KeePass -Drag-n-drop failure with Firefox
Moderator: Barb@Invincea
I am using KeePass v2.36 and attempting to drag-n-drop the username and password from an entry into Firefox. Works fine when Firefox is not sandboxed. Fails to allow drop with Sandboxie v5.14 or v5.20. Same behavior for 32-bit Firefox ESR v45.9.0 and Firefox ESR v52.2.0. Same behavior on Win7 x64 and Win8.1 x64.
KeePass is available at http://keepass.info/
Help on drag-n-drop: http://keepass.info/help/base/usingpws.html#dragdrop
Create a new database in KeePass. It contains Sample Entry #2, which can be used with http://keepass.info/help/kb/testform.html
Re: Drag-n-drop failure with Firefox
Um, did you try running KeePass inside the same sandbox as Firefox....e.g.,
>> https://www.wilderssecurity.com/threads ... st-2656825
pic is 2.35>> https://www.wilderssecurity.com/threads ... st-2656825
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3
Re: Drag-n-drop failure with Firefox
Firefox frequently publishes security updates. Many of the vulnerabilities allow web code to escape Firefox's own sandbox. The black hat folks know about some of these vulnerabilities before Firefox publishes an update. Therefore, the best way for me to protect against these 0-day vulnerabilities is to keep KeePass out of Sandboxie's sandbox containing Firefox. Drag-n-drop is more secure than the clipboard for entering username and password. Therefore, I would like Sandboxie to fix this bug. Wouldn't you too?
Re: Drag-n-drop failure with Firefox
Binky wrote: ↑Sat Jun 17, 2017 1:15 pm
> Firefox frequently publishes security updates. Many of the vulnerabilities allow web code to escape Firefox's own sandbox. The black hat folks know about some of these vulnerabilities before Firefox publishes an update. Therefore, the best way for me to protect against these 0-day vulnerabilities is to keep KeePass out of Sandboxie's sandbox containing Firefox. Drag-n-drop is more secure than the clipboard for entering username and password. Therefore, I would like Sandboxie to fix this bug. Wouldn't you too?
Hmm, "fix this bug".... IDK.
Sandboxie satisfies and KeePass satisfies.
I have KeeFox installed/disabled for browser integration... albeit, seldom if ever use since KeePass Auto-Type satisfies.
I have a dedicated KeePass sandbox for drag-n-drop.... albeit, seldom if ever use since KeePass Auto-Type satisfies.
Just me.
Cheers
Edit: KeePass v2.36 drag-n-drop works in my dedicated KeePass sandbox.
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3
Re: KeePass -Drag-n-drop failure with Firefox
Hello Binky,
We have an existing thread for this. Please have a look:
viewtopic.php?f=5&t=13143&hilit=keepass
Regards,
Barb.-
Re: KeePass -Drag-n-drop failure with Firefox
Hello Barb,
In this thread, user bjm repeats a suggestion from the thread you linked. Please see my earlier response as to why that is unacceptable for security reasons.
Drag-n-drop works fine when Firefox is not sandboxed. This is clear evidence that the problem is with Sandboxie. Please fix.
Re: KeePass -Drag-n-drop failure with Firefox
Hello Binky,
Currently, the only way to get it to work is the workaround provided in the existing threads.
Regarding your concern, you would be running Firefox + its own Sandbox + Sandboxie, so chances of something escaping are pretty low (nothing is impossible, however).
I am wondering if this is related:
viewtopic.php?f=11&t=24469&p=128265&hil ... sh#p128228
Have you tried both Firefox x64 and x86?
Regards,
Barb.-
Re: KeePass -Drag-n-drop failure with Firefox
Barb@Invincea wrote: ↑Mon Jun 19, 2017 3:57 pm
> Currently, the only way to get it to work is the workaround provided in the existing threads.
I can wait for a Sandboxie beta to fix the bug.
Barb@Invincea wrote: ↑Mon Jun 19, 2017 3:57 pm
> Regarding your concern, you would be running Firefox + its own Sandbox + Sandboxie, so chances of something escaping are pretty low (nothing is impossible, however).
I also run Flash Player, Foxit Reader, LibreOffice, VLC Media Player, etc. in the sandbox with Firefox. They all work great together. I just don't want the Black Hats being able to hack the KeePass application and database, which is possible when in the same sandbox.
I share my PC with a highly non-technical user, who is quite happy with my setup with one sandbox for Firefox and with one Firefox profile. Please fix the bug instead of requesting users degrade usability and administrators (me) increase configuration complexity and maintenance hours.
Barb@Invincea wrote: ↑Mon Jun 19, 2017 3:57 pm
> I am wondering if this is related:
> viewtopic.php?f=11&t=24469&p=128265&hil ... sh#p128228
No, neither Firefox nor KeePass is crashing.
I only use Firefox ESR x86 because of various compatibility problems presently with Firefox ESR x64.
