Possible Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Mar 14, 2013.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, you want the PoC as an exe... Tzuk already has it. Maybe you, as a paid user (o_O) could kindly ask for it, so that you can be sure all he said is accurate, but then again, how can you be sure that the "PoC as an exe" wasn't recoded not to reflect the actual events? No way to be sure, unless one compiles the source code. I'd do it, if I could. Until then, we have to wait for a closure on this.

    I'm the kind of person that never takes sides. I'm a paid user, who unfortunately cannot verify this on his own (I cannot recompile the code and run it a spare machine)... I paid for a product. Someone provided the code that he states bypasses Sandboxie (version 4 as well, because version 3 is bypassed).

    Should I blindly take the word of Sandboxie's author? He's trying to sell his fish. He ended up admitting that version 3 is vulnerable, but this version is about to see the end of the light, so as user I could also see this whole story as a way for he to try to sell his new fish (by claiming it won't work on version 4).

    If no one's willing to recompile the code and test it, maybe (who claims there's no bypass) there could be a way to have a live session on Tzuk's side showing him recompiling, etc., and then test it? (What better alternative? o_O)
     
  2. chris1341

    chris1341 Guest

    The vast majority of us don't have the skills to compile the POC. Neither do we have the ability to test every aspect of the software we use. There has to be some trust involved.

    Trust is something that is earned. It rarely applies to people you don't know who have not proven reliability to you.

    If I didn't trust a supplier, especially a sole-trader like Tzuk, I would not use their products. You may try them because they have built up a reputation for reliability and if they work for you, you develop trust over time.

    Tzuk has earned my trust over the years because of his honesty and willingness to address issues with his product. I believe him when he says this does not effect version 4. Why? Because he's proved over the years he can be trusted.

    The risks to his reputation and the trust his customers put in him is too great to risk with something as silly as this.

    You also have to ask what happens is he has to prove to the nth degree every single claim someone makes against his product. No development and a hacked off developer unwilling to continue I would guess.
     
    Last edited by a moderator: Mar 20, 2013
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Tzuk or no developer should ever take the risk of providing anything that is malware, either POC or live. Since the person making the allegation suggested we test it for our selves, it is up to him/her to provide it, not the developer he to whom he gave it.

    Tzuk said there was no problem with 4 so that's the end for me.
     
  4. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Hi Sully, Hungry Man was referring to me. I should also have quoted him the way you did at post 37.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    If its not on my system or breaking out of sandbox on my system then The POC dont exist.IMO its like the invisible man.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
  7. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
  10. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
    hello. this exploit about true type font vulnerability itis not a new trick as it can bypass any security program via kernel mode
    the dugu malware exploits the weak T2embed.dll
    i dont know if the last sandboxie can stop this exlploit but there is a temporary workround here , open sandboxie ,Resource Access > File Access > Blocked Access and add c:\windows\system32\t2embed.dll
    the sandboxie will block the true type font engine t2embed.dll

    also posted here in the past:https://www.wilderssecurity.com/showthread.php?t=310195&page=4&highlight=sandboxie true type
     
    Last edited: Mar 20, 2013
  11. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
    @stvs
    good tip :)

    Yes, but later there was another one as well(which was also fixed) so there may be more in the future. With stvs's tip Sandboxie users can block access to t2embed.dll to prevent kernel exploits if they use vulnerabilities in fonts, but keep in mind that it won't protect against other kernel exploits. Not sure if there is any solution that can, though you could use software like Emet and ZVL Exploitshield to reduce chances of successfull exploiting.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    ExploitShield will do literally nothing to prevent kernel exploits. Same with EMET.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
    okay, good to know :D
     
  15. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Thanks Hungry Man for the info. My apologies for sounding rude earlier. Glad that you are still willing to input and update.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Don't worry about it.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What about AppGuard?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.