3 Year Old Exploit Still Works against Avast Sandbox

Discussion in 'other anti-virus software' started by AutoCascade, Jan 20, 2016.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting stuff, let's hope that this guy will also put SBIE to the test.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    They have really started testing AV software at Project Zero. They've already disclosed vulnerabilities in software from different vendors. Good news for users :thumb:
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I asked him in a tweet and will post his response.

    I'd love to get his opinion on the sandbox in a sandbox debate.
     
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Yeah this is absolutely great stuff for users and vendors too.
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I ran it by him and he responded



    Tavis Ormandy
    @taviso
    Jan 20

    @TenaciousJim No, is it popular? I'll add it to the list of things to look at.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Testing SBIE? That would be great. Just don't direct him to a thread about sandboxing Chrome :)
     
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    No I didn't mention that!
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Well supposedly it doesn't work any more; the OP link indicates that Avast fixed it as of ~11 hours ago...

    I wonder what other sandboxes this attack will break out of, though. It looks fairly versatile:

    https://www.rapid7.com/db/modules/exploit/windows/local/ms13_005_hwnd_broadcast

    Also worth noting that it shouldn't apply to SBIE at this point, since the latter is a frontend for Windows integrity levels. However, it might apply to a lot of popular HIPS and AV software - not just stuff that bills itself as a "sandbox."

    ... I think I will try to reproduce this with some other AV suites, on a Win7 VM. With luck I should have the VM setup completed by tomorrow. Win7 unfortunately takes FOREVER to update, especially on virtual hardware.

    [Edit: actually I may have things set up sooner, thanks to Microsoft's Modern.IE virtual machines.]

    BTW: am I the only one who thinks this looks a lot like "shatter attacks" on Windows 2000/XP/2003?
     
    Last edited: Jan 20, 2016
  10. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Any info on Comodo's sandbox tech and how reliable it is?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Hmm.... I'm having trouble getting the initial reverse TCP stage to run in the Comodo sandbox at all. The setup seems a bit on the fragile side; lots of stuff can go wrong and make it not work.

    I think I'll have a go at combining the hwnd broadcast and reverse TCP stages in one executable.

    Edit: something is wrong with my setup, the EXE is not making outbound connections even when run outside a sandbox. Whatever.

    Edit 2: that was rather involved, but I managed it.

    Edit 3: Looks like Comodo is not vulnerable.
     
    Last edited: Jan 21, 2016
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    This was not patched with the latest updates?
    Here is a comment:
    It was reported on December 2nd 2015, so 90 days have not elapsed yet. I doubt that they would release it to public without patching it first. Am I reading something wrong?
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I am interpreting the Google posted comments to mean it was fixed in Chrome but not Chromium? Hence, its status is still unfixed.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sounds cool, Invincea has said that bug/bounty hunters are already putting SBIE to the test, and so far haven't found anything serious, so let's see if Ormandy can find any high risk bugs.

    There's nothing special about a sandbox in a sandbox, as long as at least one of them is keeping the system safe.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I agree but there is that long running thread in the sandbox forum.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, and everything has already been said about that subject, I don't know why that thread is still active. What Tavis Ormandy does is look for holes in individual applications. He's not going to try to figure out if it's easier to hack Chrome when running sandboxed or not. That hardly has any value.
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    No argument there.
     
  19. LOL, maybe because you posted in that thread today at 12.32 :argh:
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I know you meant this in a funny way, but that post was meant to be a wake up call, because some seem to forget what that topic was all about. And perhaps even worse, it seems that some want to start the original discussion all over again. Come on now, enough is enough. :D
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    And besides, Bromium has already proven that you can hack both Chrome and SBIE with the exact same (perhaps slightly modified) kernel exploits. No matter if Chrome was running sandboxed or not.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    https://twitter.com/taviso/status/690335891366158336

    Doesn't seem good.
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Thankfully I run Chrome in Linux and the sandbox is much stronger there than in the windows implementation.
     
  24. hjlbx

    hjlbx Guest

  25. The way Comodo develops software (often having to retract software due to quality/testing issues), they are easy prey. The "can you look at my issue (a privilege escalation)" of another tweet/researcher is really hilarious.

    @Mods, it seems that Google crew is testing some other sandboxes, to market their implementation. So either change the title of this thread to "Tavis Ormandy testing other sandboxes" or allow discussion on other sandbox implementations as Google discloses their weaknesses.
     