Both programs have been tested on Windows 7 64-bit with a fresh install of CIS and default settings. You need to have UAC disabled.
ComodoExploit2
My original demonstration created a service, but according to egemen this is due to a simple bug. Whereas ComodoExploit1 uses the SCM to launch a program, ComodoExploit2 uses SAM to create a new user account. The program isn’t limited to creating user accounts, though - it could potentially delete all user accounts, assign privileges to users, etc. There is nothing clever involved here; it’s just some simple API calls. Instructions:
Run TestPh-ComodoExploit2-x86/x64.exe.
Open Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users.
Verify that ComodoExploitAccount has been created.
Delete ComodoExploitAccount.
OpenFileAltMethod
Only works on Vista and 7.
Programs in Partially Limited mode are unable to modify Comodo’s files. This method seems to bypass this protection. The only problem with the method is that it is unable to open executable files, so I have picked “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat”. Instructions:
Make a backup of “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” if necessary.
Run TestPh-OpenFileAltMethod-x86/x64.exe.
Open “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” in Notepad and verify that it reads “This file has been overwritten by the exploit.”.
Restore the file if necessary.
EDIT: This method does actually work with executable files.
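The verification and cleanup steps above, as an added PowerShell script for the test machine (not part of wj32's post or the test programs). It assumes the default CIS install path quoted above and a backup of cfpver.dat at $BackupPath, a location chosen here; run it from an elevated shell after the test programs have been executed.

```powershell
# Added verification/cleanup script for the two tests described above (not wj32's code).
# Run from an elevated PowerShell after executing the test programs.
# Assumes the backup of cfpver.dat was taken to $BackupPath (a path chosen here, not from the post).

$AccountName = 'ComodoExploitAccount'
$TargetFile  = 'C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat'
$BackupPath  = "$env:TEMP\cfpver.dat.bak"   # assumed backup location
$Marker      = 'This file has been overwritten by the exploit.'

# --- ComodoExploit2: did the sandboxed program manage to create a local account? ---
# WinNT ADSI provider is used because Get-LocalUser does not exist on Windows 7.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$account  = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $AccountName }
if ($account) {
    Write-Output "RESULT: account '$AccountName' exists -> SAM write from the sandbox succeeded"
    # Step 4 of the instructions: remove the test account again
    $computer.Delete('user', $AccountName)
    Write-Output "Cleaned up: deleted '$AccountName'"
} else {
    Write-Output "RESULT: account '$AccountName' not found -> creation was blocked (or the test was not run)"
}

# --- OpenFileAltMethod: was the protected cfpver.dat overwritten? ---
if (Test-Path -LiteralPath $TargetFile) {
    # ReadAllText rather than Get-Content -Raw so this also runs on PowerShell 2.0 (Windows 7)
    $content = [IO.File]::ReadAllText($TargetFile).Trim()
    if ($content -eq $Marker) {
        Write-Output "RESULT: cfpver.dat carries the marker text -> write to a protected file succeeded"
        if (Test-Path -LiteralPath $BackupPath) {
            Copy-Item -LiteralPath $BackupPath -Destination $TargetFile -Force
            Write-Output "Restored cfpver.dat from $BackupPath"
        } else {
            Write-Warning "No backup at $BackupPath; restore cfpver.dat manually"
        }
    } else {
        Write-Output "RESULT: cfpver.dat unchanged -> write was blocked (or the test was not run)"
    }
} else {
    Write-Warning "$TargetFile not found; is CIS installed at the default path?"
}
```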
Ya, one is like trolling, making people worry that they aren’t fully secure, and the other is just trying to actually help Comodo by letting them know what they need to work on.
OK, good to hear. It’s just hard to know who to trust since there are always people on here saying bad stuff and trolling the forums.
Sorry about that, wj32.
Right, exposing the truth is “trolling”. Besides the fact that the T-word is often mis-used, this attitude is the opposite of what people need to have in order to create secure systems.
It’s just hard to know who to trust since there are always people on here saying bad stuff and trolling the forums.
Actually, I appreciate his threads; he’s been really helpful finding weak points in CIS, which helps Comodo improve their suite. :-TU
Great Work Dudeeeeeeeee!!
I wasn’t referring to myself, I was just wondering why you said “ya one is like trolling making people worry that they aren’t fully secure”. To me that statement implies that you think there are cases where exposing security vulnerabilities is “trolling”, which I just don’t agree with. 8)
First of all, I would like to thank wj32 for his efforts, which are so clear and obvious. The least thing that I could do here is verify the issue. So, here are the results for “proactive security mode, sandbox disabled”:
ComodoExploit2 succeeded in creating the account.
For OpenFileAltMethod, I couldn’t verify anything since I have XP on both my real and virtual machines.
As strange as it might sound, Comodo will pass the first exploit with “limited restriction level of the sandbox” and will fail in proactive security mode ;D
I remember reporting something similar to that to egemen when the virus was able to change the Administrator account password, in case it’s not password protected in the first place of course, and that was during the BETA stage.
If you know how to make ActiveX, you can kill Comodo with it via Internet Explorer… and UAC off.
Internet Explorer is a safe application and can kill Comodo.