is this a hole in sandboxie?

Discussion in 'sandboxing & virtualization' started by Konata Izumi, Sep 30, 2011.

Thread Status:
Not open for further replies.
  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    m00nbl00d, this is not true. Being specific, if the downloads folder is forced and named "Downloads", a text file will certainly open sandboxed.
    WMP, 7Zip wont but if these programs are forced, its files will open sandboxed in its own sandbox.

    Bo
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I mentioned *.txt as a pure example. I truly don't remember if *.txt would be affected.

    Read this.

    Also, please read what Tzuk and others mentioned here.

    And, obviously if I'm forcing folder A to run sandboxed, and if the file is a text file, what the heck does WMP or 7zip have got to do with anything? I'm not understanding what you're trying to achieve with this.

    The thing is, the file may not always open sandboxed. I still haven't come across such situations, but reading those threads it clearly shows others have, and it's a limitation of the "Forced Folders" feature, as Tzuk mentioned. Now, if you're saying they're not telling the truth... that's something totally different. :D
     
    Last edited: Oct 2, 2011
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    Exactly, you dont know but you are saying Txt is affected when is not. I mentioned WMP and 7Zip because THEY are affected. Other than Windows Picture and Fax viewer, WMP and 7Zip, nothing else is affected that I know.

    Another thing that you don't know, as you are a SBIE part time user, is that files of those programs that are affected will still open sandboxed in its own sandbox if they are forced programs. JPGs is an exception, that's why I use a sandboxed Windows Explorer to open them.

    Don't exaggerate, that's all.

    Bo
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    First, I never mentioned that *.txt were affected. Have I ever said they were?

    Second, I mentioned *.txt, because Tzuk mentioned it in one of his replies in the thread I pointed you to over Sandboxie's forum.

    I'm more than aware that by forcing an application to run in sandbox, they will run inside the sandbox. No need to lecture me. :)

    Exaggerate? Are you for real? I mentioned *.txt because I saw it mentioned by Tzuk, and I'm exaggerating? :eek:

    Or, am I exaggerating for suggesting Page42 to always open Explorer sandboxed first (actually have a shortcut for that)?

    Seriously, your definition of exaggeration is a bit "concerning", considering what I explained above.

    Why it is then when something is said about Sandboxie, Sandboxie purist* users always feel like they got the need to fight back a non-existing fight?

    *Users that use Sandboxie at all times, unlike those who used them for some specific stuff, like me. No intentions to be rude with the word purist.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Really? User ssj100 talked about something different, in the threads I mentioned.

    And, no one in there contradicted him.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    If you read what you said on a previous post by you, it sounds pretty clear that you are saying Text files are affected when they are not.
    I think its a great idea to have a sandboxed Windows Explorer shortcut but I prefer, if possible, to have my programs open in its own sandbox or in a forced folder and that's how I do it.

    "I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed"

    Thats in the past m00nbl00d. One more time, you don't know what you are talking about as that situation for WMP it does not happen anymore. In my computer WMP files will open sandboxed in its own sandbox when the files are placed on a forced folder. They will not open in the forced folder but do open sandboxed in its own sandbox.

    With all due respect to SSj, he should get that fix.

    Bo
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    m00nbl00d, let me add, for JPGs, we can use the sandboxed Windows Explorer or right click on them as they wont open sandboxed otherwise. Thats what I use the sandboxed Explorer for but WMP will open sandboxed when it is a forced program, no matter what.

    Bo
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Because you got WMP forced to open in its own sandbox, correct?

    I just gave it a quick test... because I do like to have evidence on which I can base what I say... and I set WMP as my default player (I usually have VLC), and I forced a folder with media files in it to open in a sandbox.

    Guess what? WMP opened outside the sandbox. Why? Because WMP was not forced to run!

    Don't come with such superiority crap on me, please. The fact is, as user ssj100 mentions, if these files are on a forced folder, they will still open outside the sandbox! And, once again, I'll say that they open outside of the sandbox, because, regardless of the folder being forced... WMP is not.

    Forcing an application won't take away the fact that forcing a folder doesn't always work! And, that's all what I am saying. For some reason, you're failling to understand that.

    We're talking about two distinct features: Forced Folders and Forced Programs.

    I know my facts... You seem not to know yours. Quite an irony for such a full time Sandboxie user...
     
    Last edited: Oct 2, 2011
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    By forcing the program, you overcome the limitation. There is nothing wrong with doing that. You fail to see the point of doing so.

    Bo
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    No, you are talking about the features while I am talking about how to make Sandboxie succeed, despite its limitations. Big difference.

    Bo
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557

    we're trying to help fix the problem with forced folders here which we think is giving us false sense of security, while you shoving your workarounds (with the help of sandboxed explorer and forced program) which we already know how to do.


    sandboxie's forced folder has limitations but those limitations might/can still be improved/fixed and I don't think your arguments help.
     
    Last edited: Oct 3, 2011
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're only revealing that you fail to understand the core issue here.

    As an example, I'll mention a recent event with Sandboxie. Some person over Sandboxie's forum came with a PoC that would create a user account in the real system. Before that, another user had already mentioned that a legit application, that he/she installed in a sandbox, managed to do exactly the same thing.

    Now, one of Sandboxie claims/features is that it allows us to install software in a sandbox and then ditch it, if we want so.

    I got this from www.sandboxie.com

    Now, YOU could argue that any user could enable the setting Drop Rights, but that would kill the purpose of being able to install software in Sandboxie, wouldn't it?

    So, what was the solution to the problem that was brough to Tzuk's attention? The solution was to fix the damn problem. Why? Because enabling Drop Rights was not the solution, because users could no longer install software in a sandbox.

    Now, let's bring in Forced Folders. It is an independent feature from Forced Programs. One does not depend on the other, so they're independent.

