Sandboxie bypassed

Potential bypass (add user account)

"This PoC seems to be able to add an user account despite it being run in sandboxie. Closing the application and deleting the SB contents doesn't delete the account."

-http://ssj100.fullsubject.com/t370-sandboxie-bypassed

 

Apparently this POC does not work on XP but bypasses if one is on Vista or Windows 7.
Also discussed here..........
http://www.sandboxie.com/phpbb/viewtopic.php?t=9812

 

Also doesnt work if UAC is enabled or drop my rights within SandboxIE are enabled. Running with dropped rights in SandboxIE is a pretty fundamental concept.

 

Also does not work in a limited user account. Another fundamental concept that many don't want to accept.

 

Unfortunately.

Anyway, this is nothing that concerns me. I'm more concerned with what is undisclosed, but that would be for another topic.

 

True, no need to be at all, but this might trigger some Sandboxie doomsday propaganda fud.

 

What if you have limited rights enabled, only what you want having internet/running privileges? Can it get past that?

 

Yes, but I do understand their concern. It seems it is needed have administrator rights for such thing to happen, but we are, primarily, speaking of an application supposed to keep whatever changes happen to the system within the sandbox. After we're done, dispose it. This should happen regardless of what account we're using.

The same situation seems to have been reported before, regarding some application. -http://sandboxie.com/phpbb/viewtopic.php?t=9456

It went unnoticed, though.

The reason I mention I'm not concerned, is that the use of sandboxes, be it automated ones or having to be set by the user, are not a complete reality, yet. But, a new scenario is emerging. I don't follow every security application, but from what I see others mention, COMODO has a sandbox, AVAST is on its way of introducing one in avast! 6 as well. This will eventually become a new mechanism for attackers to bypass and search for flaws.

I've always been from the opinion that Sandboxie does have its flaws; it's a piece of software, and they all have flaws. The only reassurance is that sandboxes, and in this case Sandboxie, is not widely used.

But, have no doubts that once sandboxes use becomes a daily reality in most users lives, we'll see more bypasses emerging.

And, originally the author of this PoC was not even aiming at Sandboxie, but COMODO.

So, while I agree that "this might trigger some Sandboxie doomsday propaganda fud", as you put it, would you think the same if sandboxes were a reality to most people? Or, would you be concerned?

 

Win 7 full blown admin - no UAC and Sandboxie does what I tell it to do.

 

Hello Franklin

Fair enough. But, what I had in mind when I wrote my previous post was a situation where a user would deliberately run a file inside a sandbox, without any restrictions, for whatever reason made the person run it that way, but always having in mind any modification would be disposed when deleting the sandbox.

Should you face yourself in such situation (just a hypothetical situation), wouldn't you end up with something outside the sandbox, when it was supposed to be deleted when disposing it? If you think about it, Sandboxie (the application I care about; but, the same seems to, at least, apply to COMODO's sandbox) fails to do that job - dispose any changes when the user deletes the sandbox.

Anyway, this is not a real concern, IMO. Sandboxes are not massively used, so... But, when they come to be, I believe one should look differently at what a sandboxing application is and what is not. What is not, that's easy: infallible.

 

But then again there are the people that need to wake up and realize that Sandboxie isn't perfect. In specific, the people that seem to find giggles out of downloading malware and executing it in a live enviroment only protected by Sandboxie.

If this was all you needed to stay protected, you'd think all AV companies would have a copy of Sandboxie for malware analysis.

 

I agree with that, although I think those purposefully initiating malware in a sandbox probably don't fall into a "typical" category.

But as you suggest, sandboxing isn't perfect. To rely 100% on it can be done, if you have a well laid out plan. To simply install it, and use it "as is" and assume you are problem free is also possible, but could easily lead to many issues.

I personally think that a tool like Sandboxie, when it is understood and configured properly for job at hand, is as close to "secure" as on can get from one product, but only if it is used in a manner that supports the underlying philosophy. Of all the products I have used, except for uber HIPS where any/everything is questioned, Sandboxie can be for me the one 3rd party tool that truly does offer more than any other - but again, only because I have implemented it in a very specific way.

Sul.

 

Sandboxie isn't perfect. Windows isn't perfect. Too much things aren't indeed.

It's very good... People like to have dislikes...

For who that likes the good things, there are very good things always. E.g.: Windows and SandboxIE...

 

Yes, and I did run the sample in a default box where the Comodo user account was created but it was gone on reboot thanks to my second layer full system virtualisation.

So what have we really got here, a third obscure bypass of Sandboxie in several years and yet again some want to make an Everest outta it.

Seems the witch hunters won't be happy till the m00n turns red with bl00d! LOL

 

It may be obscure to you, but what about others who aren't even aware of other "second layer full system virtualisation"?

So, it was one other security layer that you have implemented saving the day? I guess we can thank for the existence of such tools?

I guess it depends on whom is climbing the Everest. I remember a guy who did, and ended up having to cut his fingers. Burnt by the extreme cold.

Nice one!

 

Nicely put. Frankilin has proven over and over again, sadly to little avail, that Sandboxie ultimately performs gracefully when put through the ringer, especially more so if people simply realize a little effort and common sense on their part to supplement its effectiveness (this applies to any security setup) should be enough to completely avoid any malware infestation. Hopefully no one's expecting it to hold their hand throughout the process. Think about it for a moment, why on earth would you open some obscure macro or executable in the real system without first verifying its source, and at least in the event of an oversight all you need is a backup/restore procedure in place or rollback that Franklin uses and you've got practically nothing to worry about.

Whoa, clever

 

A fix for this issue will be soon released by tzuk...

http://www.sandboxie.com/phpbb/viewtopic.php?p=63871#63871

 

Already fixed and confirmed here.

For those who wish to beta test Sandboxie 3.53 here is build 1.

 

thanks nanana1

 

While this advice might work for the general user out there browsing the web. Some can't accept it. For example i'm a developer and i run to many things that require admin privledges (IIS for example). Running under a user account is impossible for me but uac basically does the trick just as long as you analyze why uac is coming up rather than blindly clicking yes.