Comodo: From .Git to Takeover

Maor Dayan - מאור דיין
Nov 8, 2022

First, let's start with what Comodo is.

Comodo Security Solutions, Inc. is a cybersecurity company headquartered in Clifton, New Jersey in the United States.

The firm operates a certificate authority that issues SSL certificates and offers information security products for both enterprises and consumers.

The company also helped set standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record. (Wikipedia)

First Vulnerability - GIT Source Code Exposure Vulnerability

But first, what is a Git source code exposure vulnerability? “Source code exposure vulnerability is when your application cannot protect your sensitive data like intellectual property built into the code, database passwords, secret keys, etc. It usually occurs due to web server misconfigurations or typographical errors in your scripts, like granting executable permissions to specific directories or scripts. Another way to find this was by exploiting the .git folder that was exposed to the webserver.” (ioSENTRIX)

Risk of exposed Git folder

When a .git folder is deployed along with the web application, an attacker can exploit this misconfiguration to download the entire source code along with other sensitive data, as explained above.

Now that we understand…

The vulnerability has been fixed, so I can show you the full URL:

https://forums.comodo.com/.git/config

This is the domain of the Comodo Forum. The forum is used for support, updates, and more, both by regular users and by Comodo Support employees and volunteers, so the data can be very sensitive if exposed, even though it is not the company's main domain. With this .git folder an attacker could download the full source code of Comodo's Forum:

Comodo Forum source code (it was not saved, and it was removed after the report to Comodo's security team!)

Within those files I noticed that someone had accidentally left a shell, and from there the steps to full takeover were short. I was able to create a file and then see the full system of this forum, which I already had from the .git folder vulnerability, but with more up-to-date information, for example updated database details:

Connected to the database (POC):

For security reasons, I have to hide most of the data in the screenshots.

Again, for clarification: nothing has been saved, and all information has been sent to Comodo's security team.

With all these options in the hands of a black hat hacker, this is a full takeover of their forum system!

Conclusion:

An attacker could have:

Download — Download everything, including the database.
Remove files — Remove everything, including the database.
Add & Edit files — Edit an existing page, for example the index page, and insert a malicious file or code to infect Comodo's clients, users, and employees.
And a lot more.

How to fix it?

Very simple in this case: before and after deploying your code, always check for hidden files and folders. On servers, the leading dot in .git makes the folder hidden, so a directory listing does not show it. Yes, it's that simple, but many don't check until it's too late.
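The two checks described above, as an added example that is not code from the original post: a pre-deploy scan of the web root for dot-directories that must never be published, and a post-deploy probe that tells a genuinely served `/.git/HEAD` or `/.git/config` apart from a catch-all page that answers everything with status 200. The `RISKY_NAMES` list, the `PROBES` table and the constructed sample web root are this example's own assumptions.

```python
# Added example, not code from the original post. RISKY_NAMES, PROBES and the
# constructed sample web root are this example's assumptions, not real data.
import os
import re
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# Version-control and secret-bearing entries that must never be served.
RISKY_NAMES = {".git", ".svn", ".hg", ".env", ".htpasswd"}
# HEAD is a symbolic ref or a 40-hex commit id; config opens with [core]. A
# catch-all HTML page served with status 200 matches neither and is no finding.
PROBES = {
    "/.git/HEAD": re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$"),
    "/.git/config": re.compile(r"^\[core\]$"),
}

def find_risky_paths(webroot):
    """Pre-deploy: walk the web root, return relative paths of risky entries."""
    found = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in list(dirnames) + filenames:
            if name in RISKY_NAMES:
                found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
        dirnames[:] = [d for d in dirnames if d not in RISKY_NAMES]  # report once
    return sorted(found)

def looks_served(path, status, body):
    """Post-deploy: True only if the body parses as the real file for `path`."""
    first = body.strip().splitlines()[:1]
    return status == 200 and bool(first and PROBES[path].match(first[0].strip()))

def check_site(base_url, fetch=None):
    """Probe each path; return {path: exposed}. fetch(url) -> (status, body)."""
    def default_fetch(url):
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return resp.status, resp.read(512).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:  # 403/404 is the desired outcome
            return e.code, ""
    return {p: looks_served(p, *(fetch or default_fetch)(base_url.rstrip("/") + p))
            for p in PROBES}

def make_sample_webroot():
    """Constructed sample deployment: an app tree with a stray .git and .env."""
    root = Path(tempfile.mkdtemp())
    (root / ".git" / "objects").mkdir(parents=True)
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".env").write_text("DB_PASSWORD=placeholder\n")
    return str(root)
```

Run `find_risky_paths` against the build artifact in CI before it is pushed, and `check_site` against the live host right after each deploy; a 403 or 404 for both probe paths is the result you want.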

Notes & information:

I hope you enjoyed reading and learning. I usually write articles/blogs once in a while, not that often.

Nothing from the next examples has been downloaded, and if so, nothing has been saved; everything has been screenshotted for Comodo's security team, which has not replied to any of my reports, but everything has been fixed a couple of hours/days after my reports. All of the shells were reported to Comodo.

But! Because I do not know for sure how the ‘not-that-good’ shell was uploaded to the server in the first place, there is a significant risk until Comodo's security team takes care of it!

The vulnerabilities have been fixed, some a couple of hours after my reports and some after a couple of days and a lot of urgent emails from me. But again, Comodo's security team does not answer any emails or tickets right away; sometimes it can take a couple of months, or they do not answer at all.
