Sandboxie escape vulnerability? [DISPUTED - Not able to repro]

SB user
Posts: 3
Joined: Mon Jul 18, 2016 5:37 pm


Post by SB user » Thu Nov 08, 2018 5:05 pm

This was posted on Oct 29, 2018 (ten days ago) on the US-CERT Vulnerability Summary page:

Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file.


They have reference links as follows:

https://nvd.nist.gov/nvd.cfm?cvename=CVE-2018-18748

https://github.com/sandboxescape/Sandbo ... pe-Exploit


The GitHub page also lists this link:

http://cve.mitre.org/cgi-bin/cvename.cg ... 2018-18748


I haven't seen anything here at the forum, unless I am missing it. There doesn't appear to be any information on the GitHub site. Is this some elaborate hoax? I'd think something like this would be lighting up the Sandboxie forum. I admit I do not understand the above described vulnerability, but a published way to escape the sandbox sounds pretty alarming. Can anyone comment on this? Thanks in advance.

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie escape vulnerability?

Post by Barb@Invincea » Fri Nov 09, 2018 10:51 am

Hello SB user,

Those links do not specify anything. However, we performed the following tests (I got the dev team involved as well):

Created a bat file with: python -c "import os; os.system('cmd.exe')"
Run it as admin inside the sandbox --> Unable to modify files on the host
Run it as normal user, inside the Sandbox --> Unable to modify files on the host

Run CMD directly in the Sandbox, and punched python -c "import os; os.system('cmd.exe')"
Attempted to create/delete files --> Unable to modify files on the host

Every time, Immediate recovery would come up as expected, and files were created inside Sandboxie.
Also, CMD was running under anonymous logon, as expected.
We also tested using powershell.exe, instead of cmd, with the same results.

If you have any additional information, please let us know. Otherwise, we are not seeing any issues.

Regards,
Barb.-
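
The tests in the post above come down to one host-side question: did a write made from inside the sandbox reach the real path, or was it redirected into the box? The following is an added example, not code from this thread or from Sandboxie; it assumes the box stores redirected files under `<box root>\drive\<letter>\...`, and the paths, box name and function names are constructed for illustration.

```python
import ntpath
import secrets

def new_token():
    """Per-run marker, so a stale file from an earlier test is never counted."""
    return secrets.token_hex(8)

def write_canary(path, token):
    """Step 1: call this from a process started inside the sandbox."""
    with open(path, "w") as fh:
        fh.write(token)

def boxed_path(host_path, box_root):
    """Where a redirected write to host_path should land (assumed layout:
    <box_root>\\drive\\<letter>\\...; profile folders are out of scope)."""
    drive, tail = ntpath.splitdrive(ntpath.normpath(host_path))
    if len(drive) != 2 or drive[1] != ":":
        raise ValueError("expected a drive-letter path: %r" % host_path)
    return ntpath.join(box_root, "drive", drive[0].upper(), tail.lstrip("\\"))

def read_text(path):
    """Return the file content, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None

def verdict(host_path, box_root, token, read=read_text):
    """Step 2: call this on the host, outside the sandbox. Run inside the
    sandbox it would read the box's copy through the real path and mislead."""
    if read(host_path) == token:
        return "ESCAPED"       # the write reached the real file system
    if read(boxed_path(host_path, box_root)) == token:
        return "CONTAINED"     # the write was redirected into the box
    return "NOT_WRITTEN"       # no marker from this run; repeat step 1

# Constructed sample values; adjust to the box under test.
HOST_PATH = r"C:\Temp\sbie_canary.txt"
BOX_ROOT = r"C:\Sandbox\tester\DefaultBox"
```

Because the token is random per run, a leftover file at either path from an earlier attempt yields `NOT_WRITTEN` rather than a false result.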

SB user
Posts: 3
Joined: Mon Jul 18, 2016 5:37 pm

Re: Sandboxie escape vulnerability? [unable to repro]

Post by SB user » Sun Nov 11, 2018 7:16 pm

Barb,

Thanks for the quick reply. I follow a very popular website for Windows, and in their forum they have a section for security issues. As part of that they have a link each week for the US-CERT Vulnerability Summary page. This is put out by the Department of Homeland Security. It's a huge list of all the vulnerabilities discovered for the previous week. Many go there to see if there are any vulnerabilities that might affect them. In the forum post they do a summary list of some of the key products affected that they feel may be of interest to the readers. This one listed Sandboxie, so I went to the website and read what it said. I pretty much summarized that above. Here's the original link:

https://www.us-cert.gov/ncas/bulletins/SB18-309-0

It's alphabetical, so just scroll down and look on the left until you get to Sandboxie. I am not knowledgeable on these things, I just saw Sandboxie on a very well-known Department of Homeland Security bulletin, so I wanted to ask if you were aware of this. I have no idea what it takes to get listed on there, who may have done it, or if it is a hoax. I also thought perhaps if this is erroneous you might like to try to get it removed.

Thanks for looking into this. If you are able to find out anything more please post it here. I am still concerned that the person who did this may be legit and just didn't provide the full details so you weren't able to duplicate it.

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie escape vulnerability? [unable to repro]

Post by Barb@Invincea » Mon Nov 12, 2018 9:53 am

Hello SB user,

That link does not provide anything new. It states it has not been calculated, and that's about it.
Our mgmt team reached out to Mitre regarding this to see if they can remove it, and/or provide any details.

If you come up with any repro steps or information, please let us know. As of now, this is NOT an issue.

Regards,
Barb.-

Crazy
Posts: 29
Joined: Tue Jul 17, 2018 5:47 am

Re: Sandboxie escape vulnerability?

Post by Crazy » Mon Nov 12, 2018 11:02 am

Barb@Invincea wrote:
Fri Nov 09, 2018 10:51 am
Hello SB user,

Those links do not specify anything. However, we performed the following tests (I got the dev team involved as well):

Created a bat file with: python -c "import os; os.system('cmd.exe')"
Run it as admin inside the sandbox --> Unable to modify files on the host
Run it as normal user, inside the Sandbox --> Unable to modify files on the host

Run CMD directly in the Sandbox, and punched python -c "import os; os.system('cmd.exe')"
Attempted to create/delete files --> Unable to modify files on the host

Every time, Immediate recovery would come up as expected, and files were created inside Sandboxie.
Also, CMD was running under anonymous logon, as expected.
We also tested using powershell.exe, instead of cmd, with the same results.

If you have any additional information, please let us know. Otherwise, we are not seeing any issues.

Regards,
Barb.-

According to this: https://github.com/sandboxescape/Sandbo ... README.doc

The vulnerable Windows version is: Microsoft Windows [版本 6.1.7601]

That version is Windows 7, Service Pack 1 and Windows Server 2008 R2, SP1. Have you tried to reproduce the "exploit" in those two Windows versions?

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie escape vulnerability? [unable to repro]

Post by Barb@Invincea » Mon Nov 12, 2018 11:15 am

UPDATE:

No difference, results were the exact same on Windows 7.
Also, as stated, the vulnerability is now "disputed".

---------------------- X ----------------------
Hi Crazy,

That information was not available last week. I'll give it a go and update this thread.
Let me know if you found any issues with it as well.

Thanks!
Barb.-
