Wutil bypass sandbox

The bug/issue

  1. What you did : i run wutil_runtimeloader.exe
  2. What actually happened or you actually saw : the hack is injected into war3.exe, sandboxed or not
  3. What you expected to happen or see : The fog of war removed (maphack)
  4. How you tried to fix it & what happened : Comodo can’t prevent this injection, sandboxed or not.
  5. If its an application compatibility problem have you tried the application fixes?: n/a
  6. Details (exact version) of any application involved with download link: Warcraft III ( Blizzard ) with patch 1.24e - http://ftp.blizzard.com/pub/war3/patches/pc/ + this exploit : http://www.mediafire.com/?deuns70fnd3gf6x
    [it cost 5euros in my country warcraft 3]
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Run as admin wutilruntimeloader.exe and the hack is injected
  8. Any other information (eg your guess regarding the cause, with reasons): N/A

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: N/A
  2. Screenshots of related event logs and the active processes list: N/A
  3. A CIS config report or file. default settings
  4. Crash or freeze dump file: N/A

Your set-up

  1. CIS version, AV database version & configuration used: default
  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?: n/a
  3. a) Have you imported a config from a previous version of CIS, if so b) have U tried a preset config?: N/A
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. ) it will changes nothing
  5. Defense+ and Sandbox OR Firewall security level: default
  6. OS version, service pack, no of bits, UAC setting, & account type:Windows 7 64bits UAC off
  7. Other security and utility software running: CIS 5
  8. Virtual machine used (Please do NOT use Virtual box): no.
    Note how to reproduce, make sure you havent uac, right click - run as administrator , comodo sandbox give 1 alert " this application is sandboxed ", and the cmd say : ’ sucess ’ the hack is correctly injected into war3.exe without any warning by comodo hips, thanks you for fixing it into futher version! (if you have real cd key, stay out of battle.net with this hack injected )

I have tried this on Windows 7 x64 with proactive config and sandbox disabled.
When I start the hack I get a warning that it wants to have debug privilegs and that it wants to inject code into war3.exe.

Maybe the problem is just related to internet security profile with sandbox enabled?
Are you sure that the code is really injected (Do you see enemy units in the fog of war?)?
Because the hack says even “success” if I block it to inject its code and the enemy is still not seeable.
Is war3.exe running in the sandbox? I guess sandboxed processes are able to inject code into each other.

Will try OA on x64.

[quote]Are you sure that the code is really injected (Do you see enemy units in the fog of war?)?
yes im sure, i can see unit in fog of war, war.exe is sandboxed
internet security mode

Will try OA on x64.

i tried, it give 2 warnings

edit : tyed with proactive mode, it is blocked (sandbox enabled )
issues with default settings
so, how injection can work low-level

What about running war.exe outside of the sandbox?
I think as long as sandboxed applications can’t influence applications outside it’s not a real “bypass”.

will try without war sandoxed

tried again, war.Exe is not sandboxed, wutil still inject… ( internet security mode )
edit : ok, can’t see units.

Many thanks for a detailed report in standard format

Could you please post screenshots of your active processes list (with the hack running) and defense plus logs (after hack has run).

How do you know that code is ‘injected’

Best wishes


PM sent

I’m sorry but we really do ned the information requested, or I will regrettably have to make this an orphaned report tomorrow.

Best wishes


Unfortunately we do need all the information we have asked for, if we are to forward it to verified issues.

For the moment I am going to move it to the Orphaned/Resolved child board. If you do manage to edit your post to add the information requested we will of course consider moving it to verified reports.

The devs only look at the Orphaned/Resolved board if they have time, so please do edit the post and PM an active mod if you want it fixed.

Best wishes and many thanks in anticipation