Sandbox bypassed or..?

BUCKAROO
Posts: 207
Joined: Sun Oct 24, 2010 3:13 am

Re: Sandbox bypassed or..?

Post by BUCKAROO » Sat Mar 21, 2015 5:28 am

They probably use the LsaStorePrivateData function,
storing a local object with the "L$" prefix. Hint! :wink:

So how to clear this area if it is spammed...?
Can it be exploited otherwise? Don't think so.

REM https://technet.microsoft.com/en-us/sys ... 97553.aspx
psexec -i -s cmd.exe

REM from an Admin cmd prompt we gained System.
regedit
jump to HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
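
An added audit script (not from this thread or from Sandboxie) for the check described above: it lists the secret names under HKLM\SECURITY\Policy\Secrets and reports any that were not present in a saved baseline, tagging the local-only "L$" entries that LsaStorePrivateData creates. The baseline file location and format are assumptions of this example; the SECURITY hive is readable only by SYSTEM, so it must run from a SYSTEM shell such as the psexec -i -s one shown above.

```powershell
# Added example, not part of the original post. Enumerates LSA secret names
# (one subkey per secret) so that unexpected "L$"-prefixed entries written
# from inside the sandbox can be spotted and reviewed. Values are never read.
# Assumption: run as SYSTEM; the baseline path below is a made-up default.

$SecretsKey = 'HKLM:\SECURITY\Policy\Secrets'

function Get-LsaSecretName {
    # Returns the sorted list of secret names; "L$" marks a machine-local secret.
    if (-not (Test-Path -Path $SecretsKey)) {
        throw "Cannot open $SecretsKey - this hive is only readable as SYSTEM."
    }
    Get-ChildItem -Path $SecretsKey | ForEach-Object { $_.PSChildName } | Sort-Object
}

function Save-LsaSecretBaseline {
    # Snapshot the current names to compare against later (assumed path).
    param([string]$Path = "$env:ProgramData\lsa-secrets-baseline.txt")
    $names = @(Get-LsaSecretName)
    Set-Content -Path $Path -Value $names
    Write-Host "Baseline of $($names.Count) LSA secret names written to $Path"
}

function Compare-LsaSecretBaseline {
    # Report names that appeared since the baseline; returns them for scripting.
    param([string]$Path = "$env:ProgramData\lsa-secrets-baseline.txt")
    if (-not (Test-Path -Path $Path)) { throw "No baseline at $Path - run Save-LsaSecretBaseline first." }
    $known = @(Get-Content -Path $Path)
    $new   = @(Get-LsaSecretName | Where-Object { $known -notcontains $_ })
    foreach ($name in $new) {
        $tag = if ($name -like 'L$*') { 'local L$ secret' } else { 'other secret' }
        Write-Host "NEW: $name [$tag]"
    }
    if ($new.Count -eq 0) { Write-Host 'No new LSA secret names since baseline.' }
    return $new
}

# Usage: Save-LsaSecretBaseline on a clean system, then Compare-LsaSecretBaseline
# after running the suspect program in the sandbox.
```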

danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Sat Mar 21, 2015 5:48 am

BUCKAROO
heh, I found this reg hive too. But I tried to set HKEY_LOCAL_MACHINE\ and HKEY_USERS\ in the SB settings (I set read-only access). It doesn't help. It seems Sandboxie really can't set restrictions on some reg hives.

BUCKAROO
Posts: 207
Joined: Sun Oct 24, 2010 3:13 am

Re: Sandbox bypassed or..?

Post by BUCKAROO » Sat Mar 21, 2015 8:04 am

nah. Sbie well and truly sandboxes the registry by now, I would say.
But here, lsass.exe (unsandboxed SYSTEM process) was marshalling. :/

[GlobalSettings]
ClosedIpcPath=\RPC Control\LSARPC_ENDPOINT

Comment= or under [DefaultBox]

No idea what else it will block/break, probably browsery things heh.

Sbie needs a "SandboxieLsass.exe" like it has a SandboxieCrypto.exe?
No, SandboxieRpcSs.exe could proxy? Maybe need SandboxieSpooler.exe? :wink:

danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Sat Mar 21, 2015 9:32 am

But this setting prevents software setup...

BUCKAROO
Posts: 207
Joined: Sun Oct 24, 2010 3:13 am

Re: Sandbox bypassed or..?

Post by BUCKAROO » Sat Mar 21, 2015 9:47 am

danicx wrote: But this setting prevents software setup...
There, I learned something new. I didn't test the installer but the main program exe to notice that "The system cannot open the device or file specified." during setup...

Solution: Make 'em portable, or, and I am thinking out loud again, create an InjectDll to detour appropriate funcs, but wouldn't be as secure as what Curt can accomplish.

Curt@invincea
Sandboxie Lead Developer
Posts: 1671
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandbox bypassed or..?

Post by Curt@invincea » Sat Mar 21, 2015 11:59 pm

I really don't want to let the entire world in on how to crack this software. I don't think there is any way this can be exploited, but I will research it further next week. Perhaps it should be part of SandboxieCrypto.

But this episode does bring out a couple of points.

1) I like UAC and think it is a good security feature of Windows. I always run with UAC enabled, even with Sandboxie loaded. It is not a big deal for me to click on a dozen or so popups per day. Disabling UAC basically means everything runs at high integrity without letting you know anything is happening.

2) The goal of Sandboxie is to prevent any permanent damage to your system. It is not possible to prevent anything from ever being stored outside the sandbox. There are many Windows features that just won't work otherwise. For example, the DNS cache is open to sandboxed processes.

danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Sun Mar 22, 2015 8:43 am

IMHO
1) I tested UAC with a test screenlocker emulator. It was bypassed very easily. I don't want to use a tool that protects me 50/50. I don't know where the good 50% is and where the bad is.
2) This software really does not need such great privileges. And it works without them. So maybe it is possible to give Sandboxie users some control over "necessary" software actions?

Thanks for your attention, Curt.
I will wait for your research and will monitor this thread.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Sun Mar 22, 2015 12:24 pm

Curt@invincea wrote: I really don't want to let the entire world in on how to crack this software.
I agree, but as danicx points out, this software should not require elevated privileges.
Curt@invincea wrote: 1) I like UAC and think it is a good security feature of Windows. I always run with UAC enabled, even with Sandboxie loaded. It is not a big deal for me to click on a dozen or so popups per day. Disabling UAC basically means everything runs at high integrity without letting you know anything is happening.
You could make UAC a recommendation in the Sandboxie explanations, or make Sandboxie Drop Rights a default setting.
Curt@invincea wrote: 2) The goal of Sandboxie is to prevent any permanent damage to your system.
"permanent damage" has always been described as "permanent changes" as long as I have ever known.

UAC may not necessarily be the true culprit. It may be something else and you only affect it with UAC.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Sun Mar 22, 2015 12:39 pm

Actually, I apologize. It does state on the Drop Rights page,
"Sandboxie has to disable only a few security rights from the programs it supervises in
order to guarantee isolation."

So without the drop rights being set, isolation is not a guarantee. hmmm Maybe that covers this? :?

Curt@invincea
Sandboxie Lead Developer
Posts: 1671
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandbox bypassed or..?

Post by Curt@invincea » Mon Mar 23, 2015 12:48 pm

JoeHood wrote:
Curt@invincea wrote: I really don't want to let the entire world in on how to crack this software.
I agree, but as danicx points out, this software should not require elevated privileges.
I haven't verified this, but what they are probably doing is detecting that UAC is disabled before they attempt this trick. Because I doubt they want a UAC dialog to popup when it is not expected. That is just another reason not to disable UAC.
