Seeing as someone bypassed the sandbox, I decided to do some investigation as well. So here is my own exploit. Instructions:
It works on 32-bit Windows XP. It might work on Vista and 7, if UAC is disabled. Tested in VM, fresh install of CIS (“Proactive Security”) with everything at defaults (D+ at Safe Mode, Sandbox enabled, etc.)
Run TestPh-ComodoExploit1.exe.
Do not close the message box that pops up.
Verify that TestPh-ComodoExploit1.exe is running as NT AUTHORITY\SYSTEM in Task Manager.
Close the message box.
The reason this exploit works is because of our old friend, user-mode hooking. Apparently people still don’t get the message - user-mode hooking can always be passed.
I’m not going to put the code here this time because I may cause a certain moderator to get angry. PM me if you want the code.
Not in general, user-mode hooking can always be bypassed. There are only two ways to protect against this particular method:
Don’t use Windows XP (or don’t use an admin account), and don’t turn UAC off.
D+ could hook functions inside services.exe. This would require knowledge of the internal workings of the SCM though, and compatibility would be a huge issue.
In general any program that runs at an elevated privilege level and exposes an API can be a vulnerability. Everyone involved needs to be security-conscious.
If not, then why don't more malware writers use this method?
No, this method works on all 32-bit and 64-bit systems. My test program only works on 32-bit systems and I’ve only tested it on XP (although it should work on Vista and 7). I say “don’t use Windows XP” because XP doesn’t have UAC.
OK, I get what you're saying. It would be nice if Comodo could protect against this. I don't like using UAC, but if it comes down to it I might have to if malware starts using this method.
This example fails when “treat unrecognized files as” is raised above the default; I wonder whether doing this actually increases protection against user-mode attacks or just happens to break your particular implementation…
Either way it’s one more reason for people to abandon XP and leave UAC enabled.
When you set it to something higher than Partially Limited it also filters the token of the process, effectively disabling admin privileges. One “lesson” here is that the sandbox is not really that useful. Just leave UAC on.
See above. You need to be using Partially Limited mode and an admin account.
Not sure if you want to investigate any further, but this is impossible unless there’s something I’m missing here. Can you please check the token of TestPh-ComodoExploit1.exe (the Security/Token tab in process properties) using Process Explorer/Hacker and give me a screenshot?
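The token check requested above can also be done from a script instead of the Security/Token tab in Process Explorer/Hacker. The following PowerShell is an added example, not code posted in this thread or shipped by Comodo: it opens a process by PID, queries TokenUser, TokenElevationType, TokenElevation and TokenIntegrityLevel through advapi32, and reports whether the token is a full administrator token, a UAC-filtered one, or a plain token. It assumes Windows PowerShell 3 or later and that the caller is allowed to open the target process (reading a SYSTEM process normally requires an elevated shell). On XP the elevation classes do not exist and the script reports them as "not reported", which is exactly the "XP has no UAC" situation discussed in the thread.

```powershell
# Added example (not from the thread): report how UAC shaped a process token,
# the way the Security/Token tab in Process Explorer/Hacker shows it.
# Assumptions: Windows PowerShell 3+; caller may open the target process.
param([int]$ProcessId = $PID)

Add-Type -Namespace TokenProbe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, int len, out int needed);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400   # accepted by XP as well as Vista+
$TOKEN_QUERY               = 0x0008
# TOKEN_INFORMATION_CLASS values
$TokenUser = 1; $TokenElevationType = 18; $TokenElevation = 20; $TokenIntegrityLevel = 25

# Query one information class into a temporary buffer and hand it to $Reader.
# Returns $null when the class is unsupported (TokenElevation* do not exist on XP).
function Read-TokenInfo([IntPtr]$Token, [int]$Class, [scriptblock]$Reader) {
    $needed = 0
    [void][TokenProbe.Native]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$needed)
    if ($needed -eq 0) { return $null }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
    try {
        if (-not [TokenProbe.Native]::GetTokenInformation($Token, $Class, $buf, $needed, [ref]$needed)) { return $null }
        return (& $Reader $buf)
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

# TOKEN_USER and TOKEN_MANDATORY_LABEL both begin with a SID_AND_ATTRIBUTES whose
# first field is a pointer to the SID, so one reader serves both classes.
$readSid = { param($b) New-Object Security.Principal.SecurityIdentifier([Runtime.InteropServices.Marshal]::ReadIntPtr($b)) }
$readInt = { param($b) [Runtime.InteropServices.Marshal]::ReadInt32($b) }

$hProc = [TokenProbe.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
if ($hProc -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$hToken = [IntPtr]::Zero
try {
    if (-not [TokenProbe.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) {
        throw "OpenProcessToken failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $userSid  = Read-TokenInfo $hToken $TokenUser          $readSid
    $elevType = Read-TokenInfo $hToken $TokenElevationType $readInt
    $elevated = Read-TokenInfo $hToken $TokenElevation     $readInt
    $ilSid    = Read-TokenInfo $hToken $TokenIntegrityLevel $readSid
} finally {
    if ($hToken -ne [IntPtr]::Zero) { [void][TokenProbe.Native]::CloseHandle($hToken) }
    [void][TokenProbe.Native]::CloseHandle($hProc)
}

# Account name; fall back to the raw SID if it cannot be translated.
try { $user = $userSid.Translate([Security.Principal.NTAccount]).Value } catch { $user = $userSid.Value }

$elevNames = @{
    1 = 'Default (no linked token: UAC off, non-admin user, or SYSTEM)'
    2 = 'Full (unfiltered administrator token)'
    3 = 'Limited (UAC-filtered administrator token)'
}
$elevText = if ($null -ne $elevType) { $elevNames[$elevType] } else { 'not reported (pre-Vista, no UAC)' }
$elevFlag = if ($null -ne $elevated) { $elevated -ne 0 } else { 'not reported' }

# Integrity SID is S-1-16-<RID>: 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
$ilName = 'not reported (pre-Vista)'
if ($ilSid) {
    $rid = [int]($ilSid.Value.Split('-')[-1])
    $ilName = switch ($rid) {
        { $_ -ge 0x4000 } { 'System'; break }
        { $_ -ge 0x3000 } { 'High'; break }
        { $_ -ge 0x2000 } { 'Medium'; break }
        { $_ -ge 0x1000 } { 'Low'; break }
        default           { 'Untrusted' }
    }
}

[pscustomobject]@{
    ProcessId      = $ProcessId
    User           = $user
    ElevationType  = $elevText
    IsElevated     = $elevFlag
    IntegrityLevel = $ilName
}
```

Run it as `.\Get-TokenShape.ps1 -ProcessId <pid>` (file name is a placeholder) from an elevated prompt. A process launched under the sandbox setting the thread calls "higher than Partially Limited" should come back with ElevationType "Limited", whereas a process that really runs as NT AUTHORITY\SYSTEM shows User "NT AUTHORITY\SYSTEM", ElevationType "Default" and IntegrityLevel "System".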