Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

    I read back and re-found this question. I haven't used direct access myself. I always use quick recovery, and for Firefox I added its profile folder so that I can either delete everything or selectively save each setting (usually addon setting changes).
    About bookmarks, I use Firefox Sync so usually I don't care much, though of course if I delete the sandbox before the next sync after a bookmark was added, then I lose that bookmark.
    Anyway, quick recovery shows all changed files, so I can save a bookmark if I added one, but usually I don't.
     
  2. 142395

    142395 Guest

    From bo's post about SBIE 4.16.

    So it seems this is what Lumikai found and reported. Also,
    This would have a potential security impact. Maybe worth a bit of discussion, or a test.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I will do some testing with "direct access". Now that I think of it, my FF favorites became corrupted a couple of days ago and I could not restore them inside the sandbox; I'm not sure what caused it. But if I had used "direct access", then I would have had problems on my real system. Now it was simply a case of cleaning the sandbox and restoring the backup file.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    About 1, do you have any idea what this "CreateHardLink API" flaw was about? Was it a serious risk?

    About 2, I sometimes saw this, I think you could disable this with some IE setting.
     
  5. Lumikai

    Lumikai Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    8
    Hi Rasheed,

    As 4.16 is now out; the following report should answer your questions:
    Slightly edited for clarity.
    ---------------------------------
    [Snip]

    It's possible for applications running under Sandboxie 4.14 (the only version I've tested) to bypass Sandboxie's protection and save files outside the sandbox.

    The bypass is possible because Sandboxie fails to prevent applications from creating hard links in Windows: https://msdn.microsoft.com/en-gb/library/windows/desktop/aa365006(v=vs.85).aspx

    As an example try the following:

    • Create a file within a sandbox (eg: "C:\Sandbox\user\Box\etc\testfile.txt")
    • Run cmd.exe in the sandbox with administrator privileges and type the following:

    fsutil hardlink create "c:\testfile.txt" "C:\Sandbox\user\Box\etc\testfile.txt"

    As you'll find, during the hard link creation a copy of the sandboxed file will be created in C:\ outside of Sandboxie's control. Executable files are just as easily copied.

    It appears this bypass doesn't actually need administrator privileges to succeed, but Windows NTFS permissions are still respected, so without admin privileges sandboxed apps can only create hard links in folders which allow write access for "Everyone" or "Authenticated Users" etc. If you want to try without admin privileges you can use the mklink utility in Windows:

    mklink /H Link Target

    As hard links can only be created within the same volume, people who save their sandbox on the same partition as their Windows or program installation are at greater risk. It's worth pointing out, however, that even without being on the same partition it's still possible for a sandboxed file to create a hard link between two locations on a different partition, just not a link from one partition to another.

    Finally, you can view the following unlisted YouTube video which demonstrates the bypass. The app in this video creates a text file in the sandbox, requests admin access, then runs the fsutil program to create a copy of the sandboxed text file in the all-users Startup folder. After clearing the sandbox and restarting Windows you can see the copied file runs on login.

    [Snip]

    ---------------------------------

    Hope that clears things up.
     
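    A defender-side check for the class of escape described in the report above, added here as an example; it is not the report's code and not part of Sandboxie. A hard link is a second name for the same file, so a sandboxed file that has gained a name in a watched folder (the Startup folder in the report) shares its link count and (device, inode) identity with that outside name; `os.stat` exposes both on NTFS and on POSIX filesystems. The directory layout in `demo()` is constructed and lives in a temporary folder.

```python
"""Added example: detect sandboxed files that also carry a name outside the
sandbox (a hard link); uses os.stat link count and (device, inode) identity."""
import os
import tempfile
from pathlib import Path


def _identity(path):
    st = path.stat()
    return (st.st_dev, st.st_ino), st.st_nlink


def multilinked_files(sandbox_root):
    """Regular files under sandbox_root that have more than one name."""
    hits = []
    for dirpath, _dirs, files in os.walk(sandbox_root):
        for name in files:
            p = Path(dirpath) / name
            # a symlink is its own file, not an extra name for this one
            if not p.is_symlink() and _identity(p)[1] > 1:
                hits.append(p)
    return hits


def escaped_links(sandbox_root, watched_dirs):
    """(sandboxed file, outside file) pairs that are one and the same file."""
    inside = {}
    for p in multilinked_files(sandbox_root):
        inside.setdefault(_identity(p)[0], []).append(p)
    pairs = []
    for watched in watched_dirs:
        for dirpath, _dirs, files in os.walk(watched):
            for name in files:
                q = Path(dirpath) / name
                if not q.is_symlink():
                    for p in inside.get(_identity(q)[0], []):
                        pairs.append((p, q))
    return pairs


def demo():
    """Constructed layout: one sandboxed file linked into 'Startup', one not."""
    root = Path(tempfile.mkdtemp())
    box, startup = root / "Sandbox" / "user" / "Box" / "etc", root / "Startup"
    box.mkdir(parents=True)
    startup.mkdir()
    (box / "testfile.txt").write_text("sandboxed content")
    (box / "harmless.txt").write_text("stays inside")
    os.link(box / "testfile.txt", startup / "testfile.txt")  # same volume
    return escaped_links(root / "Sandbox", [startup])
```

    Pointing `escaped_links` at the real container folder and the auto-start locations you care about (Startup folders, for instance) flags any sandboxed file that would survive deleting the sandbox.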
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    In this particular test you would have to permit command prompt Start/Run Access in Sandboxie.
    If allowed to run (cmd.exe) then you would be prompted again to permit fsutil.exe
    Start/Run Access in Sandboxie.

    Message: The FSUTIL utility requires you to have admin privileges. Sandboxie setting can be
    checked with "Drop Rights" restriction.

    Result: Although not tested in Sandboxie 4.14 this particular test would most likely fail
    by not allowing these executables to run in the first place and/or restricting sandbox.
     
  7. Lumikai

    Lumikai Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    8
    Fsutil was used as an example because it's preinstalled on most Windows systems, so it is easy to test with. The weakness was with the CreateHardLink API, not fsutil. You don't need to run cmd or fsutil to call the CreateHardLink API.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the feedback. I'm not sure if I understood it correctly, but from what I've read, I get a feeling that it's something that shouldn't have been missed by the developers. So it's a bit disappointing, but these things can happen. But anyway, nice find and you did a good job.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Just repeating your example test "as written" would fail to create a file outside of the sandbox, even when allowing
    admin privileges and cmd & fsutil to run, and regardless of whether CreateHardLink was called.

    Please submit a test or link that would call CreateHardLink() and (I can't see the YouTube video) would create a
    file in C:\ outside the sandbox. Thank you.
     
  10. Lumikai

    Lumikai Registered Member

    Joined:
    Jan 5, 2015
    Posts:
    8
    Sorry KeyPer, I've re-read your post a few times but I'm not following you entirely. The issue has been confirmed and fixed by Invincea. If you're trying to replicate it in 4.14, just make sure you're not trying to create hard links across physical/logical volumes. I was running Win7 x64 with a default Sandboxie install.

    YouTube links are against Wilders Security posting rules, unfortunately.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes, thanks. The CreateHardLink API is now blocked in Sandboxie 4.16. Version 4.14 was used, but I don't leave
    any sandboxes on default settings. I did change some settings during testing, as in this case, but
    left some Read-Only and Blocked Access settings in place while allowing cmd and fsutil to run. I didn't create
    hard links across physical volumes, and the Sandboxie container folder is on the same drive. All I come up with is an
    error: "Incorrect Function" in the command prompt.
     
  12. 142395

    142395 Guest

    Just as its name shows. If you're not familiar with links: briefly, a hard link is two names and paths for one particular file. Unlike other link formats like symbolic links or junctions, they are equal; neither has an advantage over the other, and there is no "which one is the real file" distinction. Also, creating a hard link doesn't require admin privileges, as Lumikai explained (a symbolic link does).

    I guess the security impact would be medium to high as it can be abused in many ways; putting an executable in the Startup folder is one, but there would be other ways, like putting a malicious HTML file in the browser cache. Exploitability would be high as it doesn't require special configuration or special skills to perform. An adversary can call CreateHardLink from a compromised browser, for example. But as a user, it's not so much of a danger unless SBIE becomes much more popular, as the attacker has to know the victim is using SBIE before launching this attack.

    Anyway, those things occur in any program. Chrome and anti-exploit programs cannot be exceptions.
    I'm not sure what setting you refer to, but probably you shouldn't disable it. The reason I said it has a security impact is that it means your SBIEd browser can't check server cert revocation (maybe not always, but in certain conditions?). So the user cannot notice fraudulent or malicious sites which use a compromised and revoked cert. A potentially great risk IMO.
     
  13. 142395

    142395 Guest

    Well, just make a new sandbox with default settings, and delete it after the test is finished. There should be no trace.
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    That I could, but I prefer testing Sandboxie with pre-configured settings instead of default. I want more control,
    and why not use what the app is capable of instead of limiting/reducing its effectiveness? I do the same for
    other privacy/security software as well.
     
  15. 142395

    142395 Guest

    I can relate to it; I also never use products with default settings. But for testing, using the default settings first would be one idea. By doing this you can/may find what setting change can block them, etc., and you can share results with others.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    So what are you saying, do you think that with a hardened sandbox this flaw would be mitigated?
     
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    The security issue was fixed in version 4.16. I tested on 4.14 (now on 4.16) with some
    Sandboxie settings changed from default. I always recommend changing the default settings.
    Haven't heard back from Lumikai about my results. Normally in my testing, if I allow cmd.exe
    to run (blocked in the sandbox) then I'll get some indication the test has failed. In this particular
    test (CreateHardLink) an error occurred and I didn't see any indication of a file written out of
    the sandbox onto C:\, so I'm assuming the test failed. Remember though, the sandbox, as you say,
    was "hardened". Default sandbox settings were not tested on version 4.14.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Perhaps you can post your findings on the SBIE forum; it would be interesting to know if hardening the sandbox would have really helped in this case.
     
  19. 142395

    142395 Guest

    I tested the vuln Lumikai found in v4.14, and confirmed it can create a file in the real environment even with restricted sandbox settings.
    I.e. Drop My Rights, Start/Run for only notepad.exe and cmd.exe (as already mentioned, it's just for convenience and not essential) and, just in case, all internet connections forbidden.

    Just as a note, in Lumikai's #1008 you have to substitute the actual paths for "Link" and "Target" (maybe needless to say).

    Though the bug is already fixed, I'm considering adding Read-Only for all vital locations like the Startup folder and all other auto-start registry keys.
     
  20. 142395

    142395 Guest

    Another SBIE user in a forum also confirmed the SBIE bypass, but they say it doesn't work on 3.76 (and of course 4.16).
     
  21. icestorm82

    icestorm82 Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    5
    Hi folks,

    I just noticed that opening Chrome with Sandboxie doesn't mean that the Windows DNS cache will be sandboxed too. Why doesn't this happen? I'm expecting that all information related to that browser session will disappear with the sandbox! Can this be considered a sort of vulnerability?

    Thank you all!
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
  23. icestorm82

    icestorm82 Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    5
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    The link doesn't mention the DNS cache explicitly, but that is done by Windows itself. These two paragraphs from the link answer your question. The second paragraph sounds like it was written for you. :)

    "Sandboxie puts a great deal of effort into containing the actions taken by the program it supervises, however Sandboxie makes no effort at all to prevent your own Windows operating system from keeping records of what you do in your computer.

    One who makes the incorrect assumption of extreme concern for privacy on the part of Sandboxie might be surprised to find several kinds of traces and logs in Windows that record which programs have been running, even inside the sandbox."

    Bo
     
  25. icestorm82

    icestorm82 Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    5
    Ok! Clear! The really important thing at the end of the story is that all modifications are made by Windows rather than by the application that runs in SB.
     