comodo sandbox elevating privelege

View previous topic View next topic Go down

comodo sandbox elevating privelege

Post by neji19 on 1/10/2011, 21:30

I have used the latest version of comodo firewall and it works perfectly with my system and no compatibility problems. I use it because i think it's the best firewall as of now, and it's very easy to use and configure, by the way i'm an average computer user. I always use a limited account in my windows xp, as my first line of defense in windows security, and i also use surun if i have an application that requires adminitrative privilege. What i notice when i used comodo firewall, is that i can use an application in my limited account that requires an administrator privilege by simply putting these applications in "always sandbox" option in defense+ tab, even though i do not elevate this applications using surun. Is this normal in comodo sandox to elevate an application in a limited account. Thanks

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by ssj100 on 1/10/2011, 23:57

I haven't used Comodo Firewall for a long time, but that doesn't sound right (the fact that Comodo effectively elevates an application from having Limited rights to having Administrator rights). You should report it to the Comodo devs.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 06:56

Yup, i think so, it doesn't sound right. Actually, i follow you security setup, so i always use limited account, implement srp, and use surun to elevate some applications that needs admin rights. I just notice that even though i do not give surun a permission to elevate those applications i use that needs admin rights, by simply putting it in comodo sandbox(manual), i can now use those applications in my limited account without a problem. I think i have to report it to comodo. Is there anyone in this forum experience this?

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by ssj100 on 2/10/2011, 07:14

Perhaps you can give a few steps to reproduce the problem? I could test it with Sandboxie too.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 08:22

Well, if you can test the comodo firewall in virtualbox, i am very certain that it really elevate the privilege of an application in limited account, so you can reproduce it. In fact, to verify my observation, i uninstall surun in my windows xp, to make sure that there will be no reason for an application to elevate it's privilege under limited account. After i uninstall surun, i launched my applications that needs admin rights in my limited account, and as expected, of course it will not run. But , when i start to put those applications that needs admin rights under the comodo sandbox(manual), to be specific, is when i put those applications in "always sandbox" options in defense+ tab, in my surprise, i can now use those applications that needs admin rights under limited account without a problem, even though i uninstalled surun in my system. I hope you can reproduce the issue in virtualbox, for you to know what i mean. And i forgot to say, my restriction level under comodo sandbox(manual) is limited.

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by ssj100 on 2/10/2011, 08:23

I'll need to know exactly what application you're running sandboxed (and download link for it). Currently, I can't think of an application that absolutely needs Administrator rights to run.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 09:11

Ok, one of these programs is garena client. This is a program used to connect to other players in the internet. When im in a limited account in windows xp, i cannot run this application, it needs admin account, so i elevate it using surun. but after i uninstalled surun, i just put it in comodo sandbox(manual), and now i can use it in my limited account with no problems. I try to put the link to download this application, but i am not allowed, because it says that im only a new member, and needs 7 days past before i can put a link. Search for garena client in google, or go to garena.com

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by ssj100 on 2/10/2011, 09:29

I don't think I can test that application properly since I don't have an account to login with. I can get to the login screen in a LUA on a cleanly installed Windows XP, SP3. Presumably Admin rights are required to go beyond that?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 09:36

yup, you're definitely right, you cannot login in garena client if you don't have an admin account, thats why i elevate it using surun. But now i am using it in my limited account under comodo sandbox without problem, even though i already uninstalled surun in my system, that's strange..

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 09:41

you can use my account to try to login in garena client under limited account, to verify that you can't use this application under limited account, or you can register yourself.

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by ssj100 on 2/10/2011, 10:06

Okay I think I've worked it out. I can also reproduce the same thing with Sandboxie, which pretty much gives away the reason for this behaviour.

This application requires writing access into the C:\Program Files folder in order to run. When you try to run the application with Limited rights, it won't work, as Limited users can't write into the C:\Program Files folder.

However, when you run it sandboxed, you are sort of "tricking" the application so that it thinks it can write into the (sandboxed) C:\Program Files folder. With Sandboxie, this Program Files folder is (created) inside C:\Sandbox. Limited users can write within this C:\Sandbox folder. The REAL path of this folder will be something like:
C:\Sandbox\Limited User Account\DefaultBox\drive\C\Program Files\Garena Classic

Presumably Comodo's sandbox does something similar to Sandboxie's. Therefore, you aren't running the sandboxed application with Administrator rights - you're running it with Limited rights - SuRun actually confirms that it's running with Limited rights too (with the Green smiley face).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: comodo sandbox elevating privelege

Post by neji19 on 2/10/2011, 10:16

thanks for the explanation, i understand it now clearly, i just thought that it gains admin rights because i use it in limited account, even without using surun. The same goes maybe with other applications i have. This forum is great, thanks again

neji19
New Member
New Member

Posts : 7
Join date : 2011-10-01
Age : 27
Location : Philippines

View user profile

Back to top Go down

Re: comodo sandbox elevating privelege

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum