Correct. Incorrect. Sandboxie can fail in any way it is officially claimed to operate that can be exploited to circumvent the application's...
MarkedManner, here was the doc you couldn't reach:
The 2009 PoC had a payload that is caustic because it is a virtualized malware. In specific, it would reverse-mount the host OS's drive in raw...
No need to make a false dichotomy, Buster. I've repeatedly said we had a breakout against the sandboxie that was most current (3.34/3.36) at the...
You should clarify that, you're saying the words "actually" and "real", when I think you mean "current" and "most recent". I didn't claim we did...
Had it before I walked into this thread. I don't really see that as something to gain. You or Sandboxie should have something to lose, make it...
Re: Will I be allowed to prove it? Considering the exploit is from 2009, you'll need the 2009 environment we did it in too. Unless you're...
I'll agree to this. However, I think the stakes should be a little more equal. I'm fine with a permaban if I don't deliver, but what do I get that...
Re: Will I be allowed to prove it? What is the point of making a fake video? Don't worry, I'll show you what we did and how, we could probably...
I don't think we'll have any problem demonstrating that we did exactly that in April 09. That sounds delightful, and I look forward to it, Buster BSA.
Re: Will I be allowed to prove it? I appreciate the suggestion, but I doubt it will be a more fertile ground for intellectual or security...
Mr. 4 posts, I'm not an expert on sandboxing and virtualization, but i am an infosec expert and privacy expert. From what I can tell, Sandboxie is...
Serapis, please refrain from commenting before reading the thread. I said those were two new exploits discovered just this morning.
hpmnick, Should a website be able to destroy everything inside your sandbox? I'm not sure what what you find disingenuous about it, I didn't...
sbseven, Default-level security settings are usually the standard I test a specific software with, because that is what most users end up...
The responsible disclosure is the actual vulnerability, not the specific exploit, which changes with the weather. The vulnerability is that...
Serapis, We already did responsible disclosure to the vendor 2 years ago. And the main terms of the review were that everyone got to see the...
Re: Will I be allowed to prove it? Request granted. Peter contacted me, said he wanted the code, and specifically referenced BSA_Buster's...
Re: Will I be allowed to prove it? LowWaterMark, this was my exact comment to Peter. I told him it was too caustic to release publicly. He...
dw426, Mods should stay out of discussions, and definitely shouldn't be making accusations, because they speak with the authority of the forum....
Will I be allowed to prove it? Peter, I don't bluff, you should have accepted my terms to review the code privately, instead of publicly...
Which executable, the initial sandbox breakout or the payload? Presuming you mean the sandbox, the executable wasn't a direct executable, it was...
This entire subforum is entitled "sandboxing and virtualization", so clearly there is some inherent confusion that will occur, as many people...
We should be through the majority of the quality assurance work on Safehouse at the end of April, if I don't get to it sooner.
You're flying off the handle. This is a thread about studying malware in virtualized environments. We've got a PoC that breaks out of virtualized...
Separate names with a comma.
