Reported Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Aug 20, 2009.

Thread Status:
Not open for further replies.
  1. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Thank You, Franklin.
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Would DW have blocked this in the situation where you use untrust your SBIE folder, but your browsers run as trusted within SBIE? i.e. anything that breaks out of the sandbox is meant to be captured as untrusted by DW.
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,042
    Hi All

    Very interested in this thread.

    ssj100 mentioed about giving read only access to C:\Windowsie

    " In each sandbox, configure Read-Only access to C:\WINDOWS"

    I have two questions:

    1) could someone explain exactly how to configure Sandboxie to achieve this please? Is it via Sandboxie Settings/Resource Access/File Access/Read Only Access Then add C:\Windows?

    2) SSJ100 suggests this is one of a number of ways to bullet proof Sandboxie. Why is giving read only access to C:\Windows better than leaving it just Sandboxed? Surely no access is better than what is being proposed.

    Thanks

    Terry
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Now I know why I have MOST of my windows xp services including print Spooler DISABLED.
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    This is exactly the point I have tried to make MANY MANY times in the passed. What is the difference between using sandboxie to deny programs from Running or using a HIPS to deny programs from Running?? Every time a sandboxie bypass such as this is revealed the same old people in these forums always say just configure sandboxie to deny all other programs from running in the start run settings. So again I ask why not just use a HIPS or a Anti Executable program??
     
  6. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Crikey is nothing sacred in the world malware making, not our saviour Sandboxie. For this was our last salvation from ye evil souls!

    Seems like a fair few variables needed to get whacked by this.

    Anyway. The thing with adding blocking paths to sandbox rules ... is ... that whilst you are actually in the sandbox the real time consequences of malware can be felt on your system. Although you are in Sandboxies "virtual" climate, you are still computing real time - effects can be felt. So to have blocking paths say to C:\ just gives you some extra coverage in real time whilst allowing use of Sandboxies virtual area. But it is a balance; you ideally want to use Sandboxies protection and go about browsing or real time application functionality.

    Blocking C:\ registry paths to write "read only" is a good balance between real time protection and application functionaility. Blocking C:\ inside the File Access section goes that one step further and you will loose a significant usability of an application.
     
  7. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Well if you want a safe way to see for yourself the results of adding C:\ to a blocked file access path. Add this rule to a chat messenger, which is a safe app to try. You'll notice that no icons show - no avatars, display pics. You lose some of the applications usability - real time usage
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That sounds interesting. I haven't had time to look at this "exploit", but from what I've read in this thread it seems it's something to do with manipulating the print spooler service to install a rootkit driver, and this requires the service to not be running during the attack.

    If you guys want to confirm whether this is a flaw in Sandboxie or a flaw in Windows, there should be a very simple way to do that. Just test this malware/exploit in a limited user account. First make sure the print spooler service is set to manual and is not running. Then run Sandboxie in that limited user account, and then execute the malware sample inside the sandbox. Observe what happens. Then repeat for completeness, but this time execute the malware sample outside Sandboxie. If the malware can still install drivers in either case, then it would seem to me that there's a serious flaw in the print spooler service. If the malware can't install drivers, then the flaw is in Sandboxie. As always, stuff like this should be done on test systems, not on mission critical systems.
     
    Last edited: Aug 21, 2009
  9. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
  10. demonon

    demonon Guest

    Tzuk said this once.
    And you have to agree with him, no software is perfect.


    Also, this is what Tzuk says about this so called exploit:

     
  11. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    635
    Location:
    Terre Haute, IN
    Any idea when 3.39.09 is going to be available? I have version 3.38 and when I attempted to update today I was advised I had the latest version. As always I appreciate all replies and would thank you in advance.

    John
     
  12. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I run Sandboxie under a LUA so I guess I would have been safe anyway.

    and 3.39.09 is available now
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Spooler has for some unknown reason, always wanted to connect out. This includes going back to 98SE days too !

    Even on a fresh installs of 98SE or XP with just the OS and ZoneAlarm installed, spooler ALWAYS before long attempted to go out.

    I never found out why or to where, but found it VERY strange indeed. That's why for years i've blocked it at the firewall. In fact i've even disabled from running at all, as i use a different PC for printing.

    It would be more than interesting to discover the real meaning of why it does that.

    I have a feeling it's a Microsoft thing !
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It's looking for network printers and such. That's what it does.
     
  15. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    635
    Location:
    Terre Haute, IN
    Reimer I cannot find version 3.39.09 on the Sandboxie page. Can you please advise as to where it is so that I might download it? Thanks!

    John
     
  16. demonon

    demonon Guest

    Not only that, it also takes care for printing in general.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Sure. It is called the print spooler service after all. But, StevieO wondered why it would want to "connect out". And that's because it's looking for network printers and/or preparing to later receive printing tasks from the network. It's not local printing tasks that cause it to "connect out", as far as I know, anyway. :) Nothing mysterious or sinister about it, as long as it is the real spoolsv.exe and not some cleverly named malware.
     
  18. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    635
    Location:
    Terre Haute, IN
    Thanks ssj100 for the download information. I was afraid it was a Beta, think I will wait until it is officially released. Just a little afraid of Beta versions.

    John
     
  19. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    I have no problems with it.:thumb:
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Malware is allowed to run in GesWall but GesWall will stop the installer jus after a while due to its default policy restrictions. Here is log.
     

    Attached Files:

  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I grabbed a dropped file by running malware outside of GW and the tried to run it inside GesWall. Again it was contained well.
     

    Attached Files:

    • b.png
      b.png
      File size:
      89.5 KB
      Views:
      329
    • c.png
      c.png
      File size:
      28.6 KB
      Views:
      328
    • gw log 2.txt
      File size:
      538 bytes
      Views:
      3
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Some screenshots of driver being installed.

    1.png 2.png
    3.png 4.png
    5.png
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Gmer and RootRepeal.

    6.png
    7.png
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It,s totally unsafe ofcourse but sure I did it on purpose with necessary arrangements.
     
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Windchild

    Thanx for that !

    What's puzzling me though is, i'm not on a network nor ever have been. I don't have a Router either, just use a modem + FW. And no printer connected to this PC.

    So i can't see why spools tries to connect out ? Sure i could understand it might want to LOCALLY see if something was connected, but to attempt an outbound connection doesn't seem right ?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.