Seeing as someone bypassed the sandbox, I decided to do some investigation as well. So here is my own exploit. Instructions:
It works on 32-bit Windows XP. It might work on Vista and 7, if UAC is disabled. Tested in VM, fresh install of CIS (“Proactive Security”) with everything at defaults (D+ at Safe Mode, Sandbox enabled, etc.)
Do not close the message box that pops up.
Verify that TestPh-ComodoExploit1.exe is running as NT AUTHORITY\SYSTEM in Task Manager.
Close the message box.
The reason this exploit works is because of our old friend, user-mode hooking. Apparently people still don’t get the message - user-mode hooking can always be passed.
I’m not going to put the code here this time because I may cause a certain moderator to get angry. PM me if you want the code.
No, this method works on all 32-bit and 64-bit systems. My test program only works on 32-bit systems and I’ve only tested it on XP (although it should work on Vista and 7). I say “don’t use Windows XP” because XP doesn’t have UAC.
This example fails when “treat unrecognized files as” is raised above the default; I wonder whether doing this actually increases protection against user-mode attacks or just happens to break your particular implementation…
Either way it’s one more reason for people to abandon XP and leave UAC enabled.
When you set it to something higher than Partially Limited it also filters the token of the process, effectively disabling admin privileges. One “lesson” here is that the sandbox is not really that useful. Just leave UAC on.
See above. You need to be using Partially Limited mode and an admin account.
Not sure if you want to investigate any further, but this is impossible unless there’s something I’m missing here. Can you please check the token of TestPh-ComodoExploit1.exe (the Security/Token tab in process properties) using Process Explorer/Hacker and give me a screenshot?
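A scripted form of the process-owner check requested in the thread (which account TestPh-ComodoExploit1.exe is running as), added here as an example and not something any participant posted. It assumes PowerShell 4.0 or later running from an elevated prompt, since Get-Process -IncludeUserName needs both; the function name Get-ProcessAccount is a hypothetical one chosen for this example. On Windows XP, where that parameter is unavailable, the equivalent information is in the "User Name" column of `tasklist /V`.

```powershell
# Added example (not from the thread): report the account a named process runs
# under and flag whether it is NT AUTHORITY\SYSTEM. Requires PowerShell 4.0+ and
# an elevated prompt; -IncludeUserName is not available on older versions.
function Get-ProcessAccount {
    param(
        # Image name without the .exe extension, e.g. 'TestPh-ComodoExploit1'
        [Parameter(Mandatory = $true)][string]$ImageName
    )
    Get-Process -Name $ImageName -IncludeUserName -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Id       = $_.Id
                Name     = $_.ProcessName
                UserName = $_.UserName
                IsSystem = ($_.UserName -eq 'NT AUTHORITY\SYSTEM')
            }
        }
}

# Returns nothing if no process with that image name is running.
Get-ProcessAccount -ImageName 'TestPh-ComodoExploit1'
```

An empty result means no matching process exists; a row with IsSystem set to True is the condition the instructions above describe. For the token details Process Explorer/Hacker show (integrity level, filtered token, group membership), the Security tab of those tools remains the more complete view.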