Read-only permissions Bypassable?

Post by Rico on 2/2/2011, 07:21

I am asking this as a matter of curiosity because we keep hearing of privilege escalation exploits for LUA etc.
Is there any hypothetical technical possibility that having sandboxed C: as read-only could be bypassed? - this is different than LUA where it is "system-wide" in a sandboxed sense. I searched for file permission circumvention with few answers.


Re: Read-only permissions Bypassable?

Post by p2u on 2/2/2011, 08:44

Rico wrote: Is there any hypothetical technical possibility that having sandboxed C: as read-only could be bypassed?
Seems highly unlikely to me, although theoretically this is possible if you have incompatible software installed that hooks in the kernel and interferes with Sandboxie's workings.

Paul


Re: Read-only permissions Bypassable?

Post by ssj100 on 2/2/2011, 09:00

This is actually a really good question. I'm unsure whether Sandboxie's application of e.g. "read only" and "drop rights" is related to the Windows mechanism, in the sense that a Privilege Escalation Exploit would also bypass Sandboxie's mechanism. Might be a question to ask tzuk directly.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Read-only permissions Bypassable?

Post by ssj100 on 13/2/2011, 07:01

http://ssj100.fullsubject.com/t64-appguard#3172
Rico wrote: I know even if they write to memory they still have to install something to hook into the system, right? Or else the virus would be pointless unless it was a standalone exe keylogger.

Could you please see if there is anything left or installed to disk with the running of Steven Didier's & the other BO tests? Even if residing on disk? That's the last thing I'll ask, I promise. These tests show Sandboxie's capabilities and allow us to discover their full extent.

Thank you very much

Look at it this way. For example, if you set your browsing sandbox to have C:\ Read Only, then none of these exploits would work. Why? Because nothing new can be written to disk (so there's nothing to test).

I suppose we need an exploit which directly attacks IE (which would already be running in the restricted sandbox) and causes execution via for example a buffer overflow exploit. As far as I can tell, given that the exploit would have to work purely in memory, the only malicious action that can be performed would be data mining (e.g. keylogging). I'd be glad to test such an exploit if someone could PM me it!


Re: Read-only permissions Bypassable?

Post by Rico on 13/2/2011, 21:37

An exploit that I can think of is the EOT Font one discovered a few months ago where a malicious webpage triggered a direct exploit and BSOD at the winsys32 kernel driver. You can probably find it at the Metasploit testing kit. It works with IE only but make sure you use an unpatched copy of Windows in the VM.

As for the WMF exploit, I don't know if something like that would work under read-only condition.


Re: Read-only permissions Bypassable?

Post by ssj100 on 14/2/2011, 03:08

Rico wrote: An exploit that I can think of is the EOT Font one discovered a few months ago where a malicious webpage triggered a direct exploit and BSOD at the winsys32 kernel driver.
Unfortunately I'm not familiar enough with Metasploit etc. I would need someone else to e.g. compile a binary executable in order to test the exploit. Or in this context, I would require a web-site which contained the exploit and e.g. spontaneously executed just by visiting it. However, this particular exploit sounds like it would fail in a Limited User Account and/or a sandbox with Drop Rights enabled. While it might be interesting to test what would happen in an Administrator-level Read Only sandbox, the result should be obvious - since nothing can be written, the exploit would have to function entirely in memory. Therefore, as stated before, only data mining could take place (although given it is a direct kernel exploit, it would be interesting to see).
Rico wrote: As for the WMF exploit, I don't know if something like that would work under read-only condition.
I think the WMF exploit required data to be written somewhere - it would fail in a Read Only sandbox.
