Sandboxie Has A Security Hole??

Discussion in 'sandboxing & virtualization' started by arran, Feb 1, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Has any one esle tried regtest and advanced process termination inside sandboxie??
    http://www.ghostsecurity.com/registrytest/
    http://tds.diamondcs.com.au/advancedseries/apt.php

    well they can both successfully shut down your pc and terminate other programs running outside of sandboxie.

    I allways thought that anything running inside sandboxie can't communicate with anything outside of sandboxie, Obviously that is not the case.

    Some people here will argue that you can use the setting
    "Start Run Access" so nothing else can run except the programs you allow.

    But what if you run mp3 video files or jpg picture files inside sandboxie with a
    malicious code attached. many mp3 and jpf files come with malicious code attached to them. So because you have to give permission to allow run access for your jpg and mp3 files the malicious code executes and does the same thing that regtest and advanced process termination can do.
     
  2. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    That is quite a concern. However, allowing sandbox to run only certain applications will certainly help here. Audio and video files with malicious payload shouldn't be a concern, unless you download from shoddy websites and/or P2P.
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, .jpg and .mp3 doesn't have malicious things inside by default. The only thing may be there are internal structure manipulations that cause buffer overflow errors within certain software.

    But there are .wma and .wmv files that contains an internal link to the "codec" need to play those files. Windows Media Player, by default, will download and run it. Ans- yes, that files may be malicious this case if this "codec" is, in fact, malicious software.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Well I gave I run it sandboxed with Drop my rights and it was also untrusted by defensewall also prevx edge trial pick up on it and when I deleted contents from the box it was gone even from Defensewalls untrusted list.It looke like DW and Prevx would have handle it just Fine.I have to try it just Sandboxie and shut down other apps.Here is prevx had to say and would have stopped with paid version.I trusted it still got nothing to happen I assume from being untrusted from DW.
     

    Attached Files:

  5. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    So far I'm not seeing anything that's making me shiver in my boots. It'll get fixed if it's deemed that big of an issue, and so far it really isn't. I think this is yet another case where someone found some test somewhere that claimed to do this and that, and decided to test it out on their favorite "indestructible" app. And, when it didn't get a 100% "no chance in hell is this going to happen" pass they were looking for, suddenly there's panic and the app goes from "Try to stop me now!"-good to "This app is useless".

    Please note Arran that I am NOT attacking you for posting this, all I am saying is that this kind of situation is starting to become an all too common occurrance.
     
  7. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I agree, and I think it is good that the OP posts what he has, Sandboxie along with Returnil are my favorite security software, so I have nothing against Sandboxie, quite the contrary, but when running software such as this, which is exceptionally good at protecting your computer, it's nice to be reminded that common sense still has a place in your security approach, no matter how good a security app is, sooner or later it will be defeated by something, even if only for a short time until patched.
     
  8. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Hi dw426. I know that there is allready a thread on the sandboxie forums, I have allready read it. The reason why I posted it here is because here there is a whole bunch of guys allways testing security Products. And I just wanted
    to see a wider range of opinions.

    I still think sandboxie is a great product and there is no way I am going to stop using it.

    I just want to find out if malicious codes attached to files you run in sandboxie can achieve the same thing as regtest and advanced process termination? But no major problem, Sandboxie is allways getting better, it wasn't long ago we got an update with a rule Restrictions "Start Run access" which was excelent.
    Perhaps later on there will be another new rule added in Restrictions called
    something like "Running apps cannot communicate or do code injection to apps running outside of the sandbox" ??
     
    Last edited: Feb 1, 2009
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Ilya,

    I was not aware that Windows Media Player could download/install something without a prompt.

