Two more "bypasses" for Partially Limited sandbox

Both programs have been tested on Windows 7 64-bit with a fresh install of CIS and default settings. You need to have UAC disabled.


My original demonstration created a service, but according to egemen this is due to a simple bug. Whereas ComodoExploit1 uses the SCM to launch a program, ComodoExploit2 uses SAM to create a new user account. The program isn’t limited to creating user accounts, though - it could potentially delete all user accounts, assign privileges to users, etc. There is nothing clever involved here; it’s just some simple API calls. Instructions:

  1. Run TestPh-ComodoExploit2-x86/x64.exe.
  2. Open Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users.
  3. Verify that ComodoExploitAccount has been created.
  4. Delete ComodoExploitAccount.


Only works on Vista and 7.

Programs in Partially Limited mode are unable to modify Comodo’s files. This method seems to bypass this protection. The only problem with the method is that it is unable to open executable files, so I have picked “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat”. Instructions:

  1. Make a backup of “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” if necessary.
  2. Run TestPh-OpenFileAltMethod-x86/x64.exe.
  3. Open “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” in Notepad and verify that it reads “This file has been overwritten by the exploit.”.
  4. Restore the file if necessary.

EDIT: This method does actually work with executable files.

PM me for the code.

[attachment deleted by admin]

are you doing all these exploits to prove that the sandbox can be bypassed or are you doing to help comodo improve their product?

Is there a difference?

ya one is like trolling making people worry that they aren’t fully secure and the other is just trying to actually help comodo by letting them know what they need to work on.

Wj32 is a respected member who has (Comodo) Security at heart. He has written several bug reports with regard to CIS. He’s one of the good guys… :slight_smile: 8)

ok good to hear. its just hard to know who to trust since there are always people on here saying bad stuff and trolling the forums.
sorry about that wj32 :slight_smile:

Right, exposing the truth is “trolling”. Besides the fact that the T-word is often mis-used, this attitude is the opposite of what people need to have in order to create secure systems.

its just hard to know who to trust since there are always people on here saying bad stuff and trolling the forums.

What “bad stuff” are you referring to?

like i said my mistake your just helping the comodo team to make cis the best it can be. its good that your here to help.

Actually, i appreciate his threads, he’s been really helpful finding weak points in CIS, which helps Comodo improve their suite. :-TU
Great Work Dudeeeeeeeee!!

I wasn’t referring to myself, I was just wondering why you said “ya one is like trolling making people worry that they aren’t fully secure”. To me that statement implies that you think there are cases where exposing security vulnerabilities is “trolling”, which I just don’t agree with. 8)

no i was refering to you telling us that you found more “bypasses” but i didnt realize that you would give the code till i reread the original post

Hahaha, it’s all fine dudes, we should relax now ;D

first of all , I would like to thank wj32 for his efforts which are so clear and obvious. The least thing that I could do here is verifying the issue. So, here are the results for " proactive security mode , sandbox disabled " :-

ComodoExploit2 succeeded in creating the account.

for OpenFileAltMethod , I couldn’t verify anything since I have xp on my both real and virtual machines.

As strange as it might sound , Comodo will pass the first exploit with “limited restriction level of the sandbox” and will fail in proactive security mode ;D

I remember reporting something similar to that to egemen when the virus was able to change the Administrator account password , in case if it’s not password protected in the first place of course, and that was during the BETA stage.

That’s because the Limited level filters the token of the process, disabling admin privileges. Nothing can beat built-in OS security. :slight_smile:

that exactly what I thought , thanks :slight_smile:

if you know how to make activex, you can kill Comodo with it via internet explorer… and uac off.
Internet explorer is a safe application and can kill comodo.

I doubt it. Are you sure there are any programs that are allowed to kill CIS processes?


yes, i remember killed Comodo v5 6 months ago
activex want run, you allow and comodo was killed

There was no CIS v5 six months ago… :wink: