Reported Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Aug 20, 2009.

Thread Status:
Not open for further replies.
  1. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    There's been a report of a SBIE breach by a well-regarded poster in that forum. Apparently tzuk has confirmed it.

    I did a cursory review of the FAQ's in this (Wilders) forum to find out if it's acceptable to post a link to that thread since, within that thread, are additional links to the malware. I couldn't find a definite answer, but may have overlooked it. I'm posting the link below and will trust a mod to remove it if inappropriate.

    http://sandboxie.com/phpbb/viewtopic.php?t=6123

    One of the posts asks for testing volunteers.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice play. Let,s go for it.
     
  3. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    ouch, still, is good that tzuk is a very active developer, getting on with testing.
     
  4. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    wow this is rare news
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    not rare, poop happens and I really think we have only seen the tip of it. Another good reason to work with your vendor in fighting this crap. Only by doing so do you have a chance to have a win-win situation. Otherwise, it is going to be a cold ass winter.;)
     
  6. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    is it me or do you change your tune on a daily basis trjam? :p
    sorry to get off topic.
     
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    its pretty rare since u dont hear of TRUE breaches of sandboxie all that often...
     
  8. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    well this is the first i have read about, its a shame that vulnerabilities arent so rare in windows OS's.
     
  9. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I'm sure the developer will figure this out, he always does.
    Ice
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    true, tzuk does, but some folks should quit wrapping it in a silver liner. It has or can have, issues to.
     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, whatever this one turns out to be from a real Sandboxie vulnerability to possible misconfiguration or OS vulnerability, it shouldn't be too surprising or shocking to anyone. It's very difficult to code perfect software that has no flaws of any kind. And the more popular a software becomes, the more likely it is that those flaws are found either accidentally or on purpose by someone who has some reason to be interested in looking for them.

    Well, one might want to consider the fact that a full operating system like Windows is orders of magnitude more complex than Sandboxie and has boatloads more features. So, it would be genuinely amazing if an operating system would have as few vulnerabilities as a far, far simpler software. There's also that the amount of vulnerabilities that have been discovered and reported in public really doesn't automatically equal the number of vulnerabilities that truly exist in a software - there are most likely many flaws that just haven't gotten public yet. Not a second goes by in the world without someone working on finding vulnerabilities in something as popular as Windows. On the other hand, some far more rare software can exist for days, months and even years without anyone except the author seriously looking for vulnerabilities in them. Most of the people who are searching for vulnerabilities aren't looking for them in something like Sandboxie. They're looking for flaws in popular operating systems, server software, browsers and the like.
     
  12. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Does this malware also bypasse Defensewall and GesWall?
     
  13. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    This is why I will always use a strong firewall.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SBIE latest beta - bypassed
    GesWall- intact( malware will not run as installer stops).
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Nice piece of malware but still unable to run with Sandboxie's start/run access settings in place.

    me.JPG
     
  16. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec

    Thanks Aigle for testing it with Geswall :D

    I suppose we can assume that defensewall will also have no problem stopping it :rolleyes:
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    For the exploit to work the Windows XP spooler service must be set at manual and not started at the time of install.

    If spooler service is set at default and has started there is no exploit, or at least that's how I think it works.

    With Geswall or Defensewall are you able to grab any droppers?

    Droppers.JPG
     
  18. wat0114

    wat0114 Guest

    Hi ssj/Franklin,

    which rule(s) will stop this exploit?
     
  19. wat0114

    wat0114 Guest

    Thank you ssj. That's what I thought, so what I want to get at is this: isn't this no different than denying a program from running with a HIPS or similar anti-executable program, as well as UAC or SRP, for example? Even you said earlier in this thread a test is only valid if the executable is allowed to run, as I also advocate this condition when testing ;) I don't know about you and others who use SB, but I have used it to launch suspect executables in it to view their behavior, looking for suspicious activity in the process, all the while expecting SB to fully contain the executable activity. Otherwise, I agree with this step 2 configuration for preventing unexpected file activity.
     
  20. thathagat

    thathagat Guest

    :thumb:
    and most others security apparatus too can be pretty effective if configured correctly....the key word though is "if"
     
  21. wat0114

    wat0114 Guest

    No arguments here, and right about properly configured Sandboxie bullet proof against stopping the unexpected . I'm still using Virtualbox running my Sandboxied browser within it. This VB program is awesome. I love the ability of reverting to a previous snapshot at the drop of a dime :D
     
  22. thathagat

    thathagat Guest

    now thats akin to hunting a lion in a zoo...chained and sedated;) poor caged malware :D it can't run...phone a friend and has its rights dropped
     
    Last edited by a moderator: Aug 21, 2009
  23. wat0114

    wat0114 Guest

    I thought about that but it only works if I run as admin in my host O/S, so a kind of catch 22. I prefer to run as I do because the host is bolstered against possible - although I'd say highly unlikely - leaks, because it is LUA/SRP. I know Franklin will love this last part :D

    Aww heck, who cares. This playing around using different ideas for security is a great learning experience and, I'll admit in my case, a kind of addictive hobby :) I'd be too embarrassed to convey the number of licenses I own for security software I haven't used in ages :oops: but all the same I'm happy to support developers of worthy products.
     
  24. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Franklin Said:
    "For the exploit to work the Windows XP spooler service must be set at manual and not started at the time of install."

    I not only have my Firefox browser sandbox configured to allow only
    internet access to Firefox,but also to only allow firefox to start in the sandbox.
    As part of my "cut the fat" regime,I have Print Spooler Service disabled as I do not need it.
    So where is "disabled" in terms of thwarting this malware?
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If spooler is set to disabled then there is no exploit.

    If spooler is at default auto and running there is no exploit.

    If spooler is set at manual and running there is no exploit.

    If spooler is set at manual and not running then there seems to be an exploit.

    If spooler is set at manual and not running with start/run restrictions in place then there is no exploit.
     
Loading...
Thread Status:
Not open for further replies.