Sandboxie about to be bypassed?


Post by ssj100 on 6/7/2010, 18:50

http://www.wilderssecurity.com/showpost.php?p=1707945&postcount=77

Finally some negative energy regarding Sandboxie at that forum! His comments confuse me though. I suspect this part of the post is talking about malware that is aware of Sandboxie and therefore will be hidden when executed sandboxed:

There are two ways I know to defeat it without even looking into it much; many, many more methods probably exist.

1. LoadLibraryA method of detection to conceal payload
2. Thread interlock method supplemented with detours to overwrite its injection from the PE. From here you can fool its driver and write outside its emulated environment.

These people who code rootkits aren't exactly the idiots the Sandboxie community takes them for. It's not publicly exploited because not enough people use it yet, not because there isn't a way or because anyone lacks the skills. There are noob-level VB and Delphi malwares using the LoadLibraryA method currently, and there have been for a while.

This is nothing new. Even full blown Virtual Machines are being "exploited" in this way. However, they are NOT bypassed and this is an important difference.

Then he goes on to write:

When industrial kit authors take notice they will most likely do a generic method to hijack the driver and overwrite the DLL injections, or disable the user32.dll method it uses.

Presumably, he is now talking about Sandboxie being genuinely bypassed. However, his comment is heavy with possibilities and not hard fact. Also keep in mind that Sandboxie is being continually developed. If a bypass should get out, you can count on tzuk to patch it fast. The same can be said of e.g. a kernel mode buffer overflow Windows exploit - you'd hope Microsoft would patch it fast (since there's nothing anyone else can directly do about this haha).

Furthermore, he appears to be talking about hijacking drivers and modifying DLL files. Happily, even if (big IF) this should happen, I would presume that anyone running as a limited user would be protected against this. Also don't forget about Sandboxie's other mechanisms of protection which would also block these attacks easily - "anti-execution" and "Drop Rights".

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by tnegjm on 6/7/2010, 21:57

Over the last year I have been installing/running programs (portable if I can find it) I need in a sandbox, inside a VM, which is sandboxed from my real system. I want to keep my daily O/S as clean as possible and limit newly introduced software on it. I figure if the malware writers add anti sandbox/VM code then it pretty much stops itself. If they try to execute their payload or break out of containment then hopefully I've put enough roadblocks in place to limit them and still protect my host O/S until the exploits are patched.


Post by ssj100 on 7/7/2010, 00:36

Yes, I think malware writers would have their work cut out to bypass a sandboxed VM haha.

By the way, he quotes tzuk as saying this:
Thanks for link. Seems IceSword does get to do what it wants.. I will check it out.

Then goes on to say:
He confesses after he and his community members flamed a lot of respected people at sysinternals for pointing it out..

This doesn't make sense to me at all, given tzuk "confessed" nothing and I could find no evidence of flame from the thread(s) he quoted tzuk:
http://www.wilderssecurity.com/showthread.php?t=104981
http://sandboxie.com/phpbb/viewtopic.php?p=719#719

Furthermore, the creator of the thread (and basically everyone who thought Sandboxie was bypassed) admits that he was wrong haha:
http://www.wilderssecurity.com/showpost.php?p=674693&postcount=29

I mistakenly thought I had found a Sandboxie security flaw at first, but this was not the case: Sandboxie DOES block IceSword from running in kernel level...

By the way, check out what Ilya says in that thread:
http://www.wilderssecurity.com/showpost.php?p=599125&postcount=6

As I already mentioned, Sandboxie has a very low protection level. You should use another sandbox protection (DefenseWall, BufferZone).

I don't know exactly how strong Sandboxie was back in 2005, but this is a bit of a cheap shot regardless haha. The fact is that he takes a shot at Sandboxie (and clearly hasn't tested that apparent bypass himself, because if he did, he would have discovered there was no bypass!).

Anyway, seems Buster is on to it. The problem is that anyone can post "it's easy to bypass this" but if they aren't willing to release their POC, they simply cannot prove anything. Also, I've been told by reliable Chinese hacker sources that Sandboxie can generally only be bypassed if a flaw is initially found in some specific part of the Windows OS.

By the way, the same guy is now saying this, which clearly doesn't sound consistent with my source (or at least he makes it sound much simpler than it is):
http://www.wilderssecurity.com/showpost.php?p=1708125&postcount=82

The entire system is based entirely around the following binaries, SbieDll.dll alone reveals how the entire engine works. SbieDrv.sys is only for security, but once you have control over the dll you can issue new tokens and your process can write outside. The service only injects the dll as a thread into sandboxed processes and hooks stuff it finds in the IAT.

SbieSvc.exe
SbieDll.dll
SbieDrv.sys

Sandboxie can be bypassed by kernel mode buffer overflow exploits (tzuk clearly implied this, as he said no security software can specifically protect you from this), but no one goes round implying that it's easy to find kernel mode buffer overflow exploits and that we're not seeing them right now because no one cares enough to create such a malware etc. The thing is that if malware writers care enough to make their malware "undetected" when run in Sandboxie, they should also care enough to code their malware to break out of the sandbox. Why aren't we seeing this?

As Buster says:
I think we don't see it because it's not possible.

Unfortunately, I would not be surprised to see Buster getting banned for his other comments:

Sorry but I consider you are not going to write anything because you don't know how to do it. You only know to blah blah blah this and blah blah blah that.

Write a POC that writes out of the sandbox or shut up.

I remember that not long ago I found someone writing a blog that promised to write the same POC. I added a comment telling him to hurry up and show it. After two weeks the blog was removed.

I guess now you will make excuses not to write the POC. Ok, that's fair but for me you are a ... whatever, that's an opinion I'll keep for myself.


Post by tnegjm on 7/7/2010, 01:52

I'm sure Buster's welcome on this forum though.


Post by Rico on 7/7/2010, 02:24

My theory is that xorrior is currently a member of a hacker forum project directed against Sandboxie and is flaunting his skill or know-how about potential ways to hack it. The reason he won't disclose any real info is now apparent in this case: whoever gets his exploit out there first will auction it off to black-market exploit high rollers. ssj, the only way to verify if this info is likely is by referring to some of your knowledgeable friends about this. Give him the posted info and ask him if he can create a POC to verify this. It may be the only way to verify if this is true or just some script kiddies blowing smoke.

PS the Chinese are so darn good at hacking, it's frickin' scary.


Post by ssj100 on 7/7/2010, 02:35

Rico wrote: My theory is that xorrior is currently a member of a hacker forum project directed against Sandboxie and is flaunting his skill or know-how about potential ways to hack it. The reason he won't disclose any real info is now apparent in this case: whoever gets his exploit out there first will auction it off to black-market exploit high rollers. ssj, the only way to verify if this info is likely is by referring to some of your knowledgeable friends about this. Give him the posted info and ask him if he can create a POC to verify this. It may be the only way to verify if this is true or just some script kiddies blowing smoke.

PS the Chinese are so darn good at hacking, it's frickin' scary.

Who knows mate. And I'll ask around haha.


Post by ssj100 on 7/7/2010, 23:43

Well that's just sad and embarrassing - xorrior has run off. Furthermore, tzuk has revealed that xorrior didn't even know how Sandboxie works haha. Maybe he's a DefenseWall promoter hired by Ilya to diminish Sandboxie's name. Sorry, couldn't help it haha. But after all the negative energy from Ilya, I wouldn't be surprised:

http://www.sandboxie.com/phpbb/viewtopic.php?t=7538
http://www.wilderssecurity.com/showpost.php?p=599125&postcount=6


Post by ssj100 on 10/7/2010, 01:43

Yet another talked about bypass (and it's relatively easy to create too haha):
http://www.wilderssecurity.com/showpost.php?p=1704142&postcount=17
http://www.wilderssecurity.com/showpost.php?p=1709792&postcount=39
http://www.sandboxie.com/phpbb/viewtopic.php?t=8398

Even if this was true, my recommendation to combine anti-execution (eg. SRP) as well as containment (Sandboxie configured well on threat-gates) remains relatively bullet-proof!


Post by ssj100 on 11/7/2010, 01:25

tzuk admits that Sandboxie is very likely vulnerable to this:
http://www.sandboxie.com/phpbb/viewtopic.php?p=55014#55014

Proof in the form of code is not necessary in this case. I am sure vlk is right. Sandboxie does not filter network traffic. So vlk is saying that a malicious program could use TCP/IP to connect to port 445 of the local machine and use SMB (Windows file sharing) commands to read or write files.

I will need to do something about this at some point.


Post by Guest on 11/7/2010, 02:23

There seems to be a "concerted" effort by some group at this time to attack Sandboxie, not just by threat of a bypass but a badmouth campaign, registration flood attack, forum attack. What is the context of it? Is it that tzuk has engaged with taking Sandboxie into the Windows 7 64-bit environment and it has nobbled some plans that the malware heads had? Why the attack now and with such venom? You do not often see this sort of "challenge"; these guys do not usually "raise their heads above the parapet". Something has irked or "rubbed them up the wrong way". I find it very intriguing. But as someone said, "empty vessels make the loudest sound". It could be that they know they will be "countered" by tzuk at every twist and turn, that he is very active, smart and "on the case" and they won't easily slip by him and have their way. He tends to respond to important issues within hours and maybe that unnerves them?


Post by ssj100 on 11/7/2010, 07:27

Yes, it does seem a bit coincidental that all this should be taking place over a very short period of time.

Regardless, I will post soon about what I think can be done to close this bypass without tzuk having to lift a finger - not only would it close this bypass, but it would make your system much safer in general.


Post by noorismail on 11/7/2010, 07:36

Patrick said: "I find it very intriguing."

I also, and a little scary as well.

It is the lack of answers, and the multitude of questions, that I find scary.

I lack the knowledge to differentiate between an attack perpetrated by a group of kids giggling over a PC and a bottle of Yago, and a serious, hard-core attack.
But I know this.

Sandboxie, here, is the common denominator that most of us have.

It is fundamental to many of our security setups, and its consistent presence influences the core of most of our security approaches.

Maybe the clue lies in the multitude of "sandboxes" that proliferate now.


Post by ssj100 on 11/7/2010, 07:46

noorismail wrote: Maybe the clue lies in the multitude of "sandboxes" that proliferate now.

Yes, malware writers will be increasingly aware that more and more people use "sandboxing" technology. However, currently, there's only this one "bypass" which sounds like it could be easily blocked by merely running a firewall. I also think that Sandboxie's internet access restrictions would block this "bypass", but I'm not sure (note how I asked tzuk this on his forum).

In a few hours or a day (sorry, I've got other things to do at the moment haha), I will post a guide on what I think needs to be done to block this "bypass" by just tweaking Windows a bit (and therefore avoid the need to use and configure a firewall). However, I'll still have to wait on tzuk's reply to ensure these tweaks will block the "bypass".


Post by noorismail on 11/7/2010, 12:04

Thanks ssj.
I for one do not want to ignore this, nor do I want to run a third-party firewall.

Now, a Windows tweak, no problem!!

noor

_________________
ShadowDefender 1.1.0.323, Sandboxie 3.49, NAT router.
OpenDNS with "Malware/Botnet Protection",
MalwareDefender, Malwarebytes on demand.
Re: Sandboxie about to be bypassed?

Post by ssj100 on 17/8/2010, 10:53

Just an update on one of the proposed theoretical bypasses of Sandboxie:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57335#57335

Regardless of anything, tzuk offers a good workaround:
For those still concerned, here's a good workaround. Go to Control Panel > Administrator Tools > Services, and set the SERVER service to stopped/disabled

This is a service I will be disabling (and I'm sure many people have already done it anyway), as I am not connected to a network (nor do I ever intend to be). File transfer has become so much easier these days with mass USB storage devices etc. There is no need at all for file sharing over the home network...not for me anyway. For me, this is just one more service that I never needed (and never got round to disabling).


Post by Guest on 21/8/2010, 03:46

Windows 2000 users please read
I use Windows 2000 and I disabled the Server service on two of my PCs (as tzuk mentions below) but this has had an undesired effect.
When I next plugged my digital camera into the USB port it was not recognised and was found as just "USB device".
The same thing happened with my flash drive; I could not access it either.
I didn't know what was wrong; at first I thought that drivers had corrupted on both PCs, but when I turned the Server service back to Automatic and restarted the services, my camera and flash drive were found again as normal but required a reboot to fully function. I don't know if this will be true for all users or for which other operating systems, but I thought I'd just mention it.


ssj100 wrote:
tzuk wrote:* For those still concerned, here's a good workaround. Go to Control Panel > Administrator Tools > Services, and set the SERVER service to stopped/disabled.

Wouldn't another workaround be to disable Ports 137, 138, 139, and 445? I delved into it here:
http://ssj100.fullsubject.com/windows-hardening-f5/how-to-disable-ports-135-137-139-445-windows-xp-t181.htm

tzuk wrote:* I did however add a very simplistic form of port filtering and Sandboxie will discard activity on the file sharing ports 137, 138, 139 and 445. This is far from an "air tight" firewall, but it makes an unlikely scenario just a bit more difficult to exploit.

* These are implemented as a new BlockPort setting. In case someone finds use for this for something other than blocking the ports I mentioned above, the setting is there and can be used. This will be available as part of version 3.49.02.

I'm guessing that if one already had a Sandboxie.ini file which they always use to over-write the original, they would have to add this new BlockPort setting in each sandbox? Also, will this BlockPort setting be enabled by default?

ssj100 wrote:Just an update on one of the proposed theoretical bypasses of Sandboxie:
http://www.sandboxie.com/phpbb/viewtopic.php?p=57335#57335

Regardless of anything, tzuk offers a good workaround:
For those still concerned, here's a good workaround. Go to Control Panel > Administrator Tools > Services, and set the SERVER service to stopped/disabled

This is a service I will be disabling (and I'm sure many people have already done it anyway), as I am not connected to a network (nor do I ever intend to be). File transfer has become so much easier these days with mass USB storage devices etc. There is no need at all for file sharing over the home network...not for me anyway. For me, this is just one more service that I never needed (and never got round to disabling).

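The SMB loopback bypass tzuk describes earlier in the thread (a sandboxed program connecting to port 445 of the local machine and issuing file-sharing commands), his later workaround of disabling the Server service, and the Windows 2000 report above all come down to one question a defender can check directly: can a local process still reach Windows file sharing on this host? The PowerShell script below, added here as an example and not code from this thread, from tzuk or from Sandboxie, answers that. It assumes Windows PowerShell 2.0 or later on a Windows host, relies on the fact that the service shown as "Server" in the Services console has the service name LanmanServer, parses netstat rather than using newer cmdlets so it also works on XP-era systems, and only reports; the mitigation is left commented out. It says nothing about Sandboxie's own BlockPort setting, which the thread only names.

```powershell
# Added example (not from this thread or from Sandboxie): audit whether the SMB
# attack surface discussed above is exposed on this host, i.e. whether a process
# can reach Windows file sharing over loopback (TCP 139/445) and whether the
# Server service (service name LanmanServer) is still running.
# Assumes Windows PowerShell 2.0 or later. Reports only; changes nothing.

$TcpSharePorts = 139, 445      # NetBIOS session / direct-hosted SMB
$UdpSharePorts = 137, 138      # NetBIOS name / datagram (listed, not probed)

function Test-LoopbackTcpPort {
    param([int]$Port, [int]$TimeoutMs = 1000)
    # A plain TCP connect to 127.0.0.1 is exactly what tzuk describes a sandboxed
    # program doing; if it succeeds, SMB commands could follow on that socket.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect('127.0.0.1', $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ServerServiceState {
    # Win32_Service carries the startup type (Auto/Manual/Disabled) as well as
    # the running state, so one query covers both things tzuk's workaround changes.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    if ($null -eq $svc) { return 'not installed' }
    return ('{0}, startup={1}' -f $svc.State, $svc.StartMode)
}

function Get-ListeningSharePorts {
    # netstat output is parsed instead of Get-NetTCPConnection so the check also
    # runs on the XP-era systems this thread is about. Each line looks like:
    #   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
    #   UDP    0.0.0.0:137    *:*          4
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        $fields = $line -split '\s+' | Where-Object { $_ }
        $proto  = $fields[0]
        $port   = [int]($fields[1] -replace '^.*:(\d+)$', '$1')   # also handles [::]:445
        $tcpHit = ($proto -eq 'TCP' -and $fields[3] -eq 'LISTENING' -and $TcpSharePorts -contains $port)
        $udpHit = ($proto -eq 'UDP' -and $UdpSharePorts -contains $port)
        if ($tcpHit -or $udpHit) {
            New-Object PSObject -Property @{ Protocol = $proto; Port = $port; Local = $fields[1] }
        }
    }
}

Write-Output ("Server service (LanmanServer): {0}" -f (Get-ServerServiceState))
Write-Output "File-sharing sockets bound on this host:"
Get-ListeningSharePorts | Format-Table Protocol, Port, Local -AutoSize
foreach ($p in $TcpSharePorts) {
    $open = Test-LoopbackTcpPort -Port $p
    Write-Output ("  127.0.0.1:{0} reachable from a local process: {1}" -f $p, $open)
}

# Mitigation from the thread (tzuk's workaround), deliberately left commented out:
# the Windows 2000 report above shows that stopping the Server service can have
# side effects on some systems, so decide per machine before running these lines.
# Stop-Service -Name LanmanServer
# Set-Service  -Name LanmanServer -StartupType Disabled
```

Run it from an elevated prompt so netstat can show owning process ids; a host where the service reports "Stopped, startup=Disabled" and both loopback probes return False has closed the path vlk described, independently of anything Sandboxie filters. On a machine that still needs the Server service for a LAN share, a host firewall rule blocking inbound 137-139/445 from 127.0.0.1 is the alternative the thread hints at, and Sandboxie's BlockPort setting is a third option whose exact syntax is not shown on this page.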