3 Year Old Exploit Still Works against Avast Sandbox

Discussion in 'other anti-virus software' started by AutoCascade, Jan 20, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Has he already put SBIE to the test?
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I haven't asked, but if he had, it'd probably be in his Twitter feed, which I follow, and I haven't seen anything.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Perhaps you can contact him again.
     
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Right now he's still deep in embarrassing Comodo products. Once I see that's over, I'll tweet again about Sandboxie and send him a download link.

    Tavis Ormandy ‏@taviso 11h
    Having trouble encoding into language how colossal this Comodo screw-up is for my latest report. *facepalm* is not even close. #sigh

    Tavis Ormandy ‏@taviso Feb 24
    Lots of memory corruption in Comodo Antivirus. Many hilarious fails in their emulator. And of course, no ASLR and running as SYSTEM. #sigh

    Tavis Ormandy ‏@taviso Feb 18
    Comodo Internet Security installs a VNC server with predictable password by default. https://code.google.com/p/google-security-research/issues/detail?id=703… ¯\_(ツ)_/¯

    597 retweets 303 likes
     
  6. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    https://vazermind.wordpress.com/2013/01/04/c-bypass-sandboxiesunbeltsb-sandboxvmware-by-modules/

    [C++] Bypass (SandBoxie,SunBelt,SB SandBox,VMWARE) by Modules

    SbieDll.dll => To Bypass SandBoxie

    api_log.dll => To Bypass SunBelt

    dir_watch.dll => To Bypass SunBelt SandBox

    dbghelp.dll => To Bypass vmware

    This is the little source code:

    #include <windows.h> // needed for GetModuleHandleA and TRUE/FALSE

    const char* sModules[] = { "SbieDll.dll", "api_log.dll", "dir_watch.dll", "dbghelp.dll" }; // define module names

    bool ModuleCheck() // Return TRUE/FALSE .
    {
        for( int i = 0; i < ( sizeof( sModules ) / sizeof( char* ) ); i++ ) // loop over the list to get each module handle .
        {
            if( GetModuleHandleA( sModules[ i ] ) ) // getting module handle; a non-NULL handle means the DLL is loaded in this process .
            {
                return TRUE; // if exists return TRUE .
            }
        }
        return FALSE; // if not return FALSE.
    }
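    A defender-side companion to the check above, added here as an example and not part of liba's post or the linked source: it scans a byte blob for the same four DLL names (ASCII and UTF-16LE, case-insensitive) so an analyst can flag a sample that embeds them. The function names and the sample blob are my own constructions; dbghelp.dll is also a standard Windows component, so on its own it is treated as a weak signal.

```python
"""Flag references to the sandbox/VM DLL names from the post inside a binary blob.
Added example; the DLL list comes from the post, the helper names are assumptions."""
import re

# DLL names the post associates with sandboxes/VMs. dbghelp.dll ships with
# Windows itself, so by itself it is only a weak indicator.
SANDBOX_MODULES = ("SbieDll.dll", "api_log.dll", "dir_watch.dll", "dbghelp.dll")


def _patterns():
    """Build case-insensitive byte regexes for each name in ASCII and UTF-16LE."""
    pats = []
    for name in SANDBOX_MODULES:
        pats.append((name, "ascii",
                     re.compile(re.escape(name.encode("ascii")), re.IGNORECASE)))
        pats.append((name, "utf-16le",
                     re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def find_sandbox_module_refs(data: bytes) -> list:
    """Return (canonical_dll_name, encoding, offset) for every hit, sorted by offset."""
    hits = []
    for name, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.append((name, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def classify(data: bytes) -> str:
    """Collapse the hits into a triage verdict for the sample."""
    names = {h[0].lower() for h in find_sandbox_module_refs(data)}
    strong = names - {"dbghelp.dll"}  # sandbox-only names are the strong signal
    if strong:
        return "sandbox-evasion-indicator"
    if names:
        return "weak-indicator"
    return "clean"


# Constructed sample blob: one ASCII name (odd casing) and one UTF-16LE name.
SAMPLE = (b"\x00" * 16 + b"sbiedll.DLL" + b"\x00" * 8
          + "dbghelp.dll".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    for name, enc, off in find_sandbox_module_refs(SAMPLE):
        print(f"{off:#08x} {enc:9} {name}")
    print(classify(SAMPLE))
```

    Run it over the raw bytes of a file; hits are offsets into that file, so they can be cross-checked in a hex viewer or turned into a string-based detection rule.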

     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    That's two years old. Sandboxie hasn't patched for that in the two years since?

     
  8. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Yes.
     
  9. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    Is this thread about the Avast sandbox, Sandboxie, or is it just an off-topic thread? o_O
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Does this exploit still work?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
  13. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Fixed in all products. If you execute the example code, the app crashes immediately. Since no full source was leaked, it's unclear if that ever worked. SbieDll.dll was also changed several times from 2013 to 2016 in the meantime, same as api_log and dbghelp.

    There are other anti-anti-VM exploits which are working and whose full source is leaked, but I can't post them over here because they're on illegal forums for $.

    But I can give an example to detect the Comodo sandbox (which still works) the easy way. The rest is DLL injection in memory, which I can't post here....
     