Create your own Sandbox (e.g. under x64) [Kees1958]

Discussion in 'other security issues & news' started by m00nbl00d, Sep 12, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is regarding this thread (https://www.wilderssecurity.com/showthread.php?t=262184).

    I can't post there, because it's considered an old thread.

    Kees, one doubt. How did you manage to make Iron work 100% under different user credentials?

    I could never do it, because of Chromium's sandbox (Iron is based on Chromium, as you know).

    I tested with Google Chrome (both the regular and the enterprise installer) and Iron as well. They all fail to run. They load, but it is impossible to work with them. And I wasn't even blocking what you were blocking. I was following a different approach, but since I couldn't achieve it, I searched and found that the problem relates to the browser's sandbox.

    Did you actually fully test it, using the very restricted standard user account? How so?
    Others are having the same problem, and according to Google developers, it's because of the way the browser's sandbox works.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I might have a go with this approach this winter. Time, never enough time.

    Speaking of sandboxes, does anyone else but me think that Chrome does not sandbox, but only reduces rights and segregates processes/jobs/threads? I don't see how they label it a sandbox when it is not contained within the box of sand. Because the handler runs at a higher IL, you can affect the real system.

    Sandboxie or virtual machines are what I call sandboxes. They operate above the OS and, unless you desire, don't interact with the real OS at all, only within the confines of their box of sand.

    Sul.
     
  3. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I haven't tried Chrome or Iron, but to sandbox the way Sandboxie does, it has to have a driver to intercept all writes into a sandbox. I don't think Chromium has its own driver(s).
     
    Last edited: Sep 13, 2010
  4. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Why reinvent the wheel? Chromium comes with a highly effective sandbox already. If you have examples of this sandbox being bypassed, please post them.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The idea behind Kees1958's approach is to have a clean state of that very restricted user account.

    The problem is: this approach, using Chromium or any other browser based on it, does not work! It simply doesn't, due to Chromium's own sandbox (and that of the browsers based on it, as well).

    I have no idea how Kees managed to make it work... or if he didn't fully test it.

    It would be great for Kees1958 to share his thoughts on this issue.

    I've seen a similar one (on which I believe Kees1958's approach is based) by Joanna, but even her guide, in which she used Firefox, is flawed. Her PsExec tool commands are wrong.
    Both approaches work, but not with Chromium. First, I thought it was because Kees' approach was a bit more restrictive, but after some testing and digging, I found it is due to the sandbox of Chromium and the browsers based on it.

    With Opera, it also won't work if one sets Opera to a Low IL. Opera won't be able to access the user profile 100%, even with the profile set to Low IL as well.

    Internet Explorer works just fine.
     
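The integrity-level behaviour that Sully and m00nbl00d describe above (a Low IL process cannot write into locations that carry the default Medium label, which is why a Low IL browser loses access to its own profile unless that profile is relabelled) can be reproduced on a test machine. The script below is an added example written for this page; it is not from any of the posters and is not part of Chromium, Opera or PsExec. It assumes Windows Vista or later, a normal (Medium IL) PowerShell session, and uses temporary folders it creates itself; the folder and file names are constructed for the demonstration.

```powershell
# Added example (not from the thread): demonstrate the "no write-up" rule of
# Windows integrity levels. A Low IL process is denied writes to a folder with
# the default (Medium) label, but may write to a folder explicitly labelled Low.
# Assumes Vista+ and a Medium IL PowerShell; all paths are constructed here.

$work = Join-Path $env:TEMP 'il-demo'          # assumed scratch location
New-Item -ItemType Directory -Force -Path "$work\medium", "$work\low" | Out-Null

# Give one folder an explicit Low label (inherited by children via (OI)(CI)).
# The other folder keeps the implicit Medium label every unlabelled object has.
icacls "$work\low" /setintegritylevel '(OI)(CI)Low' | Out-Null

# A copy of cmd.exe labelled Low starts as a Low IL process: the new process
# gets the lower of the launcher's token level and the image's label.
$lowCmd = Join-Path $work 'cmd_low.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd -Force
icacls $lowCmd /setintegritylevel 'Low' | Out-Null

# The Low IL child prints its own mandatory label, then probes both folders.
# Reading the batch file from a Medium folder is allowed (no "no read-up" on
# files by default); only the write into the Medium folder should be denied.
$probe = @"
@echo off
whoami /groups | findstr /i "Mandatory"
echo test > "$work\medium\probe.txt" && echo WROTE medium || echo DENIED medium
echo test > "$work\low\probe.txt"    && echo WROTE low    || echo DENIED low
"@
$batch = Join-Path $work 'probe.cmd'
Set-Content -Path $batch -Value $probe -Encoding ASCII

& $lowCmd /c $batch
# Expected on a default system: "Low Mandatory Level", "DENIED medium", "WROTE low".

# Cleanup: the Medium IL shell may remove the Low-labelled objects (write-down is allowed).
Remove-Item $work -Recurse -Force
```

This is the same mechanism m00nbl00d runs into with Opera at Low IL: the browser process is simply refused writes to a Medium-labelled profile, and relabelling the profile folder Low (as the script does for `$work\low`) is what makes such writes succeed again.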
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Oh, that was some time ago. Indeed Joanna inspired me, but the PsExec commands did not work. I had it set up and, as far as I can recall, I managed to start a Google search. I did copy the Chrome install on my regular user to the LUA user with ACL restrictions (I even copied my Chrome user files). I also tried her e-mail containment version.

    There was an issue which I had to tackle: don't use the -l and -e arguments of PsExec, as far as I can remember.
    Also, I did not use Low rights, just the medium-level LUA. Could you try with medium rights? Chrome indeed does not run under a restricted user or Low rights, since it assigns a restricted SID to its process itself. Also, Chrome (installer pack) and Iron have changed. In the past you needed to exclude DLL files from the SRP; nowadays Iron works with DLLs included. It is too long ago (I changed my play PC from XP Pro to Vista Business) to reload an old image. What I do remember is that it took me quite some time before I had it working (since Joanna's guide was flawed). I honestly think I had it working (I only post tested results), but after a lot of hours grinding your teeth on some stuff, it could well be possible that I fooled myself (believing it worked).
     
    Last edited: Sep 14, 2010
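The set-up Kees1958 describes (a second standard-rights local account, a copy of the browser profile with ACL restrictions, and the browser launched under that account with its own user profile loaded rather than via PsExec's -l and -e switches) can be scripted. The following is an added example written for this page, not the script Kees1958 or Joanna used; it substitutes PowerShell's `Start-Process -Credential` (CreateProcessWithLogon, which needs the Secondary Logon service) for PsExec, and isolates the profile with `--user-data-dir` so the browser never depends on the second account's own %LOCALAPPDATA% having been created. The account name, the browser path and the two folders are assumptions. Whether Chromium-based browsers run at all under this arrangement is exactly what the thread disputes; the script only shows the account and ACL mechanics.

```powershell
# Added example (not the posters' script). Run Step 1 once from an elevated
# shell; Steps 2 and 3 run from the normal user that "owns" the sandbox.
# Assumptions: Vista+ (x64 or x86), a browser installed under Program Files,
# and the names below, which are illustrative.

$SandboxUser = 'browse'                                                   # assumed
$BrowserExe  = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'  # assumed
$Template    = 'C:\BrowserSandbox\template'   # pristine profile, edited only by the owner
$Live        = 'C:\BrowserSandbox\live'       # working copy used by the sandbox account

function New-SandboxAccount {
    # Step 1: a plain local account. net.exe places it in Users only, so it has
    # no administrative rights; the password never expires and cannot be changed
    # by the account itself, so the sandbox cannot lock its owner out.
    param([pscredential]$Cred)
    $plain = $Cred.GetNetworkCredential().Password
    net user $SandboxUser $plain /add /passwordchg:no /expires:never | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with code $LASTEXITCODE" }
}

function Reset-SandboxProfile {
    # Step 2: discard the live profile and recreate it from the template, so
    # every session starts from the same clean state. Inheritance is removed
    # so broad ACEs (e.g. Users) from the parent do not leak in; only SYSTEM,
    # the owner and the sandbox account can reach the copy, and the sandbox
    # account gets Modify rather than Full Control (it cannot change the ACL).
    if (-not (Test-Path $Template)) { throw "Template profile missing: $Template" }
    if (Test-Path $Live) { Remove-Item $Live -Recurse -Force }
    Copy-Item $Template $Live -Recurse
    icacls $Live /inheritance:r `
        /grant:r "${SandboxUser}:(OI)(CI)M" `
        /grant:r 'SYSTEM:(OI)(CI)F' `
        /grant:r "$($env:USERNAME):(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with code $LASTEXITCODE" }
}

function Start-SandboxBrowser {
    # Step 3: launch under the second account at its normal (Medium) integrity
    # level. -LoadUserProfile is the opposite of PsExec's -e, and no Low IL is
    # requested, matching the "medium-level LUA" set-up rather than PsExec -l.
    param([pscredential]$Cred)
    Start-Process -FilePath $BrowserExe `
        -ArgumentList "--user-data-dir=`"$Live`"" `
        -Credential $Cred -LoadUserProfile -WorkingDirectory 'C:\'
}

# Usage (the template is created once by copying your own profile there):
#   $cred = Get-Credential "$env:COMPUTERNAME\browse"
#   New-SandboxAccount $cred     # once, from an elevated shell
#   Reset-SandboxProfile         # before each session: back to the clean state
#   Start-SandboxBrowser $cred
```

Two checks worth running after Step 2: `icacls $Live` should list exactly the three principals granted above and nothing inherited, and `whoami /groups` executed via `Start-Process -Credential` for the sandbox account should show only Users and `Medium Mandatory Level`, confirming that the account has neither administrative group membership nor a Low label that would trigger the profile-access failure described earlier in the thread.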
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I tested with Chromium, Chrome (both standard and enterprise installer) and Iron, but they all failed.
    Actually, to be able to start either Chrome (standard installer) or Chromium, since they don't install at system level (%PROGRAMFILES%), I needed to first start a session with the second standard user account, then start Chromium.

    If I remember well (I tested about a month ago, and will re-test it to see if the same behavior occurs), Chromium actually managed to run without any errors, but I'm not sure. Obviously, having to log on to both accounts makes you lose a few more seconds, but it was a workaround (if my memory still serves me right, that is).

    It may have fooled me as well, though! :D I'll re-test it, for sure.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Because I was working on my son's Vista x64, I had to deliver it clean, so it was getting very late, and it could well be that I fooled myself (with two identical Chrome user configs on the two user IDs). If so, sorry for your lost time ;)

    I prefer to work with Google from Google Pack or Iron, because they install in the Program Files directory. As said, I can remember not to use the -l and -e switches, and that I had to copy the Chrome user config to the clean-state LUA account.
     