Found Security Compromise in Sandboxie

Discussion in 'privacy technology' started by tonyseeking, Feb 1, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined: Nov 12, 2008
    Posts: 406
    I have found a security flaw and security compromise and breach in Sandboxie.

    When I run Sandboxie and then empty it (using Eraser as delete tool), it still leaves saved information OUTSIDE of the Sandboxie folder. Which means Sandboxie initially is WRITING data OUTSIDE of the Sandboxie Folder.

    I found it when I used CCleaner. Here is an example:

    C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\Horizon-14-Nighttime-2.mpeg.lnk 565 bytes

    That is one of MANY from a Sandboxie session. That is a small mpeg file I downloaded through Sandboxie, which I then asked to be saved to Desktop.

    So my question is.. WHY ON EARTH IS SANDBOXIE ALLOWING WRITING AND SAVING TO A PLACE ON THE HARD DRIVE OUTSIDE THE SANDBOXIE FOLDER?

    Why is it even writing anything into C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\ when my Sandboxie folder is C:\Sandbox

    Anyone else know about this?

    I don't like filenames being written there, as anyone can see the file names of programs and mpeg movies that I have downloaded through Sandboxie session!!! POOR JOB SANDBOXIE :thumbd:

    Sorry for acting like a drama queen, but this is very disappointing.
     
    Last edited: Feb 1, 2009
  2. BlueZannetti

    BlueZannetti Administrator

    Joined: Oct 19, 2003
    Posts: 6,590
    Well, this is a bit overly dramatic.

    First of all, if you're going to term it anything, it's a privacy issue, not a security compromise. Your title is on the inflammatory side.

    Since you saved the file..., it's a nonissue if you wish it to be (use an information neutral filename on the save....).

    Blue
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined: Sep 20, 2003
    Posts: 17,047
    Aside from what Blue said, I did the following.

    1. Ran CCleaner and cleaned everything out.
    2. Downloaded a video, did nothing with it, and deleted the sandbox. Reran CCleaner and there was no reference to the file.
    3. Re-downloaded a movie file and this time removed it from the sandbox. Played the file in a sandbox. Then deleted the sandbox. Reran CCleaner and yes, there was a lnk to the file. This isn't a security leak as it can't harm your system. Not much of a privacy issue either since CCleaner removes it.
    4. Re-downloaded the movie file, and this time played it by running explorer in a sandbox. Then from that played the movie. Then terminated and deleted the sandboxes. Reran CCleaner, and there was no reference to the file.

    So I don't see an issue with Sandboxie, but you may just need to learn how to use Sandboxie to do what you want.

    Pete
     
  4. SteveTX

    SteveTX Registered Member

    Joined: Mar 27, 2007
    Posts: 1,641
    Location: TX
    Hmmm. I bet I could turn this into a security vulnerability. Windows filenames can actually be used as hacks. You can name a file a certain GUID and it suddenly has many interesting properties. Good find.
     
  5. tonyseeking

    tonyseeking Former Poster

    Joined: Nov 12, 2008
    Posts: 406
    Pete, that's because running CCleaner cleans it out.. But Sandboxie doesn't have a "CCleaner" inbuilt, so if a person doesn't use CCleaner, then anyone can see what files are being downloaded. This is a privacy breach for sure and should be addressed as most users wouldn't even know that Sandboxie saves data or filenames OUTSIDE of the Sandbox. And that is wrong, because the main objective of Sandboxie is to only write WITHIN the Sandbox.. But as I have shown, things are written OUTSIDE the Sandbox!!!!
     
  6. tonyseeking

    tonyseeking Former Poster

    Joined: Nov 12, 2008
    Posts: 406
    Thanks Steve :D

    Who writes Sandbox anyway? Because they should not call it Sandbox anymore, as not everything is done within the Sandbox :p
     
  7. SteveTX

    SteveTX Registered Member

    Joined: Mar 27, 2007
    Posts: 1,641
    Location: TX
    I've been saying this forever. That sandbox stuff isn't going to be secure.
     
  8. tonyseeking

    tonyseeking Former Poster

    Joined: Nov 12, 2008
    Posts: 406
    So what is the solution?
     
  9. Gizzy

    Gizzy Registered Member

    Joined: Oct 5, 2007
    Posts: 149
    Location: NJ, USA
    Maybe I'm not understanding correctly but you said you saved it to your desktop, so you took it out of the sandbox?
     
  10. ambient_88

    ambient_88 Registered Member

    Joined: Jun 23, 2008
    Posts: 854
    Sandboxie might not be a perfect solution, however, it is pretty darn good at what it does.

    @tonyseeking: Did you recover the file after downloading it?
     
  11. Pedro

    Pedro Registered Member

    Joined: Nov 2, 2006
    Posts: 3,502
    Steve, it's Windows doing the writing, no?

    tonyseeking, SBIE prevents things from inside the sandbox writing on the outside, it does not prevent programs outside the sandbox seeing what's going on inside. Windows is recording your last accessed file. It could be regarded as a privacy issue (related to Windows, not SandboxIE), but it is what it is, a feature.

    If I'm missing something please correct me.

    Got to go now. Cheers
     
  12. dw426

    dw426 Registered Member

    Joined: Jan 3, 2007
    Posts: 5,543
    Here we go again with the panic and "this app is no longer good" crap. I don't mean any disrespect to the original poster or Steve, I'm just thinking this is getting ridiculous. As has been stated, it's a privacy issue at worst right now, and barely that. Run this by the folks at SandboxIE's forum, and if it's something that needs looking into, it'll get taken care of by Tzuk asap.
     
  13. SteveTX

    SteveTX Registered Member

    Joined: Mar 27, 2007
    Posts: 1,641
    Location: TX
    My thought on it is that the software isn't designed for the purpose of privacy or anonymity or security or encryption aspects. It is designed to emulate the windows environment in a sub-environment, without virtualizing it. There would be many many many many ways to break out of that environment if one were so inclined. Therefore, don't use it for things it isn't designed for, like running evil code or where you need anonymity or privacy. Need to test your software? Fine. Need to control your cookies? Good. Need to be leakproof? Forget about it.
     
  14. dw426

    dw426 Registered Member

    Joined: Jan 3, 2007
    Posts: 5,543
    I agree with your statement of not being leakproof, but, really, what TRULY is leakproof and unbreakable? SandboxIE may not be the end all, be all of security, but, it has proven itself time and again against all these tests I've been complaining about, lol. Now that sure isn't to say that if someone is smart enough, they aren't going to break through it like melted butter, but so far, so good. The one thing I can say about the developer of it, is that this guy is on top of his game. If something DOES break through, he makes damn sure it doesn't happen again with that particular malware.

    It's a cat and mouse game, security has always been that way and always will.
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined: Oct 11, 2007
    Posts: 4,553
    Location: USA
    Well, I agree the privacy while surfing the web is not what its intended purpose is. Example: a keylogger inside the box would capture keystrokes, passwords, credit info, and if it's executable it can be set not to run in the box in the first place, but then no exe does. However, allowing executables to run such as trojans and rogue AV, I have never had any leak out to harm my HDD; they were gone on termination and deletion. I do not see any problem with Sandboxie as what it's meant to do, it's not HIPS nor firewall. It's simply isolation of internet-facing apps from harm to the HDD.
     
  16. HungJuri

    HungJuri Registered Member

    Joined: Nov 23, 2007
    Posts: 104
    Location: USA
    Do you think that Windows is not aware of what you download to your desktop? Do yourself a favor and do the exact same steps - but do EVERYTHING sandboxed. Now look through your sandbox to the sandboxed "recent" folder and you will see the Lnk there as Sandboxie created it. It is Windows that created the other Lnk (and since you deleted the sandbox - it was a dead link). It was you that decided to make the task a 50-50 split with Windows and Sandboxie, by saving the file to your real desktop. And stop with the ALL CAPS and 4 exclamation points on every other word, you sound like a moron!!!!
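Added example, not part of HungJuri's post or the thread: a PowerShell listing of the shortcuts in the current user's real Recent folder, showing where each one points, whether that target lies under the sandbox folder, and whether it still exists. The sandbox root `C:\Sandbox` is taken from the first post; the function and variable names are this example's own.

```powershell
# Added example (not code from the thread).
# Assumption: the sandbox root is C:\Sandbox, as stated in the first post.
$SandboxRoot = 'C:\Sandbox'

# Per-user Recent folder (the real one, outside any sandbox).
$RecentDir = [Environment]::GetFolderPath('Recent')

# WScript.Shell can open an existing .lnk and expose its stored target path.
$shell = New-Object -ComObject WScript.Shell

function Get-RecentShortcutReport {
    param(
        [string]$Path    = $RecentDir,
        [string]$Sandbox = $SandboxRoot
    )

    Get-ChildItem -LiteralPath $Path -Filter '*.lnk' -File | ForEach-Object {
        $target    = $shell.CreateShortcut($_.FullName).TargetPath
        $hasTarget = -not [string]::IsNullOrEmpty($target)

        [pscustomobject]@{
            Shortcut     = $_.Name
            Written      = $_.LastWriteTime
            Target       = $target
            # True when the shortcut points at a path below the sandbox root.
            InSandbox    = $hasTarget -and $target.StartsWith($Sandbox + '\', [StringComparison]::OrdinalIgnoreCase)
            # False for a dead link, e.g. after the sandbox contents were deleted.
            TargetExists = $hasTarget -and (Test-Path -LiteralPath $target)
        }
    }
}

# Newest entries first, so a just-finished session is at the top.
Get-RecentShortcutReport | Sort-Object Written -Descending | Format-Table -AutoSize
```

Emptying the sandbox does not remove these shortcut files, because they sit in the real user profile rather than under the sandbox root.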
     
  17. dw426

    dw426 Registered Member

    Joined: Jan 3, 2007
    Posts: 5,543
    Have we not had our morning coffee yet? Lol ;) He just got overanxious on a small matter, like that doesn't happen here every day, lol.
     
  18. HungJuri

    HungJuri Registered Member

    Joined: Nov 23, 2007
    Posts: 104
    Location: USA
    Yeah, he is not writing like it is a small matter. Plus one more thing - if he didn't delete the sandbox and clicked that Lnk in the Recent folder, guess what!!!! It would have opened the file sandboxed. :rolleyes:
     
  19. dw426

    dw426 Registered Member

    Joined: Jan 3, 2007
    Posts: 5,543
    But he didn't know that, did he? :) He panicked, no biggie, this is a panicky place, lol.
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined: Mar 28, 2006
    Posts: 2,642
    Location: Cymru
    Sorry I don't see it, surely user not sandboxie.
     
  21. caspian

    caspian Registered Member

    Joined: Jun 17, 2007
    Posts: 2,301
    Location: Oz
    XB Machine?
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined: Oct 19, 2003
    Posts: 6,590
    Actually, I'd bet not. Care to provide a specific example before whipping the assembled throng into a frenzy?

    However, why increase the histrionics? At the heart of things, this is a complete non-issue (via many paths) if the user wishes it to be.

    Blue
     
  23. caspian

    caspian Registered Member

    Joined: Jun 17, 2007
    Posts: 2,301
    Location: Oz
    So just simply running Ccleaner in an ordinary way will get rid of it?

    Here is what I am wondering. What would be left if the user did the same thing with Sandboxie while Returnil was running? I have read that Returnil leaves a dat file.
     
  24. Pedro

    Pedro Registered Member

    Joined: Nov 2, 2006
    Posts: 3,502
    While I can understand you may have some angle, and I'd enjoy to read more, I don't see it as particularly relevant in this thread.
    The OP is clearly learning how SandboxIE (and Windows) works, alarming him with theory isn't going to help him - no matter how practical that theory may be. It's just going to confuse him I think.
     
  25. andyman35

    andyman35 Registered Member

    Joined: Nov 2, 2007
    Posts: 2,336
    Excellent point. There's a long list of supposed vulnerabilities and 'easy ways to bypass' SandboxIE yet strangely few real examples of malware proven to do so. :rolleyes: As dw426 stated, there's little time for anyone to even attempt this feat due to the constant development of the product, the guy never sleeps!
    As for the whole keylogger 'issue', simply just run a secured browser sandboxed, not a naked IE.
     
    Last edited: Feb 2, 2009