Is this a hole in Sandboxie?

Discussion in 'sandboxing & virtualization' started by Konata Izumi, Sep 30, 2011.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I forced my D:\ partition to run sandboxed.

    I created a folder that has a subfolder in it, and another subfolder in that subfolder, and more...

    About 5-8 subfolders; each folder has a "long name" :D

    Then I placed and executed a .txt file inside the last subfolder, which should open a sandboxed Notepad.
    But it was not sandboxed.

    If it was a malicious exe, I'm doomed :(

    It was my friend who told me this :(
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good gosh, I hope not. I hope it's a mistake on your end, no offense. Glad you were not playing with malware at the time. If you can duplicate it and it is a hole, please report it to Tzuk. I would try to duplicate it but I am too darn lazy and too darn tired.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, I believe I've read in some thread on Sandboxie's forum that Sandboxie doesn't always intercept when a process is executed (or something like that) when forcing a folder to run sandboxed. I believe it was mentioned that the best approach is to open a sandboxed Explorer first and only then navigate to the file in question and open it.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Well, nothing in the universe is perfect.

    Have you tested .exe files? .txt files are harmless.
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I'll do it tomorrow with the uTorrent installer.

    I'm off to a cosplay event now.
    Bye bye
     
  6. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Yes. This is because the .exe, in this case Notepad, runs unsandboxed, because it doesn't belong to the forced folder. I can almost bet that you can't run executables the same way, because then they are force-sandboxed.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    If so, that leaves very few threats, mostly only from outdated programs opening them.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I just tried it on my forced Downloads folder and USB drive, and Notepad did open sandboxed. I did it with 3 subfolders.

    Bo
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Try renaming the folders, including subfolders, with long names.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Konata, tried it again and Notepad opens sandboxed. Did it with 7 subfolders placed in my forced Downloads folder. Used names like Momotombo and Concepcion, which I think are long enough.

    There are a couple of programs that won't open sandboxed even if the file is in a forced folder, but as far as I can tell, Notepad is not one of them. JPEGs won't open sandboxed unless you use a sandboxed Windows Explorer, if Windows Picture and Fax Viewer is your default picture viewer.
    WMP won't either, so I have it as a forced program to take care of that situation. 7-Zip is also one of those programs; I also have it as a forced program. As far as I know or can tell, all other programs have always opened sandboxed from a forced folder on my computer.

    Bo
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Longer... about 30 characters per folder name :D

    You need to create a very long path with the use of long-named subfolders and place the file to be executed on the longest path possible :D
     
    Last edited: Oct 1, 2011
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Why not post the path you used? That way the same scenario can be replicated.
     
  13. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    YES! I confirmed this.

    You don't even require 7 sub-folders; just rename the first two folders with any random words up to their max limit, then create a text file inside them and execute it. It will be executed normally and will not be sandboxed. :ninja:

    EDIT 1:- An MS Doc file is also executed without getting sandboxed. Although, exe files are executed under the sandbox!

    EDIT 2:- You can unzip and zip your files without getting sandboxed.
     
    Last edited: Oct 1, 2011
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I could reproduce it as well. But, you don't even need two folders. Just one folder suffices. Make sure you name the folder with many characters. I wrote random ones until I could no longer write any more.

    Anyway, this is an expected behavior. I mean, the fact that a file may not open inside the sandbox. Sandboxie does have an option to allow us to force folders, so this expected behavior freaks me a little bit. :D
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    By naming folders (2) using the maximum allowed number of letters, Notepad did not open sandboxed on my PC in my forced Downloads folder.

    Bo
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    This sort of test is always good for cursory fuzz testing. Long file names, long paths, massively nested directories...
     
    Last edited: Oct 1, 2011
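The thread never posts the exact path that triggered the behaviour, which Cudni asked for. The script below is an added example, not code from any poster or from Sandboxie: it builds the three layouts the thread describes (two folders named to the limit, one folder with a very long name, and a deep chain of ~30-character subfolders) in a deterministic way so that testers can compare results on the same paths, and reports each path against the Windows limits (MAX_PATH of 260 characters, 255 characters per name component). The root, folder names, depths, name lengths and the probe file name are my assumptions; on Windows, `--create` writes the layout to disk using the `\\?\` extended-length prefix, and the manual check is then whether the Notepad window that opens the probe file carries the `[#]` marker Sandboxie adds to sandboxed windows by default.

```python
"""Reproducible long-path test layouts for checking forced-folder sandboxing.

Constructed test harness (not Sandboxie's code, not from the thread posters).
Assumed usage: run on Windows with the given root (default D:\) configured as a
Sandboxie forced folder, then open the generated probe.txt and check whether the
Notepad title bar shows the "[#]" marker Sandboxie adds to sandboxed windows.
"""
import os
import sys

MAX_PATH = 260        # classic Win32 path limit, counting the terminating NUL
MAX_COMPONENT = 255   # NTFS limit for a single file or folder name


def folder_name(index: int, length: int) -> str:
    """Deterministic, readable folder name of exactly `length` characters."""
    name = f"forced_folder_test_{index:02d}_"
    while len(name) < length:
        name += "abcdefghijklmnopqrstuvwxyz"
    return name[:length]


def build_layout(root: str, depth: int, name_len: int,
                 filename: str = "probe.txt", sep: str = "\\") -> str:
    """Return the probe file path: `depth` nested folders under `root`,
    each exactly `name_len` characters long (Windows separators by default)."""
    if name_len > MAX_COMPONENT:
        raise ValueError(f"folder name length {name_len} exceeds {MAX_COMPONENT}")
    parts = [folder_name(i, name_len) for i in range(depth)]
    return sep.join([root.rstrip("\\/")] + parts + [filename])


def classify(path: str) -> dict:
    """Report the path's length, depth and which Windows limits it exceeds."""
    components = [c for c in path.replace("\\", "/").split("/") if c]
    return {
        "length": len(path),
        "exceeds_max_path": len(path) + 1 > MAX_PATH,   # +1 for the NUL
        "longest_component": max(len(c) for c in components),
        "depth": len(components) - 2,                    # minus root and file
    }


# Constructed approximations of the three shapes described in the thread.
VARIANTS = {
    "two_max_length_folders": dict(depth=2, name_len=200),
    "single_long_folder": dict(depth=1, name_len=250),
    "deep_30_char_chain": dict(depth=8, name_len=30),
}


def create_probe(path: str) -> str:
    """Create the folders and probe file on disk (Windows only). The \\?\
    prefix lets CreateFile accept paths longer than MAX_PATH."""
    if os.name != "nt":
        raise RuntimeError("creating the layout only makes sense on Windows")
    target = path if path.startswith("\\\\?\\") else "\\\\?\\" + os.path.abspath(path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="ascii") as fh:
        fh.write("forced-folder probe\n")
    return target


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = args[0] if args else "D:\\"
    for label, spec in VARIANTS.items():
        probe = build_layout(root, **spec)
        print(f"{label}: {classify(probe)}")
        print("   ", probe)
        if "--create" in sys.argv:
            print("    created", create_probe(probe))
```

Run it without arguments to print the three candidate paths and their lengths; only the `deep_30_char_chain` variant stays near MAX_PATH, while the two long-name variants go well past it, so comparing which ones open unsandboxed tells you whether the trigger is total path length or individual name length. Different testers pasting the same printed path into a report removes the ambiguity that the thread's "about 30 characters" and "up to their max limit" descriptions leave.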
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Better keep your programs up-to-date, EMET'd, and virtualized.
     
  18. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Thanks AvinashR and m00nbl00d for confirming :D

    A usermode malware, when executed, can create a folder with a long name and place an executable inside the folder to avoid forced sandboxing? o_O
     
  19. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    I was wrong with my earlier post, this definitely seems to be a security hole. Not a big one, but still. Has anyone reported it to Tzuk yet?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hi Bo
    So for now, users can avoid this condition by not trying to open folders with really long names in the forced Downloads folder, no?
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hey Page, I would say the answer is yes, as Notepad opened sandboxed when I used folders with (about) 10-letter names.

    In all honesty, this does not worry me at all as I would never open a folder with a name that's made up of 200 letters.

    Bo
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm afraid you're missing the point. This isn't an issue that has to do only with long names. There are occasions, and feel free to search Sandboxie's forum, where Sandboxie will not force files to open in a sandbox (when a folder is being forced).

    Yes, what was mentioned here is a bit different, because it requires long path names, but even without long names (imagine your Downloads folder), even if you're forcing a folder's contents to open in a sandbox, you may find yourself in a situation where the file will open outside of that sandbox.

    It's preferable to open a sandboxed Windows Explorer and open the file from there.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I don't think you read my reply in post #10. m00nbl00d, for situations where the file does not open sandboxed from a forced folder, there are workarounds that work, like I mentioned in post #10. I use the sandboxed Windows Explorer for JPGs, but for WMP and 7-Zip, I like it and prefer that they open in their own sandbox.

    On this folder thing mentioned here, if the program is a forced program, the file will open in its own sandbox even though it's placed inside a folder that has a long name.


    Bo
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My reply was for Page42, due to his post.

    This isn't entirely correct, because as we both know, sometimes just because a folder is forced, it doesn't mean a file will necessarily open inside the sandbox. Which is why it is preferable to open a sandboxed Explorer first, and navigate to the file and open it from there.

    Long path names don't even come into play, I think. The issue is only that there are occasions where Sandboxie won't be able to intercept the program that opens the file, say a *.txt file. But this is regardless of long path names. It just happens that it happens with long path names as well.

    I just wanted to clarify that even with a simple downloads folder named "Downloads" or something like that, a file (say, a *.txt file) may not open inside the sandbox.

    This has been brought into Sandboxie's forum in the past. The only difference now being long path names.
     