What kind of attack can bypass Sandboxie?

Discussion in 'other anti-malware software' started by Gobbler, Jun 29, 2012.

Thread Status:
Not open for further replies.
  1. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    The title says it all.
     
    Last edited: Jun 29, 2012
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I'll take the honors of being the first to respond again, though I'm well aware that I do NOT have the honors of giving the most accurate answer as is proven by my evolving viewpoint as seen in the "what can bypass anti-EXEs" thread.

    That being said, I've always, *always* been a strong advocate for a layered approach. I've also always been a strong advocate of Sandboxie since like early 2010. I considered Software Restriction Policy as the best single layer any intermediate+ user could add since it's built into Windows...again, obviously my viewpoint has evolved.

    The key difference is that the concept of sandboxing is fundamentally different - yes, it is another white-list based measure, but unlike anti-execution, it doesn't focus on disallowing anything...rather, it *contains* EVERYTHING. In that regard, it provides 100% protection from malicious content itself, be that exploits, trojans, spyware, whatever.

    From the previous thread, I laid this out:


    The only somewhat reliable...or viable (I'd go as far as to say only possible) ways to circumvent Sandboxie (bypass, avoid, whatever) at all are:

    1. Social engineering: Trick somebody into recovering something to the hard drive.

    2. Anticipating weakened protection: Hoping the person you're attacking/exploiting has manually deviated from defaults for the worse and allowed certain behaviors outside sandboxes for convenience. Or, hoping a 64 bit user didn't enable Experimental Protection and having the expertise to make use of these trade-offs for an attack advantage.

    3. Finding a bug in Sandboxie that allows for breaking out of containment: Doing so would be a high cost as far as I can tell, take a considerably large amount of time and effort, and it can be patched by the very proactive development of Sandboxie thanks to Mr. Ronen Tzur. In reality you have the same likelihood as finding a bug in a massively popular AV program so go do that where you can get more people exploited for your efforts.

    I'll add to that list here because I forgot one...

    4. Non-computing events that ruin your set-up such as burglary, warfare, and natural disasters that destroy not only your security set-up but your entire computer, home, and possibly you.

    There's no such thing as true 100% protection, but Sandboxie and related technologies like VMs come seriously as close as you're gonna get.

    I'm sure somebody will respond with a differing opinion that most likely will prove absolutely nothing since there actually being any testable logic, proof-of-concept, and/or malware in-the-wild able to actually verify whatever *they* claim is extremely unlikely. Heck...there's NOTHING to verify what I already claimed (other than tornadoes being scientifically real, and social engineering continually being proven to work,) but I guess we'll see...

    ...I suppose my views can continue to "evolve" as they did in the previous thread!

    *bites nails anxiously awaiting incoming F.U.D.* :)
     
    Last edited: Jun 29, 2012
  3. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Thanks for your views but again, I will not take the opinion of a person seriously who thinks that Sandboxie can protect from an XSS attack.


    I didn't ask whether Sandboxie can protect against all types of attacks, but what types of attack can bypass it.
     
  4. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    All cross-scripting does is exploit code between mal-web pages and browser exploits and they can be prevented with a few measures including even NoScript.
    Because the end goal is not to damage the OS but rather to redirect a user to a malicious page, this attack in my viewpoint falls under social engineering rather than a true bypass/circumvention/[insert favorite term here]. Learn how to identify a fake/mal website or get WOT.
    If you're concerned about a legitimate website being compromised which DOES happen, there's not really much anything can do about that in terms of if you get fooled and give your personal info to that site. BUT, of course, if that now mal-site tries to exploit anything on your PC, it will be unsuccessful.

    And I must say I don't appreciate your tone...
     
    Last edited: Jun 29, 2012
  5. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    I apologize if somehow I hurt your sentiments but it is common sense that Sandboxie just cannot stop something like a session cookie from being stolen simply by design, but something like NS can save you if a sensitive (financial/social networking) site has been compromised.
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    You didn't hurt my sentiments...your tone just frankly ~ Snipped as per TOS ~ because I believe no good can come from that kind of etiquette.

    That being said, you are absolutely correct. It's very early, I'm not sleeping well, please forgive me everyone but on my list I forgot:

    #5. Any exploit that deals with information stealing such as a keylogger that gets installed inside the sandbox, any attack capable of harvesting information already loaded inside the sandbox.

    #6. Any attack not centered on the client but rather the server aka the website being visited.

    This is why you clean it out and load a fresh sandbox before putting in browser master passwords (like in FFox) and before doing banking work.

    Again, sorry, been a long day/night I wasn't thinking straight. I promise I'm not an idiot.

    I sincerely hope you can take my opinions more seriously now.
     
    Last edited by a moderator: Jun 29, 2012
  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    I didn't say I didn't try to hurt, but your tone too was also not very pleasing in your very first post when you said things like warfare, burglary etc. It also sounded very sarcastic, but coming back to the point:
    Again, whatever the reason may be, Sandboxie failed to protect me against an attack but NS would protect me in such a situation, which, like SB, is locally installed software.
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I apologize if that felt negative or sarcastic which was not at all my intent - I was being serious (or at least attempting to). I do consider (and I think others do too) non-software/hardware related damage and this is why some people have an off-site backup location like a safe or bank.

    As for issues SBIE can't protect against, has anyone ever tried the following strategy, which is definitely unconventional and inconvenient, but definitely intriguing:

    Disclaimer: It really can guarantee nothing since legitimate websites are routinely compromised, but...

    1. Always sandbox browsing.
    2. Have one non-admin account for personalized browsing when you need to log into something
    3. Make another non-admin account with a new, clean browser profile with no logins saved ever for general browsing.
     
  9. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    Natural disasters can apply to safes and banks as well lol but I am glad we made it up between the two of us without stretching it any further :)
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    That's true :)
     
  11. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    nice topic.:thumb:

    Imagine this: we open MS Word inside the sandbox, write something and then save the .rtf file somewhere, and then we open explorer.exe (outside Sandboxie) and copy that .rtf file to another place.

    what's the result.:rolleyes:
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    STV's already broadly mentioned most avenues. Some things Sandboxie has nothing to do with e.g. what happens within the Sandbox, particularly within the browser itself. Other things depend on the rules of that sandbox, and what access restrictions have been lifted for convenience. The rest is just the theoretical chance of an exploit.

    A file infector like Ramnit wouldn't be good if there is write access to the hard drive.

    I've wondered if Firefox's bookmarks.html would have been at risk to this, but not looked into it properly.
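    Item 2 in STV0726's list and RJK3's point about "what access restrictions have been lifted for convenience" both concern configuration rather than a flaw in the design. The following is an added example, not code from this thread or from Sandboxie itself, that audits a Sandboxie.ini for such loosened settings; the key names checked are real Sandboxie.ini settings, while the sample config is constructed for the example.

```python
from collections import defaultdict

# Keys that give sandboxed programs direct access to the real file system,
# registry, named pipes or IPC objects (all real Sandboxie.ini settings).
OPEN_KEYS = ("OpenFilePath", "OpenKeyPath", "OpenPipePath", "OpenIpcPath")

# Constructed sample: one box left at defaults, one loosened for convenience.
SAMPLE_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%
[DefaultBox]
Enabled=y
DropAdminRights=y
[Convenience]
Enabled=y
OpenFilePath=C:\\Users\\%USER%\\Downloads
OpenFilePath=D:\\Shared
OpenKeyPath=HKEY_CURRENT_USER\\Software\\Example
AutoRecover=y
"""

def parse_ini(text):
    """Parse Sandboxie.ini by hand: configparser would drop repeated keys."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return (box, finding) pairs for every sandbox defined in the ini."""
    findings = []
    for box, items in parse_ini(text).items():
        if box == "GlobalSettings":
            continue
        settings = dict(items)  # last value wins for non-repeating keys
        for key, value in items:
            if key in OPEN_KEYS:
                findings.append((box, f"{key}={value} bypasses containment"))
        if settings.get("DropAdminRights", "n") != "y":
            findings.append((box, "DropAdminRights not set: programs keep the user's rights"))
        if settings.get("AutoRecover", "n") == "y":
            findings.append((box, "AutoRecover=y: recovery prompts invite copying files out"))
    return findings
```

    Run `audit()` over the contents of the real Sandboxie.ini to list, per box, every setting that lets sandboxed code reach the real system.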
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Without experimental protection it's possible to do by gaining higher rights than sandboxie. With experimental protection you would likely need a bug - there isn't a hole in the idea itself.
     
  14. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    :thumb:
     
  15. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Google Chrome sandbox is not 100% safe, they always find ways to circumvent the code, Sandboxie is not very popular, so you don't see many direct attacks against it...
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Probably a targeted attack against Sandboxie or a bug found in it. There were such bugs in Sandboxie discovered in the past and has been fixed by Tzur. Check the Sandboxie forums..
     
  17. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Various UNIX and LINUX dd, cp, chmod, chroot pkg, installpkg commands + some code can wipe Sandboxie and the drive. But I don't think malicious code writers are that motivated w.r.t. Sandboxie. And I was just inspired to respond by the very title of the topic alone. Being perpetually lazy and more vivified than a hacker or bad coder, even a very old Sandboxie would suffice in protecting even a fairly risky user.

    Dave

    PS: DO REMEMBER THAT UNIX/LINUX OS'S ARE NOT THE ONLY OTHER PLATFORMS THAT CAN GO AFTER M$. LCF, ALGOL or even PROLOG or XLISP are out there invisibly, and can take out ANY M$ OS regardless of the security setup! Your prob of meeting these threats is infinitesimal.
     
  18. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I'm surprised no one has mentioned keyloggers yet, maybe I missed it. But Sandboxie is powerless against advanced keyloggers if I remember correctly.

    Edit- I see it has been mentioned above along with MITM attacks.
     
  19. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    In my experience, the result is quite satisfactory.

    Double-clicking the file in non-sandboxed instance of Windows Explorer results in the tainted file being opened by a sandboxed instance of its associated reader (MSWrite, MSWord, whatever).

    The above behavior is true when any file of any type ( not just *.rtf ) is loaded from a sandboxed path. To subvert this behavior, you could FIRST copy the file to a non-sandboxed path, THEN double-click that copy from a non-sandboxed instance of Windows Explorer. In that case though, protection hasn't "failed" ~~ you've chosen to subvert it.
     