Both programs have been tested on Windows 7 64-bit with a fresh install of CIS and default settings. You need to have UAC disabled.
My original demonstration created a service, but according to egemen this is due to a simple bug. Whereas ComodoExploit1 uses the SCM to launch a program, ComodoExploit2 uses SAM to create a new user account. The program isn’t limited to creating user accounts, though - it could potentially delete all user accounts, assign privileges to users, etc. There is nothing clever involved here; it’s just some simple API calls. Instructions:
Open Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users.
Verify that ComodoExploitAccount has been created.
Only works on Vista and 7.
Programs in Partially Limited mode are unable to modify Comodo’s files. This method seems to bypass this protection. The only problem with the method is that it is unable to open executable files, so I have picked “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat”. Instructions:
Make a backup of “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” if necessary.
Open “C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat” in Notepad and verify that it reads “This file has been overwritten by the exploit.”.
Restore the file if necessary.
EDIT: This method does actually work with executable files.
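The manual checks from the two posts above (does ComodoExploitAccount exist after running ComodoExploit2; does cfpver.dat change after running the alternative open method, with backup and restore around it) done as one repeatable PowerShell script. This is an added example, not code from wj32 or from Comodo: the program under test is passed in as a path because the posts don't give the exe names, and the account name, file path and marker text default to the values quoted in the posts. It records the state before the run, runs the test program, reports what changed, then restores the file and removes the account if the run created it.

```powershell
# Added example (not wj32's code): record the state Comodo is supposed to protect,
# run one of the test programs, then report and undo what changed.
# Cmdlets are limited to what Windows 7 / PowerShell 2.0 ships with.
param(
    # Path to the program under test, e.g. ComodoExploit2.exe or the
    # OpenFileAltMethod build; these file names are assumptions, the posts do not give them.
    [Parameter(Mandatory = $true)][string]$TestProgram,
    [string]$AccountName  = 'ComodoExploitAccount',
    [string]$TargetFile   = 'C:\Program Files\Comodo\Comodo Internet Security\cfpver.dat',
    [string]$ExpectedText = 'This file has been overwritten by the exploit.'
)

function Test-LocalAccount([string]$Name) {
    # The WinNT ADSI provider is available on Windows 7; Get-LocalUser is not.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -eq 'User' -and $child.Name -eq $Name) { return $true }
    }
    return $false
}

function Get-FileSha256([string]$Path) {
    # Hash instead of a string compare so any modification is caught, not only the expected one.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

# 1. Snapshot before the test (this is the "make a backup" step).
$accountBefore = Test-LocalAccount $AccountName
$backup        = "$TargetFile.bak"
Copy-Item -LiteralPath $TargetFile -Destination $backup -Force
$hashBefore    = Get-FileSha256 $TargetFile

# 2. Run the program under test and wait for it to exit.
$proc = Start-Process -FilePath $TestProgram -PassThru -Wait
"Test program exit code: $($proc.ExitCode)"

# 3. Compare the state afterwards.
$accountAfter = Test-LocalAccount $AccountName
$hashAfter    = Get-FileSha256 $TargetFile
$fileText     = [System.IO.File]::ReadAllText($TargetFile).Trim()

if ($accountAfter -and -not $accountBefore) {
    "FAIL (protection bypassed): local account '$AccountName' was created."
} else {
    "OK: no new account '$AccountName'."
}

if ($hashAfter -ne $hashBefore) {
    $detail = if ($fileText -eq $ExpectedText) { 'contains the expected marker text' } else { 'contents differ from the backup' }
    "FAIL (protection bypassed): '$TargetFile' was modified ($detail)."
} else {
    "OK: '$TargetFile' unchanged."
}

# 4. Undo (the "restore the file if necessary" step), plus the account if this run created it.
Copy-Item -LiteralPath $backup -Destination $TargetFile -Force
if ($accountAfter -and -not $accountBefore) { net user $AccountName /delete | Out-Null }
```

Run it from an elevated prompt (the thread's setup has UAC disabled anyway), once per test program, so the before/after comparison is tied to a single run. Hashing the file rather than looking for the marker string means a partial or different write is still reported.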
I wasn’t referring to myself; I was just wondering why you said “ya one is like trolling making people worry that they aren’t fully secure”. To me that statement implies that you think there are cases where exposing security vulnerabilities is “trolling”, which I just don’t agree with. 8)
First of all, I would like to thank wj32 for his efforts, which are so clear and obvious. The least I could do here is verify the issue. So, here are the results for “proactive security mode, sandbox disabled”:
ComodoExploit2 succeeded in creating the account.
For OpenFileAltMethod, I couldn’t verify anything since I have XP on both my real and virtual machines.
As strange as it might sound, Comodo will pass the first exploit with the “limited” restriction level of the sandbox and will fail in proactive security mode ;D
I remember reporting something similar to egemen when the virus was able to change the Administrator account password (in case it isn’t password protected in the first place, of course), and that was during the BETA stage.