    Forcing a program won't take away the fact that there's an issue with the Forced Folders feature.

    You're seeing this as YOU and only YOU and your workarounds... This isn't about you or me. This is about anyone using Sandboxie or that will use Sandboxie.

    Sandboxie has a feature called Forced Folders. I may want to force a folder where I got media files I download from the Internet or that friends give me, and force that folder to its own sandbox, and since Sandboxie does have this feature, I'd expect and I'd wish that Sandboxie does force the media files to open in the sandbox.
    But, I may not want the media player itself to be sandboxed, at all. I'd only like to have it sandboxed to this or that folder.

    And, that's a feature that Sandboxie happens to have. The problem is it's not working as it should, and if Tzuk could do something about it, it would be great. And that would be the solution.

    Workarounds are never the solutions, but only temporary fixes until the solution fixes the core problem.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Precisely...Big difference. I'm talking about apples and you're talking about oranges, and then you say that I'm wrong and exaggerating... when you're the one who's been wrong and exaggerating since the beginning.
     
  14. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Sandboxie 3.59.05 beta released.
    can't find changelog :D
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Can we ever?
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,162
    Location:
    Nicaragua
    @moonblood
    When I said that you are exaggerating, I said it because you make it sound like any program at any time can fail to open in a forced folder and that moonblood it is an outrageous exaggeration. Yesterday, you did not even know whether Notepad is one of the programs that fail to open in a forced folder. moonblood, most of what I can tell you about SBIE, comes not from reading about it, but comes from my personal experience using this program and only three programs have EVER failed to open sandboxed in a forced folder in my PC. The workarounds are easy, work just fine and have been mentioned over and over on this thread so I wont mention them again.

    This (Old)issue that affects WMP and Windows Fax and Picture Viewer, causing those programs not to open sandboxed in the forced folder, also affects other sandboxing programs. This is not a SBIE issue but a sandboxing issue.

    Nothing in life is perfect, you should keep that in mind.

    This is my last reply.

    Bo
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    About this part of your reply, I have this to say - You totally lost your reason, and start to mention things I never mentioned. Never once I mentioned Notepad. I mentioned *.txt because I saw it mentioned by Tzuk (Sandboxie's author) as well. He mentioned such file type as well, so who am I to say that they weren't affected or can't be affected at some point, depending on what program the user uses to open *.txt files?

    Again, I never once mentioned Notepad. You are simply assuming that anyone opening *.txt files is using Notepad... but whatever...

    I never said this was strictly related to WMP, Windows Picture Viewer and Windows Fax. I mentioned those as the examples that were given in Sandboxie's forum.

    You're totally right on that. The big difference is, if it's possible to make Sandboxie handle Forced Folders feature more efficiently, then why wouldn't I want it to be improved?

    It honestly sounds like you got something against Sandboxie that makes you not want each feature to work flawlessly. Kind of an irony for a Sandboxie paid user, but OK... Guess what? If possible, I'd like for each Sandboxie feature to work flawlessly. Sue me for that... :D

    Anyway, this is also my last reply to you, considering you're still having a hard time figuring out what's the core issue here.

    If you truly believe that what you're saying really helps Sandboxie become more efficient...

    Anyway, I'll say it again - Forcing a process name to run sandboxed won't solve the issue with Forced Folders, and that's something you're having a hard time to understand.

    Yup... you're clearly failing to understand what the issue is... You keep talking about Forced Programs, while we're talking about Forced Folders, but it's useless to say anything to you, because you're still failing to understand this is not about you forcing an application... :D

    See ya...
     
  18. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    May the force be with you all~

    so... any progress on the issue? :)
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    When using the forced folders, a user should be able to count on any file within that directory to become sandboxed upon execution. Period. That is what a "forced folder" is supposed to do.

    The issue of WMP is a documented one. I wish it were seamless, but it is not. One must account for that. Full disclosure of all these "issues" would be nice, so one can take the steps needed to handle them. These are "annoyances" IMO, although I would like to see them fixed for good.

    The issue of a certain subdirectory level or a certain character length directory causing an escape of the sandbox is, IMHO, a very serious issue. It "seems" to me like a code oversight, as if there were a statically assigned value there, or an older function/method/property that was used in the code. Don't know, doesn't matter. All that does matter is we know it exists, and hopefully Tzuk will be able to correct the situation.

    I would like to know if it is possible for a sandboxed process to exploit this or not. My thoughts are it is not possible. If a browser is sandboxed, and it creates this long named directory, then executes a file within it, the new process should be forced into the same sandbox as the browser, as it should inherit this. I think the issue arises only when the user executes the file from the real OS.

    It falls back to the user at this point to be aware of such a flaw until it is fixed. Being creative and making sandboxes or sandbox rules is really beside the point, as that is only covering the problem up with a temporary bandage. The author needs to correct the situation permanently for SBIE to retain its level of protection.

    While I would not click willy-nilly in my forced folders, some might. I see this as a pretty critical flaw in SBIE, especially once malware authors find out about it. While the threat is not that great since it requires one to manually start the process, it is still a threat that is unchecked by default.

    Sul.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :thumb:
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not worried. Still the best security program I've found.
     
  22. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    No doubt about it.
    Tzuk has always been responsive! :thumb:
     
  23. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,582
    :thumb: :thumb: :)
     
  24. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    I guess a PDF exploit can do the trick. Although I haven't tested it against a real pdf exploit, but I found that if you randomly rename a folder to max and force it to run under sandbox and execute a PDF file inside it, then you will find that your pdf file will be executed outside sandbox, same with a docx file. So imagine if docx file have some kind of Macro-Virus then it may run outside a sandbox..
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is from Sandboxie's forum:

     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.