Comodo: From .Git to Takeover

Maor Dayan - מאור דיין
Nov 8, 2022


Understanding Comodo Security Solutions, Inc.

Comodo Security Solutions, Inc., headquartered in Clifton, New Jersey, USA, is a leading cybersecurity company. Known for its certificate authority operations, Comodo issues SSL certificates and delivers comprehensive information security products tailored for enterprises and consumers alike. The company has also made significant contributions to standard-setting efforts, including the Internet Engineering Task Force (IETF) DNS Certification Authority Authorization (CAA) Resource Record.

Vulnerability Analysis: Git Source Code Exposure

What is Git Source Code Exposure Vulnerability?

Git Source Code Exposure Vulnerability arises when an application fails to safeguard sensitive data embedded within its source code, such as intellectual property, database passwords, and secret keys. This vulnerability typically results from web server misconfigurations or typographical errors in scripts, such as granting executable permissions to certain directories or scripts. One common method of exploitation involves an exposed .git folder on the web server.

Risks of an Exposed Git Folder

When a .git folder is deployed along with a web application, attackers can exploit this misconfiguration to download the entire source code, including sensitive data. This vulnerability poses significant risks, as it can lead to intellectual property theft and unauthorized access to critical information.

Case Study: Comodo Forum Vulnerability

The vulnerability, now remediated, was identified on the Comodo Forum domain:

https://forums.comodo.com/.git/config

The Comodo Forum serves as a platform for support, updates, and interactions between regular users, clients and Comodo support staff and volunteers. Given the forum’s role, the exposure of sensitive data even on a subdomain could have critical implications. An attacker exploiting this .git folder could potentially have downloaded the complete source code of Comodo’s Forum, and done a lot more, posing a substantial security threat.

Comodo Forum Source Code (was not saved and was removed after the report to the Comodo security team!)

Exploitation Details

During the analysis, it was discovered that an unauthorized shell had been inadvertently left within the exposed files. This oversight allowed for a rapid escalation of the attack. Leveraging the shell, I was able to create new files and gain comprehensive access to the forum’s system. This access extended beyond the initial data obtained via the .git folder vulnerability, providing up-to-date information, including current database details.

Connected to the database (POC):

For security reasons, I have to hide most of the data from the screenshots.

Again, for clarification, nothing has been saved, and all information has been sent to the Comodo security team!

With all these options in the hands of a black hat hacker, this is a full takeover of their forum system!

Conclusion:

An attacker could have done any of the following:

Download — Download everything including the database.
Remove files — Remove everything including the database.
Add & Edit files — an attacker could edit an existing page, for example the index page, and insert a malicious file or code to infect Comodo’s clients, users, and employees.
And a lot more.

How to fix it?

Very simple in this case: before and after deploying your code, always check for hidden files and folders. On servers, the dot at the start of .git usually makes the folder hidden. Yes, it's that simple, but many don’t check it until it’s too late.
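The check described above can run as a deploy gate. The script below is an added example, not the author's or Comodo's code; it goes beyond .git to other version-control folders and any dot-prefixed entry, and the allow-list and the example path are assumptions.

```shell
#!/bin/sh
# Added example: fail a deploy when hidden entries sit inside the web root.
# Assumptions: the web root is passed as the first argument; the allow-list
# (.well-known, .htaccess) is hypothetical and should match your own site.

# Prints "<severity> <path>" per finding.
# Returns 0 when clean, 1 when something was found, 2 on a bad argument.
scan_hidden() {
    root=$1
    [ -d "$root" ] || { echo "ERROR not a directory: $root" >&2; return 2; }
    findings=$(
        # Print every dot-prefixed file or folder at any depth, then prune
        # version-control folders so their internals are not listed one by one.
        find "$root" -mindepth 1 -name '.*' -print \
            \( -name .git -o -name .svn -o -name .hg -o -name .bzr \) -prune |
        while IFS= read -r entry; do
            case "${entry##*/}" in
                # Repository metadata: the full history is downloadable from it.
                .git|.svn|.hg|.bzr) echo "CRITICAL $entry" ;;
                # Hypothetical allow-list of dot-entries the site needs.
                .well-known|.htaccess) ;;
                # Anything else hidden (.env, .gitignore, editor swap files...).
                *) echo "WARN $entry" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Deploy-gate usage: sh check_hidden.sh /var/www/html   (example path)
# A non-zero exit status stops the pipeline before or after the copy step.
if [ -n "${1:-}" ]; then
    scan_hidden "$1"
    exit $?
fi
```

Run it once against the build output before deploying and once against the live document root afterwards, since files can also appear on the server outside the deploy process.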

Notes & information:

I hope you enjoyed reading and learning. Usually, I write articles/blogs once in a while, and not that often.

Nothing from the next examples has been downloaded and if so nothing has been saved, all have been screenshotted for the Security team of Comodo, which has not replied to any of my reports but all have been fixed a couple of hours/days after my reports, all of the shells were reported to Comodo.

But! Because I do not know for sure how the ‘not-that-good’ shell was uploaded to the server in the first place, there is a significant risk until Comodo’s security team takes care of it!

The vulnerabilities have been fixed a couple of hours after my reports, and some after a couple of days and a lot of urgent emails from me, but again the Comodo Security team does not answer any emails or tickets right away, and sometimes can take a couple of months or not at all.
