Reported Sandboxie breach

Thank You, Franklin.

 

Would DW have blocked this in the situation where you use untrust your SBIE folder, but your browsers run as trusted within SBIE? i.e. anything that breaks out of the sandbox is meant to be captured as untrusted by DW.

 

Hi All

Very interested in this thread.

ssj100 mentioed about giving read only access to C:\Windowsie

" In each sandbox, configure Read-Only access to C:\WINDOWS"

I have two questions:

1) could someone explain exactly how to configure Sandboxie to achieve this please? Is it via Sandboxie Settings/Resource Access/File Access/Read Only Access Then add C:\Windows?

2) SSJ100 suggests this is one of a number of ways to bullet proof Sandboxie. Why is giving read only access to C:\Windows better than leaving it just Sandboxed? Surely no access is better than what is being proposed.

Thanks

Terry

 

Now I know why I have MOST of my windows xp services including print Spooler DISABLED.

 

This is exactly the point I have tried to make MANY MANY times in the passed. What is the difference between using sandboxie to deny programs from Running or using a HIPS to deny programs from Running?? Every time a sandboxie bypass such as this is revealed the same old people in these forums always say just configure sandboxie to deny all other programs from running in the start run settings. So again I ask why not just use a HIPS or a Anti Executable program??

 

Crikey is nothing sacred in the world malware making, not our saviour Sandboxie. For this was our last salvation from ye evil souls!

Seems like a fair few variables needed to get whacked by this.

Anyway. The thing with adding blocking paths to sandbox rules ... is ... that whilst you are actually in the sandbox the real time consequences of malware can be felt on your system. Although you are in Sandboxies "virtual" climate, you are still computing real time - effects can be felt. So to have blocking paths say to C:\ just gives you some extra coverage in real time whilst allowing use of Sandboxies virtual area. But it is a balance; you ideally want to use Sandboxies protection and go about browsing or real time application functionality.

Blocking C:\ registry paths to write "read only" is a good balance between real time protection and application functionaility. Blocking C:\ inside the File Access section goes that one step further and you will loose a significant usability of an application.

 

Well if you want a safe way to see for yourself the results of adding C:\ to a blocked file access path. Add this rule to a chat messenger, which is a safe app to try. You'll notice that no icons show - no avatars, display pics. You lose some of the applications usability - real time usage

 

That sounds interesting. I haven't had time to look at this "exploit", but from what I've read in this thread it seems it's something to do with manipulating the print spooler service to install a rootkit driver, and this requires the service to not be running during the attack.

If you guys want to confirm whether this is a flaw in Sandboxie or a flaw in Windows, there should be a very simple way to do that. Just test this malware/exploit in a limited user account. First make sure the print spooler service is set to manual and is not running. Then run Sandboxie in that limited user account, and then execute the malware sample inside the sandbox. Observe what happens. Then repeat for completeness, but this time execute the malware sample outside Sandboxie. If the malware can still install drivers in either case, then it would seem to me that there's a serious flaw in the print spooler service. If the malware can't install drivers, then the flaw is in Sandboxie. As always, stuff like this should be done on test systems, not on mission critical systems.

 

Based on Tzuk's comments, it looks like the hole has been plugged. http://sandboxie.com/phpbb/viewtopic.php?p=39975#39975

 

Tzuk said this once.
And you have to agree with him, no software is perfect.


Also, this is what Tzuk says about this so called exploit:

 

Any idea when 3.39.09 is going to be available? I have version 3.38 and when I attempted to update today I was advised I had the latest version. As always I appreciate all replies and would thank you in advance.

John

 

I run Sandboxie under a LUA so I guess I would have been safe anyway.

and 3.39.09 is available now

 

Spooler has for some unknown reason, always wanted to connect out. This includes going back to 98SE days too !

Even on a fresh installs of 98SE or XP with just the OS and ZoneAlarm installed, spooler ALWAYS before long attempted to go out.

I never found out why or to where, but found it VERY strange indeed. That's why for years i've blocked it at the firewall. In fact i've even disabled from running at all, as i use a different PC for printing.

It would be more than interesting to discover the real meaning of why it does that.

I have a feeling it's a Microsoft thing !

 

It's looking for network printers and such. That's what it does.

 

Reimer I cannot find version 3.39.09 on the Sandboxie page. Can you please advise as to where it is so that I might download it? Thanks!

John

 

Not only that, it also takes care for printing in general.

 

Sure. It is called the print spooler service after all. But, StevieO wondered why it would want to "connect out". And that's because it's looking for network printers and/or preparing to later receive printing tasks from the network. It's not local printing tasks that cause it to "connect out", as far as I know, anyway. Nothing mysterious or sinister about it, as long as it is the real spoolsv.exe and not some cleverly named malware.

 

Thanks ssj100 for the download information. I was afraid it was a Beta, think I will wait until it is officially released. Just a little afraid of Beta versions.

John

 

I have no problems with it.

 

Malware is allowed to run in GesWall but GesWall will stop the installer jus after a while due to its default policy restrictions. Here is log.

 

I grabbed a dropped file by running malware outside of GW and the tried to run it inside GesWall. Again it was contained well.

 

Some screenshots of driver being installed.

 

Gmer and RootRepeal.

 

It,s totally unsafe ofcourse but sure I did it on purpose with necessary arrangements.

 

Windchild

Thanx for that !

What's puzzling me though is, i'm not on a network nor ever have been. I don't have a Router either, just use a modem + FW. And no printer connected to this PC.

So i can't see why spools tries to connect out ? Sure i could understand it might want to LOCALLY see if something was connected, but to attempt an outbound connection doesn't seem right ?