Re: KeePass -Drag-n-drop failure with Firefox
Binky wrote: ↑Mon Jun 19, 2017 4:34 pm
> I also run Flash Player, Foxit Reader, LibreOffice, VLC Media Player, etc. in the sandbox with Firefox. They all work great together. I just don't want the Black Hats being able to hack the KeePass application and database, which is possible when in the same sandbox.
Binky, I think you should consider running programs like LibreOffice, VLC Media Player, etc., in their own sandbox; you'll be a lot more secure if you do so. Regarding Foxit, you can run it in its own sandbox when PDF is in your hard drive and set it up in your Firefox sandbox to run out of the browser, allow it to run in the sandbox and don't allow it to connect to the internet.
Then your only worry would be Flash. You'll solve Flash by not mixing browsing that requires passwords/other sensitive browsing with regular browsing. Do sensitive browsing in a fresh browsing session and delete the sandbox immediately after you finish before going back to browsing that doesn't require passwords. Doing this thing makes you more secure and using the workaround suggested by bjm becomes more secure as well.
Bo
Re: KeePass -Drag-n-drop failure with Firefox
bo.elam wrote: ↑Mon Jun 19, 2017 5:46 pm
> Binky, I think you should consider running programs like LibreOffice, VLC Media Player, etc., in their own sandbox; you'll be a lot more secure if you do so. Regarding Foxit, you can run it in its own sandbox when PDF is in your hard drive and set it up in your Firefox sandbox to run out of the browser, allow it to run in the sandbox and don't allow it to connect to the internet.
I already have separate sandboxes for Foxit Reader, LibreOffice and VLC Media Player (with Sandboxie forced program) for when I view files on the hard disk. And, yes, I don't allow these programs to connect to the internet in these dedicated sandboxes. Note that this configuration does not reduce usability for my highly non-technical user.
bo.elam wrote: ↑Mon Jun 19, 2017 5:46 pm
> Then your only worry would be Flash. You'll solve Flash by not mixing browsing that requires passwords/other sensitive browsing with regular browsing. Do sensitive browsing in a fresh browsing session and delete the sandbox immediately after you finish before going back to browsing that doesn't require passwords. Doing this thing makes you more secure and using the workaround suggested by bjm becomes more secure as well.
I solve the security problem with sharing Flash, Foxit Reader, LibreOffice and VLC Media Player in the sandbox with Firefox by always closing Firefox (and thus emptying the sandbox) before going to a site that requires passwords. My highly non-technical user is able to remember this rule.
I believe that my scheme of having KeePass outside of Firefox's sandbox is more secure than your suggestion to put KeePass inside Firefox's sandbox. So far, not one user has suggested that it is impossible for KeePass to get hacked inside Firefox's sandbox.
If everyone (but me) keeps suggesting to reduce security and/or usability to work around this Sandboxie bug, Sandboxie developers may feel like they don't need to fix this bug. Everyone, please support my bug-fix request. It is clearly in the best interest of all!
Re: KeePass -Drag-n-drop failure with Firefox
Binky wrote: ↑Mon Jun 19, 2017 6:08 pm
> If everyone (but me) keeps suggesting to reduce security and/or usability to work around this Sandboxie bug, Sandboxie developers may feel like they don't need to fix this bug. Everyone, please support my bug-fix request. It is clearly in the best interest of all!
Consider this. I think what you are calling a bug sounds more like a setting on the Sandboxie side is missing to make KeePass work with sandboxed Firefox as it does with Firefox outside the sandbox. Perhaps Sandboxie developers can implement the setting but to do so they would have to open a big hole in Sandboxie when you apply the setting. Most compatibility settings open a hole. You might end up less secure. I don't know, I am just writing what I see. Greetings, Binky.
Bo
Re: KeePass -Drag-n-drop failure with Firefox
I would welcome a setting or KeePass template to solve the problem. Note that other applications work with Sandboxie using Drag-n-drop: viewtopic.php?f=11&t=21992
Re: KeePass -Drag-n-drop failure with Firefox
Hello Binky,
I spoke with the devs about this. Creating a template would allow the same information you want to hide to make it into the Sandbox (templates are usually holes opened in the Sandbox in order to allow direct communication with programs). Thus, it would not change things security-wise.
There are currently no plans of creating a template for this application. However, if anything new comes up, we will update this thread.
Regards,
Barb.-
Re: KeePass -Drag-n-drop failure with Firefox
My KeePass Auto-Type with two-channel obfuscation....is outside of Firefox's sandbox, as far as I know.
Thanks
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3
Re: KeePass -Drag-n-drop failure with Firefox
Yes.
You can run KeePass in its own volatile sandbox (hardened).
Also, keystroke encryption software can provide help.
Running your password-manager, with an Internet facing application,
is less effective than just isolating one of them (imo).
Sunshine in a box, for when the storm hits.