Opera and Sandboxie failed

Discussion in 'other security issues & news' started by lunarlander, Jun 19, 2014.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    My box was recently broken into while I was running Opera in Sandboxie. The attacker was able to rename my 'Documents' folder to 'Public Documents'. I have noticed that while running inside Sandboxie, Opera was of 'UnTrusted' integrity level (as displayed in SysInternals Process Explorer). So I wonder how it was able to rename a folder that is 1) outside of the sandbox 2) of medium integrity. So I am now thinking that the attack broke in through Opera, broke through Sandboxie, was able to run a process under medium integrity (which Sandboxie is), and has a remote admin module as a payload. What do you think?

    The reason I think it broke through Sandboxie is because I tried running Firefox under Sandboxie, went to > File > Open, then tried to rename my Documents folder in the File Open dialog box. Sandboxie then prompted me to allow RunDll32, which I ignored. Well, then Firefox hung and I had to close it using Task Manager. So doing a file rename under Sandboxie was not possible because I only allow Firefox and Opera to run in the sandbox, and not rundll32.
     
    Last edited: Jun 19, 2014
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    It seems more likely that you got confused somehow between the actual 'Documents' and 'Public Documents' folders that already exist on Vista+. With all the junctions and libraries and different ways programs can display these, this would be understandable. If an attacker had a piece of malware that was able to bypass Sandboxie they'd likely be smart enough to know that simply adding 'Public' to a folder name has no impact on whether it is *actually* public or not and wouldn't bother.

    Sandboxie can do a lot if it's configured to do so. By default however it won't prevent files (including malware) from running, creating, renaming, or otherwise altering things 'inside the box'. It does however prevent these changes from persisting outside of the sandbox.

    That said, if you are sure it actually happened or are able to reproduce it and then verify there is no confusion between the real directories, check if the alteration persists after the sandbox has been closed and the sandbox contents deleted. If not then it's doing its job fine. If somehow such an alteration persists I'd next check the configuration for possible holes, e.g. an open file path. Then maybe head over to the Sandboxie forum and let them know what you think has happened.
     
    Last edited: Jun 19, 2014
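Following up on the advice above to check the configuration for holes such as an open file path, here is an added example (not code from either poster or from the Sandboxie project): a small Python audit that parses a constructed Sandboxie.ini fragment and lists every setting that lets a sandboxed program write straight to the host, flagging those that open a user profile folder. The sample config, the user name alice and the paths in it are constructed; the setting names OpenFilePath, OpenKeyPath, OpenPipePath and OpenIpcPath are Sandboxie's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sandboxie.ini fragment (not the poster's real configuration).
# On a real install the file is C:\Windows\Sandboxie.ini and is often UTF-16.
SAMPLE_INI = """
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
Enabled=y
OpenFilePath=C:\\Users\\alice\\Documents\\
OpenFilePath=opera.exe,C:\\Users\\alice\\Downloads\\
OpenKeyPath=HKEY_CURRENT_USER\\Software\\Example\\
ClosedFilePath=C:\\Users\\alice\\secrets\\
"""

# Settings that punch a hole through the sandbox: writes land on the host.
OPEN_SETTINGS = ("OpenFilePath", "OpenKeyPath", "OpenPipePath", "OpenIpcPath")

def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}; keys repeat, so no configparser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def find_open_paths(text: str) -> List[Tuple[str, str, str, str]]:
    """List (section, setting, program, path) for every host-exposing entry."""
    findings = []
    for section, entries in parse_sections(text).items():
        for key, value in entries:
            if key in OPEN_SETTINGS:
                # "program.exe,path" limits the hole to one process; a bare path applies to all.
                program, sep, path = value.partition(",")
                if not sep:
                    program, path = "*", program
                findings.append((section, key, program, path))
    return findings

def exposes_user_profile(path: str) -> bool:
    """True when the opened path lies inside a user profile, like the folder in this thread."""
    return bool(re.match(r"(?i)[a-z]:\\users\\[^\\]+\\", path))

if __name__ == "__main__":
    for section, key, program, path in find_open_paths(SAMPLE_INI):
        flag = " <-- user profile exposed" if exposes_user_profile(path) else ""
        print(f"[{section}] {key} program={program} path={path}{flag}")
```

Any entry it flags is a location where a renamed or modified file would persist after the sandbox contents are deleted, which is exactly the test suggested above.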
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    I don't think I have mistaken the \users\public\documents with \users\<myAccName>\documents. My \users\public\documents folder does not contain anything and I wouldn't have gone there.

    A couple of days ago, with Opera open, sandboxed, I tried to modify and upload a file, and found that I had no permission to modify the file - the ACLs were changed.
     