Sandboxie bypassed

Sandboxie bypassed

Post by ssj100 on 3/2/2011, 11:47

I was waiting for tzuk to confirm this bypass before posting here, but he seems to be taking a while to test it:
http://www.sandboxie.com/phpbb/viewtopic.php?t=9812

As far as I know, these are the specific settings to bypass Sandboxie 3.52:
1. Windows 7 (probably works on Windows Vista too). Windows XP seems to be immune.
2. Administrator account. Doesn't work in a Standard User Account (Limited User Account).
3. Sandboxie Drop Rights disabled. Doesn't work if Drop Rights is enabled.

I personally tested on 32-bit, although I'm quite sure the bypass will work on 64-bit too. Can someone test this? Thanks.

As I mentioned in the Sandboxie forum thread, I suspect this bypass has something to do with the UAC mechanism introduced in Windows Vista/7.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator
Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com

Re: Sandboxie bypassed

Post by Stephen2 on 3/2/2011, 12:53

Confirmed as working:

Tested on Win7 Ultimate x64, Sandboxie 3.52 full.
Administrator account with UAC disabled.

As you mentioned, Drop Rights had to be disabled or it would crash SandboxIE Start.exe

Just as well you and I run as SUA, with Drop Rights enabled. There's always different ways to kill potential vulns dead.

Stephen2
Member
Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia

Re: Sandboxie bypassed

Post by ssj100 on 3/2/2011, 13:14

Stephen2 wrote: As you mentioned, Drop Rights had to be disabled or it would crash SandboxIE Start.exe
Actually, when I tested with 32-bit and Drop Rights enabled, the POC simply wouldn't work - just the same as it wouldn't work in a Standard User Account - an error message pops up saying that it doesn't have enough rights to perform the action. Are you saying that on 64-bit, it crashes instead?


Re: Sandboxie bypassed

Post by Stephen2 on 3/2/2011, 13:27

Correct, on my setup.

Isn't a clean install VM or anything, so may be some other tweak or something interfering?

Only other security software is Comodo Personal Firewall (Defense+ disabled)

hmm... also: Saying "it" crashes is incorrect, SandboxIE's start.exe program crashes and launches werfault.exe


Re: Sandboxie bypassed

Post by p2u on 4/2/2011, 10:41

ssj100 wrote: I was waiting for tzuk to confirm this bypass before posting here, but he seems to be taking a while to test it [...]
Serious problems take lots of testing. I think he's trying to find a solution before reacting in public.

ssj100 wrote: [...] Doesn't work in a Standard User Account (Limited User Account). [...]
[...] Doesn't work if Drop Rights is enabled. [...]
Well, the author didn't write this specifically against UAC. It was intended as an exploit against Comodo, right? Adopting it for other purposes can't be that hard. And even if UAC can't be bypassed silently; what if this is integrated into an installer you want to test?
P.S.: Praise yourself lucky you're on XP. Although they seem safer, Vista and Windows 7 have some really serious architectural holes in them that are covered up through obscure "security" mechanisms that are not really security boundaries. I'm seriously thinking now what my next flavor for an OS will be, but the odds are against Windows.

Paul

p2u
Valued Member
Posts : 211
Join date : 2010-12-14

Re: Sandboxie bypassed

Post by ssj100 on 4/2/2011, 10:49

Yes, all those comments have been made in that Sandboxie thread mate.

Regardless, I've so far concluded that this is more of a "bug" with Sandboxie on Windows 7:
http://www.sandboxie.com/phpbb/viewtopic.php?p=63717#63717
I'm still scratching my head over why this POC doesn't work on Windows XP when run sandboxed in a full blown Administrator account with Drop Rights disabled. When run outside the sandbox, the POC succeeds, so it's not that the POC isn't functional on Windows XP. Could this be more of a "compatibility" issue between Sandboxie and Windows 7 itself?

p2u wrote: P.S.: Praise yourself lucky you're on XP. Although they seem safer, Vista and Windows 7 have some really serious architectural holes in them that are covered up through obscure "security" mechanisms that are not really security boundaries. I'm seriously thinking now what my next flavor for an OS will be, but the odds are against Windows.
We'll see how it goes I suppose. I'm personally waiting for Windows 8 or Windows 9 before leaving XP. And happily, so is my workplace.


Re: Sandboxie bypassed

Post by p2u on 4/2/2011, 10:55

ssj100 wrote: Regardless, I've so far concluded that this is more of a "bug" with Sandboxie on Windows 7
My first thought is that the SAM API in Vista/Win7 "stinks". I've had this feeling more than once.

Paul


Re: Sandboxie bypassed

Post by ssj100 on 4/2/2011, 11:15

Could you explain more about the SAM API?


Re: Sandboxie bypassed

Post by p2u on 4/2/2011, 14:51

ssj100 wrote: Could you explain more about the SAM API?
What is the Security Accounts Manager
Windows API

Theoretically (I haven't looked at the PoC): From the description of the PoC I understand that it just makes some very simple system calls, nothing more. The interesting thing is that Sandboxie is reported to crash during this experiment. Since we are talking about account creation, this would suggest that Sandboxie hooks into some of the SAM API functions, which causes an evil exception when those functions are called. As to why this happens on Vista/Win7, but not on XP: one of the possible reasons that come to mind is that as an admin on Vista and Windows 7, you can make queries and get security-related process info (the system itself allows it to happen) that is off-limits on XP (the system itself will block it from happening). That would be a good explanation of why you are "protected" on XP, but not on Vista and up. But instead of listening to my pseudo-technical babble, it would be best to ask the author of the PoC himself through PM. I see that he posts on the Sandboxie forum as well...

Paul


Re: Sandboxie bypassed

Post by ssj100 on 5/2/2011, 01:45

p2u wrote: But instead of listening to my pseudo-technical babble, it would be best to ask the author of the PoC himself through PM.
I asked him several days ago - he had no idea.


Re: Sandboxie bypassed

Post by ssj100 on 7/2/2011, 12:34

Update: Tested this POC with BufferZone Pro 3.41-14 on Windows 7 and it is also "bypassed". Unfortunately for BufferZone, I can't see a way to enable "Drop Rights" or similar?

However, BufferZone (apparently) prevents the POC from running on Windows XP (just like Sandboxie).


Re: Sandboxie bypassed

Post by ssj100 on 8/2/2011, 05:10

Update: tzuk has identified the problem and will release a Beta version to test soon:
http://www.sandboxie.com/phpbb/viewtopic.php?p=63871#63871
tzuk wrote: Thanks for this problem report, I've looked into this. It was really a very small bug.

What this program does is contact the Security Account Manager (SAM) component of Windows and ask to create a new account. Sandboxie already traps this request and wants to strip Administrator group membership prior to actually issuing the request. Which is why this request is actually blocked on Windows XP.

Just before stripping group membership, Sandboxie evaluates the security token to see if this is actually necessary. This means getting information about the security token into a memory buffer. The mistake I made was to have a small memory buffer. That works fine on XP but on Vista/7 there is a lot more security information and the memory buffer was just not big enough.

I made the memory buffer larger, and that fixes the Administrator-stripping logic. Sorry about this oversight.

I am aiming to release version 3.53.01 towards the end of this week or early next week so you should be able to confirm this fix at that time.

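The explanation quoted above describes a classic failure mode: a security check reads token group information into a fixed-size buffer, the buffer is large enough on XP but not on Vista/7 where tokens carry more groups, and when the query fails the Administrator-stripping logic is skipped rather than treated as an error. The following is an added example, written for this thread and not Sandboxie's own code; it reproduces that failure mode in portable C without Windows headers. The `Token`, `TokenGroups` and `query_token_groups()` names are constructed stand-ins for an access token, `TOKEN_GROUPS` and the two-call size-query contract of Win32 `GetTokenInformation(TokenGroups)`; the group lists are constructed sample tokens, with the SID strings being the well-known values they resemble and the group counts chosen only to make one token fit the small buffer and the other not.

```c
/* Added example (not Sandboxie's code): a fixed-buffer token check that
   fails open when the buffer is too small, next to the corrected pattern
   that sizes the buffer from a first call and fails closed on any error.
   Everything here is a constructed stand-in; no Win32 API is called. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_OK 0
#define ERR_INSUFFICIENT_BUFFER 122  /* same numeric value as Win32 ERROR_INSUFFICIENT_BUFFER */

typedef struct { char sid[32]; } GroupEntry;                 /* stand-in for a SID */
typedef struct { unsigned count; GroupEntry groups[]; } TokenGroups; /* stand-in for TOKEN_GROUPS */
typedef struct { unsigned ngroups; const char *const *group_sids; } Token; /* stand-in for an access token */

/* Mimics GetTokenInformation(TokenGroups): copies the groups into the caller's
   buffer, or reports the required size and fails when the buffer is too small. */
static int query_token_groups(const Token *tok, void *buf, unsigned buflen, unsigned *needed)
{
    *needed = (unsigned)(sizeof(TokenGroups) + tok->ngroups * sizeof(GroupEntry));
    if (buf == NULL || buflen < *needed)
        return ERR_INSUFFICIENT_BUFFER;
    TokenGroups *tg = (TokenGroups *)buf;
    tg->count = tok->ngroups;
    for (unsigned i = 0; i < tok->ngroups; i++) {
        strncpy(tg->groups[i].sid, tok->group_sids[i], sizeof tg->groups[i].sid - 1);
        tg->groups[i].sid[sizeof tg->groups[i].sid - 1] = '\0';
    }
    return ERR_OK;
}

static const char ADMIN_SID[] = "S-1-5-32-544";  /* BUILTIN\Administrators */

static int groups_contain_admin(const TokenGroups *tg)
{
    for (unsigned i = 0; i < tg->count; i++)
        if (strcmp(tg->groups[i].sid, ADMIN_SID) == 0) return 1;
    return 0;
}

/* Buggy pattern: a stack buffer sized for 4 groups, and a failed query is
   treated as "no admin membership". Returns 1 if admin rights must be stripped. */
int needs_strip_buggy(const Token *tok)
{
    unsigned buf[(sizeof(TokenGroups) + 4 * sizeof(GroupEntry)) / sizeof(unsigned)];
    unsigned needed;
    if (query_token_groups(tok, buf, (unsigned)sizeof buf, &needed) != ERR_OK)
        return 0;  /* fail open: the check is silently skipped on a large token */
    return groups_contain_admin((const TokenGroups *)buf);
}

/* Corrected pattern: ask for the size first, allocate exactly that, and treat
   any other outcome as a reason to strip (fail closed). */
int needs_strip_fixed(const Token *tok)
{
    unsigned needed = 0;
    int rc = query_token_groups(tok, NULL, 0, &needed);
    if (rc != ERR_INSUFFICIENT_BUFFER) return 1;
    void *buf = malloc(needed);
    if (buf == NULL) return 1;
    rc = query_token_groups(tok, buf, needed, &needed);
    int strip = (rc != ERR_OK) || groups_contain_admin((const TokenGroups *)buf);
    free(buf);
    return strip;
}

/* Constructed sample tokens: an XP-style admin token with few groups, and
   Vista/7-style tokens with more groups (extra logon and integrity SIDs). */
static const char *const XP_ADMIN_GROUPS[] = {
    "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545" };
static const char *const WIN7_ADMIN_GROUPS[] = {
    "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-4",
    "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-16-12288" };
static const char *const WIN7_USER_GROUPS[] = {
    "S-1-1-0", "S-1-5-32-545", "S-1-5-4",
    "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-16-8192" };

const Token XP_ADMIN   = { 3, XP_ADMIN_GROUPS };
const Token WIN7_ADMIN = { 8, WIN7_ADMIN_GROUPS };
const Token WIN7_USER  = { 7, WIN7_USER_GROUPS };

int main(void)
{
    printf("XP admin:    buggy=%d fixed=%d\n", needs_strip_buggy(&XP_ADMIN),   needs_strip_fixed(&XP_ADMIN));
    printf("Win7 admin:  buggy=%d fixed=%d\n", needs_strip_buggy(&WIN7_ADMIN), needs_strip_fixed(&WIN7_ADMIN));
    printf("Win7 user:   buggy=%d fixed=%d\n", needs_strip_buggy(&WIN7_USER),  needs_strip_fixed(&WIN7_USER));
    return 0;
}
```

The buggy version says "strip" for the small XP-style admin token but "don't strip" for the larger Win7-style admin token, which is exactly the XP-protected / Win7-bypassed split reported in the thread; the corrected version strips in both cases. The fix that matters is not only the larger buffer but the error handling: a size-query failure on a security decision should fail closed.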

Re: Sandboxie bypassed

Post by p2u on 8/2/2011, 11:18

ssj100 wrote: Update: tzuk has identified the problem and will release a Beta version to test soon

Good news!

Paul
