is this a hole in sandboxie?

Discussion in 'sandboxing & virtualization' started by Konata Izumi, Sep 30, 2011.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I forced my D:\ partition to run sandboxed.

    I created a folder that has a subfolder in it and another subfolder in that subfolder and more...

    about 5-8 subfolders each folder has a "long name" :D

    Then I placed and executed a .txt file inside the last subfolder, which should open a sandboxed Notepad.
    But it was not sandboxed.


    if it was a malicious exe I'm doomed :(


    it was my friend who told me this :(
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good gosh, I hope not. I hope it's a mistake on your end, no offense. Glad you were not playing with malware at the time. If you can duplicate it and it is a hole, please report it to Tzuk. I would try to duplicate it but I am too darn lazy and too darn tired.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, I believe I've read at some thread over Sandboxie's forum that Sandboxie doesn't always intercept when a process is executed (or something like that), when forcing a folder to run sandboxed. I believe it was mentioned the best approach is to open a sandboxed Explorer first and only then navigate to the file in question and open it.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Well, nothing in the universe is perfect.

    Have you tested .exe files? .txt files are harmless.
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I'll do it tomorrow with the uTorrent installer.

    I'm off to a cosplay event now.
    Bye bye
     
  6. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    Yes. This is because the .exe, in this case Notepad, runs unsandboxed, because it doesn't belong to the forced folder. I can almost bet that you can't run executables the same way, because then they are force-sandboxed.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    If so, that leaves very few threats left, mostly only for outdated programs opening them.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I just tried it on my forced Downloads folder and USB drive and Notepad did open sandboxed. I did it with 3 subfolders.

    Bo
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Try renaming the folders, including subfolders, with long names.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Konata, tried it again and Notepad opens sandboxed. Did it with 7 subfolders placed on my forced downloads folders. Used names like Momotombo and Concepcion which I think are long enough.

    There are a couple of programs that won't open sandboxed even if the file is in a forced folder, but as far as I can tell, Notepad is not one of them. JPEGs won't open sandboxed unless you use a sandboxed Windows Explorer, if Windows Picture and Fax Viewer is your default picture viewer.
    WMP won't either, so I have it as a forced program to take care of that situation. 7-Zip is also one of those programs; I also have it as a forced program. As far as I know or can tell, all other programs have always opened sandboxed from a forced folder on my computer.

    Bo
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Longer... about 30 characters per folder name :D

    You need to create a very long path with the use of long-named subfolders and place the file to be executed on the longest path possible :D
     
    Last edited: Oct 1, 2011
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Why not post the path you used? That way the same scenario can be replicated.
     
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    YES! I confirmed this.

    You don't even require 7 sub-folders; just rename the first two folders with any random words up to their max limit, then create a text file inside them and execute it. It will be executed normally and will not be sandboxed. :ninja:

    EDIT 1:- An MS Doc file is also executed without getting sandboxed. Although, exe files are executed under the sandbox!

    EDIT 2:- You can unzip and zip your files without getting Sandboxed.
     
    Last edited: Oct 1, 2011
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I could reproduce it as well. But, you don't even need two folders. Just one folder suffices. Make sure you name the folder with many characters. I wrote random ones until I could no longer write any more.

    Anyway, this is an expected behavior. I mean, the fact that a file may not open inside the sandbox. Sandboxie does have an option to allow us to force folders, so this expected behavior freaks me a little bit. :D
     
  15. siberianwolf

    siberianwolf Registered Member

    Joined:
    Feb 15, 2009
    Posts:
    516
    This kinda resembles the issue I'm having w/ SBIE which I described in this post below:

    https://www.wilderssecurity.com/showthread.php?t=308569

    In the case I describe above, when those files/folders w/ very long names get created w/in a sandbox, those files become invisible, and you can't get to see the file's content till you alter the names of those files and shorten them by changing the names of a few folders (when the 'show hidden files' option is ticked). And then, only then, do you get to see the file, for instance the preview of an image if it's an image file. And only then can you erase the sandbox that contains them, for instance. And as you might guess, altering the file/folder names makes the process of secure/safe erasing/wiping meaningless/useless.
    Cheers
     
    Last edited: Oct 1, 2011
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    By naming folders (2) using the maximum allowed number of letters, Notepad did not open sandboxed on my PC in my forced Downloads folder.

    Bo
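An added check for the behaviour confirmed in posts 13 to 16 (example code, not Sandboxie's own): it reads ForceFolder entries from a Sandboxie.ini fragment and flags files under a forced folder whose full path is long enough to hit the reported bypass. The 260-character Win32 MAX_PATH threshold and the sample ini text are assumptions; the thread only says the folder names were at their maximum length.

```python
"""Audit ForceFolder entries for paths long enough to hit the bypass
reported in this thread.  Added example, not Sandboxie's own code.
Assumptions: Sandboxie.ini lists ForceFolder=<path> lines under a box
section, and 260 chars (Win32 MAX_PATH) is the length at which the
reported behaviour appears; the thread only says "maximum allowed"
folder names, so the exact cut-off is an assumption."""
import ntpath

MAX_PATH = 260  # Win32 MAX_PATH; assumed threshold, see docstring

# Constructed Sandboxie.ini fragment (sample values, not from the thread).
SAMPLE_INI = """
[DefaultBox]
Enabled=y
ForceFolder=D:\\Downloads
ForceProcess=7zFM.exe
ForceProcess=wmplayer.exe
"""

def parse_force_folders(ini_text):
    """Return normalised, lower-cased ForceFolder paths from every section."""
    folders = []
    for line in ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "forcefolder":
            folders.append(ntpath.normpath(value.strip()).lower())
    return folders

def is_under(path, folder):
    """Case-insensitive test that `path` lies inside `folder`."""
    p = ntpath.normpath(path).lower()
    return p == folder or p.startswith(folder.rstrip("\\") + "\\")

def audit(paths, ini_text, limit=MAX_PATH):
    """Return (path, length) for files inside a forced folder whose full
    path is at least `limit` chars, i.e. candidates for opening outside
    the sandbox.  Files outside any forced folder are not reported."""
    folders = parse_force_folders(ini_text)
    return [(p, len(p)) for p in paths
            if any(is_under(p, f) for f in folders) and len(p) >= limit]

# Constructed test paths: one short, one built from two max-length
# (255-char) folder names as posts 13 to 16 describe, one not forced.
SHORT = r"D:\Downloads\Momotombo\Concepcion\readme.txt"
LONG = "D:\\Downloads\\" + "a" * 255 + "\\" + "b" * 255 + "\\readme.txt"
NOT_FORCED = "C:\\Temp\\" + "c" * 255 + "\\readme.txt"

if __name__ == "__main__":
    for path, n in audit([SHORT, LONG, NOT_FORCED], SAMPLE_INI):
        print(f"{n} chars, opens outside forced folder rule? check: {path[:40]}...")
```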
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    This sort of test is always good for cursory fuzz testing. Long file names, long paths, massively embedded directories...
     
    Last edited: Oct 1, 2011
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Better keep your programs up-to-date, EMET'd, and virtualized.
     
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Thanks AvinashR and m00nbl00d for confirming :D

    A usermode malware, when executed, can create a folder with a long name and place an executable inside the folder to avoid forced sandboxing? o_O
     
  20. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    I was wrong with my earlier post, this definitely seems to be a security hole. Not a big one, but still. Has anyone reported it to Tzuk yet?
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi Bo
    So for now, users can avoid this condition by not trying to open folders with real long names in the forced download folder, no?
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hey Page, I would say the answer is yes as notepad opened sandboxed when I used folders with (about) 10 letter names.

    In all honesty, this does not worry me at all as I would never open a folder with a name that's made up of 200 letters.

    Bo
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm afraid you're missing the point. This isn't an issue that has to do only with long names. There are occasions, and feel free to search Sandboxie's forum, where Sandboxie will not force files to open in a sandbox (when a folder is being forced).

    Yes, what was mentioned here is a bit different, because it requires long path names, but even without long names (imagine your Downloads folder), even if you're forcing a folder's contents to open in a sandbox, you may find yourself in a situation where the file will open outside of that sandbox.

    It's preferable to open a sandboxed Windows Explorer and open the file from there.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I don't think you read my reply in post #10. m00nbl00d, for situations where the file does not open sandboxed from a forced folder, there are workarounds that work, like I mentioned in post #10. I use the sandboxed Windows Explorer for JPGs, but for WMP and 7-Zip, I like it and prefer that they open in their own sandbox.

    On this folder thing mentioned here, if the program is a forced program, the file will open in its own sandbox even though it's placed inside a folder that has a long name.


    Bo
     