Sandboxie bypassed

Discussion in 'sandboxing & virtualization' started by trismegistos, Feb 5, 2011.

Thread Status:
Not open for further replies.
  1. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Potential bypass (add user account)

    "This PoC seems to be able to add an user account despite it being run in sandboxie. Closing the application and deleting the SB contents doesn't delete the account."

    -http://ssj100.fullsubject.com/t370-sandboxie-bypassed
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Last edited: Feb 5, 2011
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Also doesn't work if UAC is enabled or Drop My Rights within SandboxIE is enabled. Running with dropped rights in SandboxIE is a pretty fundamental concept.
     
  4. wat0114

    wat0114 Guest

    Also does not work in a limited user account. Another fundamental concept that many don't want to accept.
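    An added example, not from the thread, the PoC, or Sandboxie's own tooling: a host-side PowerShell check that covers the two points raised above. It reports what the current token can do (full admin, UAC-filtered admin, or limited user, which is what decides whether an account creation inside the box can succeed at all), takes a snapshot of local account SIDs before the sample runs, and after "Delete Contents" reports any account that survived, plus Security event 4720 for who created it. Assumptions, labelled in the comments: Windows with PowerShell 5.1+ (Get-LocalUser), an elevated shell with "Audit User Account Management" enabled for the event query, Sandboxie injecting SbieDll.dll into sandboxed processes, and an illustrative snapshot path.

```powershell
# Added example, not from the thread or from Sandboxie's own tooling.
# Goal: (1) show what the current token can do, i.e. whether UAC, Drop My
#       Rights or a limited account would even allow account creation, and
#       (2) detect an account that survived "Delete Contents".
# Assumptions: Windows with PowerShell 5.1+ (Get-LocalUser); reading the
# Security log needs an elevated shell and "Audit User Account Management"
# turned on; Sandboxie injects SbieDll.dll into sandboxed processes; the
# snapshot path is illustrative.
param(
    [ValidateSet('before', 'after')][string]$Phase = 'before',
    [string]$SnapshotPath = "$env:TEMP\localusers-before.txt"
)

function Test-SandboxieInjected {
    # True only if THIS shell is sandboxed. Run the script from the host
    # shell so the snapshot and the comparison are taken outside the box.
    $names = (Get-Process -Id $PID).Modules | ForEach-Object { $_.ModuleName }
    return [bool]($names -contains 'SbieDll.dll')
}

function Get-TokenSummary {
    # Elevated = full administrator token (account creation works silently).
    # AdminGroup but not Elevated = UAC filtered token (creation needs a
    # consent prompt). Neither = limited user (creation is denied).
    $id         = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr         = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated   = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $groupSids  = $id.Groups | ForEach-Object { $_.Value }
    $adminGroup = $groupSids -contains 'S-1-5-32-544'   # BUILTIN\Administrators
    [pscustomobject]@{
        User        = $id.Name
        Elevated    = $elevated
        AdminGroup  = $adminGroup
        UacFiltered = ($adminGroup -and -not $elevated)
        LimitedUser = (-not $adminGroup)
    }
}

function Get-LocalUserSids {
    # SIDs rather than names: a renamed account still shows as the same SID,
    # a freshly created one as a new SID.
    @(Get-LocalUser | ForEach-Object { $_.SID.Value } | Sort-Object)
}

function Compare-UserSids {
    param([string[]]$Before, [string[]]$After)
    # Accounts present now that were not in the pre-run snapshot. After
    # "Delete Contents" this list must be empty; anything here escaped.
    @($After | Where-Object { $Before -notcontains $_ })
}

function Get-UserCreationEvents {
    param([datetime]$Since)
    # Event 4720 "A user account was created" names the creator, which the
    # account list alone cannot. Empty if auditing is off or not elevated.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    NewUser   = $_.Properties[0].Value   # TargetUserName
                    CreatedBy = $_.Properties[4].Value   # SubjectUserName
                }
            }
    } catch { @() }
}

if (Test-SandboxieInjected) {
    Write-Warning 'This shell is itself sandboxed; run the check from the host.'
}

switch ($Phase) {
    'before' {
        Get-LocalUserSids | Set-Content -Path $SnapshotPath
        Get-TokenSummary
        "Snapshot written to $SnapshotPath; run the sample sandboxed, Delete Contents, then re-run with -Phase after"
    }
    'after' {
        $before = @(Get-Content -Path $SnapshotPath)
        $new    = Compare-UserSids -Before $before -After (Get-LocalUserSids)
        if ($new.Count -eq 0) {
            'No new local accounts: nothing escaped the sandbox.'
        } else {
            "ESCAPE: $($new.Count) account(s) not in the snapshot:"
            Get-LocalUser | Where-Object { $new -contains $_.SID.Value } | Select-Object Name, Enabled, SID
        }
        Get-UserCreationEvents -Since (Get-Item $SnapshotPath).LastWriteTime
    }
}
```

    Run `-Phase before` from the host shell, launch the sample in Sandboxie, close it and use Delete Contents, then run `-Phase after`. The token summary describes the host shell's token, which is what a sample started without Drop My Rights inherits; with Drop My Rights on, Sandboxie strips the Administrators group from the sandboxed process, so the `LimitedUser` case applies to the sample even when the host user is an admin.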
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately.

    Anyway, this is nothing that concerns me. I'm more concerned with what is undisclosed, but that would be for another topic. :D
     
  6. wat0114

    wat0114 Guest

    True, no need to be at all, but this might trigger some Sandboxie doomsday propaganda fud.
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    What if you have limited rights enabled, only what you want having internet/running privileges? Can it get past that?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but I do understand their concern. It seems it is necessary to have administrator rights for such a thing to happen, but we are, primarily, speaking of an application supposed to keep whatever changes happen to the system within the sandbox. After we're done, dispose of it. This should happen regardless of what account we're using.

    The same situation seems to have been reported before, regarding some application. -http://sandboxie.com/phpbb/viewtopic.php?t=9456

    It went unnoticed, though.

    The reason I mention I'm not concerned is that the use of sandboxes, be they automated ones or ones that have to be set up by the user, is not a complete reality, yet. But, a new scenario is emerging. I don't follow every security application, but from what I see others mention, COMODO has a sandbox, and AVAST is on its way to introducing one in avast! 6 as well. This will eventually become a new mechanism for attackers to bypass and search for flaws in.

    I've always been of the opinion that Sandboxie does have its flaws; it's a piece of software, and they all have flaws. The only reassurance is that sandboxes, and in this case Sandboxie, are not widely used.

    But, have no doubts that once sandbox use becomes a daily reality in most users' lives, we'll see more bypasses emerging.

    And, originally the author of this PoC was not even aiming at Sandboxie, but COMODO.

    So, while I agree that "this might trigger some Sandboxie doomsday propaganda fud", as you put it, would you think the same if sandboxes were a reality to most people? Or, would you be concerned? ;)
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Win 7 full blown admin - no UAC and Sandboxie does what I tell it to do. ;)

    [attachment: Exploit.JPG]
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello Franklin ;)

    Fair enough. :) But, what I had in mind when I wrote my previous post was a situation where a user would deliberately run a file inside a sandbox, without any restrictions, for whatever reason made the person run it that way, but always having in mind any modification would be disposed when deleting the sandbox.

    Should you find yourself in such a situation (just a hypothetical situation), wouldn't you end up with something outside the sandbox, when it was supposed to be deleted when disposing of it? If you think about it, Sandboxie (the application I care about; but, the same seems to, at least, apply to COMODO's sandbox) fails to do that job - dispose of any changes when the user deletes the sandbox.

    Anyway, this is not a real concern, IMO. Sandboxes are not massively used, so... But, when they come to be, I believe one should look differently at what a sandboxing application is and what is not. What is not, that's easy: infallible.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    But then again there are the people that need to wake up and realize that Sandboxie isn't perfect. Specifically, the people that seem to get giggles out of downloading malware and executing it in a live environment only protected by Sandboxie.

    If this was all you needed to stay protected, you'd think all AV companies would have a copy of Sandboxie for malware analysis.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I agree with that, although I think those purposefully initiating malware in a sandbox probably don't fall into a "typical" category.

    But as you suggest, sandboxing isn't perfect. To rely 100% on it can be done, if you have a well laid out plan. To simply install it, and use it "as is" and assume you are problem free is also possible, but could easily lead to many issues.

    I personally think that a tool like Sandboxie, when it is understood and configured properly for the job at hand, is as close to "secure" as one can get from one product, but only if it is used in a manner that supports the underlying philosophy. Of all the products I have used, except for uber HIPS where any/everything is questioned, Sandboxie can be for me the one 3rd party tool that truly does offer more than any other - but again, only because I have implemented it in a very specific way.

    Sul.
     
  13. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Sandboxie isn't perfect. Windows isn't perfect. Too many things aren't, indeed.

    It's very good... People like to have dislikes...

    For those who like the good things, there are always very good things. E.g.: Windows and SandboxIE...
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yes, and I did run the sample in a default box where the Comodo user account was created but it was gone on reboot thanks to my second layer full system virtualisation.

    So what have we really got here, a third obscure bypass of Sandboxie in several years and yet again some want to make an Everest outta it.

    Seems the witch hunters won't be happy till the m00n turns red with bl00d! LOL
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It may be obscure to you, but what about others who aren't even aware of other "second layer full system virtualisation"?

    So, it was one other security layer that you have implemented saving the day? I guess we can be thankful for the existence of such tools? ;)

    I guess it depends on whom is climbing the Everest. I remember a guy who did, and ended up having to cut his fingers. Burnt by the extreme cold. ;)

    Nice one! :D
     
  16. wat0114

    wat0114 Guest

    Nicely put. Franklin has proven over and over again, sadly to little avail, that Sandboxie ultimately performs gracefully when put through the wringer, especially so if people simply realize that a little effort and common sense on their part to supplement its effectiveness (this applies to any security setup) should be enough to completely avoid any malware infestation. Hopefully no one's expecting it to hold their hand throughout the process. Think about it for a moment: why on earth would you open some obscure macro or executable in the real system without first verifying its source? And at least in the event of an oversight, all you need is a backup/restore procedure in place, or the rollback that Franklin uses, and you've got practically nothing to worry about.

    Whoa, clever :D
     
  17. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    A fix for this issue will be soon released by tzuk...

    http://www.sandboxie.com/phpbb/viewtopic.php?p=63871#63871
     
  18. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
  19. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    thanks nanana1
     
  20. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    While this advice might work for the general user out there browsing the web, some can't accept it. For example, I'm a developer and I run too many things that require admin privileges (IIS for example). Running under a user account is impossible for me, but UAC basically does the trick, just as long as you analyze why UAC is coming up rather than blindly clicking yes.
     