    Can you provide the titles of those files, and the web sites where they were encountered? If the sites are still active, then just something that gives an idea as to what types of sites they are.

    thanks,

    ----
    rich
     
  10. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    There may well be a way to prevent WMP from downloading without a prompt, but I have frequently seen, when starting a media file that is connecting to the web to retrieve a codec to play the particular file if it does not already have that codec
     
  11. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Don't ask me for the details, but my Windows Media Player (latest version, version 11?) does not download/install anything without a prompt.

    I think it has something to do with configuring the WMP (lots of things can be customized, it's easy to get lost in that menu) and maybe improving all your IE 7 security settings to above average. I have increased the security settings of 'trusted zones' to the settings for the internet.

    Maybe outbound firewall control is also an issue ?

    Btw, I do NOT use Sandboxie.
     
    Last edited: Feb 1, 2009
  12. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I found this in the "Known Conflicts" section of Sandboxie's website:

    "With Sandboxie 3.28 and later, updates to Rising Anti-Virus may partially disable the protection of Sandboxie."


    Does anyone know what Rising Anti-Virus disables in Sandboxie's protection and how it is able to do so? I didn't find any further information on it at the Sandboxie site.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I believe you disable automatic downloading by un-checking the "download usage rights" box in the Options menu.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Isn't a codec an executable file? In that case, it can't download without permission, if you have good security.

    ----
    rich
     
    Last edited: Feb 1, 2009
  15. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    177
    It must be the following setting. I use the german version of Windows Media Player 11, but I think with the pictures you can easily find the setting in the english version too.*

    *) Edit:
    I found it in the meantime in English too:
    Tools ---> Options ---> Player ---> there you have to uncheck the box "Download codecs automatically"
     

    Attached Files:

    • WM2.jpg
      WM2.jpg
      File size:
      13.9 KB
      Views:
      604
    • WM3.jpg
      WM3.jpg
      File size:
      46.1 KB
      Views:
      626
    Last edited: Feb 2, 2009
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Peter, I find that Option in my WMPlayer also.

    Does anyone have a link to a file -- preferably a small file -- that requires a codec so I can watch it download?

    thanks,

    rich
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There is a malware ITW that modifies .mp3 into .wma, but I don't remember its name. I just know it's possible and no more. Sorry.
     
  18. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Last edited by a moderator: Feb 2, 2009
  19. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    http://www.kaspersky.com/news?id=207575664
     
  20. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Another "hole" for sandboxie would be if I set to view compressed files as folders in windows, set a specific folder as forced folder and place a zip file there. Doubleclicking on the zip file spawns an unsandboxed window of the zip file's contents and you can run the contents without Sandboxie's supervision.

    Minor annoyance for me and easily resolved by using an archive program to handle zip files instead of windows zip support :D
     
  21. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    If that were the case, then I wouldn't call that a "minor" annoyance. After all, the archive is outside of Sandboxie's control.

    I'd have to try this when I get home; I'd have to experience it myself before I fully believe it.
     
  22. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Please be so kind and tell us your findings... ATM I have very little time to play with my computer...
     
  23. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    I've got a quick question for you. When you said compressed files, did you mean NTFS compressed or an archive (ZIP, RAR, etc)?
     
  24. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    I meant ZIP file and was pertaining to windows' built in zip utility.
    For XP:
    1. Start > Run > regsvr32 %windir%\system32\zipfldr.dll

    2. Set a specific folder as Forced Folder in Sandboxie config.

    3. Zip a file (test.txt for instance), and place the ensuing zip file in the forced folder.

    4. Double click on the zip file. Double click on test.txt.

    Works only if there is no archive program such as 7zip or Izarc set to handle .zip files (edit:or if the archiver is not the default handler for *.zip)
     
    Last edited: Feb 2, 2009
  25. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    After performing the steps bman412 outlined, I can confirm bman412's findings. Other items that I copied into the forced folder ran inside Sandboxie (i.e. text document, executables, etc); the zip file wasn't sandboxed (using Vista's ZIP utility).

    Thanks for the heads up, bman412.
     
Loading...
Thread Status:
Not open for further replies.