo. I'm just an end user with common sense who happens to wear a badge.

Offline adambull

  • Newbie
  • *
  • Posts: 9
Thank you very much.

Most of all I greatly appreciate that this will now reach someone in the Comodo Development team who can assess it more proactively than I can!

Thank you for listening to my concerns, I really do very much appreciate that

Best Wishes,
Adam
« Last Edit: May 13, 2015, 06:33:37 PM by adambull »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 21016
Sorry for possible confusion I may have caused. With hindsight I should have moved your topic to this board or have merged it with the release topic.

« Last Edit: May 13, 2015, 06:35:08 PM by EricJH »

Offline adambull

  • Newbie
  • *
  • Posts: 9
I'm sorry too. Thank you for clarifying

My best wishes,
Adam

Offline wasgij6

  • Volunteer Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4724
Oops, my mistake, I do apologize.

Offline Alp Eren Kaplan

  • Comodo Browsers&GeekBuddy Product Manager
  • Moderator
  • Comodo Member
  • *****
  • Posts: 43
We will investigate this immediately. Thank you for the information, all.
