Sandboxed WMV file invokes IE, but IE didn't get sandboxed

Pinco Pallaccio

Post by Pinco Pallaccio » Thu Aug 30, 2007 3:27 pm

Hi all,

I chose to test Sandboxie with a Windows Media Video file (.WMV) taken from eMule, and I chose a 900 kB (censored) file for this test (because I think some WMVs are among the most dangerous ones; in some cases even GMER isn't able to detect the rootkit in them, as stated on their site). I don't know if I'm allowed to paste the file name and the ED2K link here; I won't do it until an admin/moderator says it's OK with the board rules. ;-)

Anyway, I simply right-clicked the file and opened it with the option "Run Sandboxed". Then the following happens: first, this file typically tries to acquire a License; then I deny the request by hitting the "Cancel" button; at this point, the WMV file automatically opens an IE instance pointing to a web page.

The problem is that the IE session isn't sandboxed, despite being invoked by a program which I verified is sandboxed (Windows Media Player). I say this because:

- I saw that the wmplayer.exe process is correctly sandboxed (the # signs are present in the WMP window, and wmplayer.exe is present in Sandboxie's sandboxed process list).
- The IE process invoked by WMP, by contrast, is not sandboxed (no # signs in the IE window, and no iexplore.exe process in Sandboxie's process list).

I tried this three times, and the result is the same. The test configuration I used is as follows:

- Windows 2000 Pro SP4 with all the security patches up to present.
- Windows 2000 runs inside VMWare 5.5.2 build-29772
- Windows Media Player 9.00.00.3354
- The Windows account used for this test belongs to the Users Group (no Admin rights).
- Sandboxie 3.01, installed the first time as Administrator with all options at their defaults, then logged off and run since then as the limited user (I mean with a regular account logon, not under RunAs, a service or other equivalents), with no other problems with apps like FF 2.0.0.6 and eMule 0.48A.
- I granted the limited account full ACL rights to the file %SystemRoot%\Sandboxie.ini.
- Every time, the Sandboxie driver is correctly loaded as LocalSystem, the control.exe process is running correctly, and so are the other two apps controlled by SandboxieRpcSs.exe (FF & eMule).

For some reason I don't understand, it seems the WMV file managed to elude the security layer provided by the sandbox, because it didn't intercept the launch request made by WMP to open IE. Relevant note: having read on this forum about the problem (later revealed as false) regarding IceSword allegedly bypassing Sandboxie, it is important to say that I had never launched this WMV file, nor any other multimedia file, before, neither inside nor outside Sandboxie, as my Windows-2000-inside-VMware installation is new and I revert it back to the original almost every day.

Any clue?

Please forgive my English, and thanks a lot to Tzur for his great program and for his constant support in this forum, and to all of you.
Pinco Pallaccio, pincopallaccio@tiscali.it
A collaborative and happy Sandboxie user :-)

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Thu Aug 30, 2007 4:11 pm

You can post anything dangerous as long as you put a warning on it.

I'd prefer it if you'd upload it to Rapidshare, as a lot of us won't use eMule (a very outdated way of getting content, IMHO).

I'd love to test it too, though.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Thu Aug 30, 2007 4:32 pm

Yep, what he said. eMule's getting very outdated, and part of what started the ed2k network is dead; that's how bad ed2k is getting. Plus, since eMule works off a point system, those who never use eMule are going to have a harder time getting the video (it could take a week) than those who frequently use eMule. Rapidshare FTW! :lol:

Pinco Pallaccio

Post by Pinco Pallaccio » Fri Aug 31, 2007 9:46 am

I had heard of and used Rapidshare a few times as a downloader, but never as an uploader. I tried it now and put the files on it: it's great, really simple, "rapid" (of course!), and all for free. Thanks for the tip! :-)

Sorry for the long post; I thought it better to explain everything in detail now than to add details later.

Below are the links to the video and the snapshots I took. As suggested by street011, this is the disclaimer: please note that this short video and the snapshots might contain some static images which are for adults only. I posted the links here only for testing purposes strictly related to making one's system more secure. Furthermore, the video being a potentially dangerous file, I strongly advise against executing it on "live" systems (I ran it under Sandboxie, as a limited user, and inside a VMware virtual machine). Please don't download this file if you don't know what you're doing.

This is the short "static" video: http://rapidshare.com/files/52462898/video.wmv.
And these are the snapshots:

1) http://rapidshare.com/files/52462317/videosnapshot1.jpg. Before running the file with the "Run sandboxed" option, all the relevant processes and their PIDs are listed correctly both in Task Manager and in Sandboxie's process list. In Task Manager I ordered the processes alphabetically, so all the relevant ones are visible.

2) http://rapidshare.com/files/52462472/videosnapshot2.jpg. When the "Run sandboxed" option is clicked, for roughly one second the "Start.exe" process which sandboxes the WMP process appears in Sandboxie's process list (this is not seen in the snapshot); then WMP is started, and once started it suddenly tries to acquire the License ("Acquisizione licenza" in Italian). At this point I hit the "Cancel" ("Annulla" in Italian) button to avoid installing the License.

3) http://rapidshare.com/files/52462546/videosnapshot3.jpg and http://rapidshare.com/files/52462615/videosnapshot4.jpg (the difference between these two snapshots is the Task Manager view: in the third image the "Processes" view is visible, in the fourth image the "Applications" view is visible). Once the Cancel button is hit, WMP apparently opens an IE window. Now, I say "apparently" because, while taking the snapshots, I noticed that no iexplore.exe is present in Task Manager; but, as you can see, no other instance of the wmplayer.exe process is started either (in Sandboxie and in Task Manager only one wmplayer.exe instance is present).

Note: If I, as an Administrator, revoke all ACL rights to read/write/access "%ProgramFiles%\Internet Explorer\" for every user group (including LocalSystem), then log in again as the limited user, and finally repeat the test described above, the IE window is opened anyway. Since even LocalSystem cannot access the IE folder, in my understanding this means that neither Sandboxie nor any other user on the system is able to do so.

So:

A) Despite the IE icon, this seems not to be an IE instance; but if it is not, strangely, no second instance of wmplayer.exe is found in Task Manager.
B) Regardless of whether it is or not, no # signs are present in this window. Does this suggest that this window is not sandboxed, while the main WMP window is?

Thanks a lot for your attention and sorry again for the long post :-)
Pinco Pallaccio, pincopallaccio@tiscali.it
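The question the post above leaves open (is the IE-styled window a separate iexplore.exe process, or a window owned by the already sandboxed wmplayer.exe?) can be settled by asking Windows which process owns each top-level window, rather than by reading Task Manager and the title bar by eye. The script below is an added example, not code from this thread or from Sandboxie. It assumes a Windows host with PowerShell (Windows 2000 has none, so this is for reproducing the test on a newer system) and Sandboxie's default window-title decoration "[#] ... [#]"; the TopLevelWindows class and the output column names are my own.

```powershell
# Added example: attribute every visible top-level window to its owning process,
# flag titles carrying Sandboxie's default "[#] ... [#]" marker, and report
# whether the owner has IE's rendering DLLs loaded in-process.
# Assumptions: Windows with PowerShell 5.1 or later; default Sandboxie title marker.

Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class TopLevelWindows
{
    private delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    private static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);

    [DllImport("user32.dll")]
    private static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    private static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);

    [DllImport("user32.dll")]
    private static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);

    // Returns one "hwnd|pid|title" string per visible window that has a title.
    public static List<string> Enumerate()
    {
        var rows = new List<string>();
        EnumWindows((hWnd, lParam) =>
        {
            if (!IsWindowVisible(hWnd)) return true;
            var sb = new StringBuilder(512);
            if (GetWindowText(hWnd, sb, sb.Capacity) == 0) return true;
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            rows.Add(hWnd.ToInt64() + "|" + pid + "|" + sb.ToString());
            return true;
        }, IntPtr.Zero);
        return rows;
    }
}
"@

$marker = '^\[#\].*\[#\]$'   # Sandboxie's default decoration of sandboxed windows

$report = foreach ($line in [TopLevelWindows]::Enumerate()) {
    $hwnd, $ownerPid, $title = $line -split '\|', 3
    $proc = Get-Process -Id ([int]$ownerPid) -ErrorAction SilentlyContinue

    # mshtml.dll (Trident), shdocvw.dll / ieframe.dll (WebBrowser control) loaded
    # into a non-IE process mean the page is rendered inside that process.
    $browserDlls = @()
    if ($proc) {
        try {
            $browserDlls = $proc.Modules |
                Where-Object { $_.ModuleName -match '^(mshtml|shdocvw|ieframe)\.dll$' } |
                ForEach-Object { $_.ModuleName }
        } catch {
            $browserDlls = @('<access denied>')   # other session/integrity level
        }
    }

    [pscustomobject]@{
        HWnd        = ('0x{0:X}' -f [int64]$hwnd)
        PID         = [int]$ownerPid
        Process     = $(if ($proc) { $proc.ProcessName } else { '?' })
        Sandboxed   = ($title -match $marker)
        BrowserDlls = ($browserDlls -join ',')
        Title       = $title
    }
}

$report | Sort-Object PID, HWnd | Format-Table -AutoSize
```

Run it while the suspect window is open. A row whose Process is wmplayer.exe and whose BrowserDlls lists mshtml.dll or shdocvw.dll is a page rendered inside the media player, so it lives in the same (sandboxed) process whatever its icon or title says; that reading also fits the ACL experiment in the post, since mshtml.dll and shdocvw.dll live in %SystemRoot%\System32, not in the Internet Explorer folder. A row owned by iexplore.exe with Sandboxed set to False is the genuine escape the post is worried about.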

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Fri Aug 31, 2007 10:20 am

What codec is the file? I can't seem to get it playing.

I'm using all the FFDShow codecs.

Guest

Post by Guest » Fri Aug 31, 2007 1:03 pm

Dear street011,

On my VMware'd Windows 2000 SP4 + WMP v9.0, I didn't install any codec pack, except the official "Codec Installation Package for Windows Media Player 7.1 and later" for Windows 2000 (http://www.microsoft.com/windows/window ... nload.aspx).

But I don't think this video plays real content if you don't install its License first. I think it's the classic video (913 kB) which wants to convince you to download a License, and then maybe install other executable(s) and/or subscribe you to other questionable sites (I say "maybe" because I didn't agree to install the Licence and pressed "Cancel" when WMP asked me if I wanted to).

When launched, after a few seconds the video should immediately ask you to install a License, as seen in my "videosnapshot2.jpg" image (in Italian it is "Acquisizione licenza"; I think in the English version of WMP it should say something like "Acquiring license"), but to my knowledge (or better, in my experience) the video doesn't play any multimedia content unless you install its License (which of course you shouldn't ;-) ).

Perhaps under Windows XP/Windows Vista and with WMP v10/v11 it behaves differently?
If I can be useful in giving further details, ask me freely.

Thank you again, :-)
Pinco Pallaccio

Pinco Pallaccio

Post by Pinco Pallaccio » Fri Aug 31, 2007 1:05 pm

Sorry, I forgot to put my name in the last post: it was me :-)

Pinco Pallaccio

Pinco Pallaccio

Post by Pinco Pallaccio » Fri Aug 31, 2007 1:48 pm

I did two other tests with the same file under WinXP (in my first tests I used Win2000), and the results are different. The configuration I used is the same, except for the operating system itself:

- Windows XP SP2 with no further updates installed
- Windows XP runs under VMWare 5.5.2 build-29772
- Windows Media Player v9.00.00.3250
- Built-in Administrator account
- Sandboxie 3.01

...and these are the results:

1) If you right-click the video file to let it run under Sandboxie's control ("Run Sandboxed"), it gives you an error message which I can translate into English as something like: "Windows Media Player isn't installed correctly. Please reinstall it".

2) If you double-click the video to let it run without Sandboxie, it runs and asks you to install the License etc.

So it seems that, for some reason, Sandboxie under Win2K and WinXP behaves differently, despite the software being the same (Sandboxie version, VMware version, and WMP is almost the same version build, v9.00.00.xxxx).

Under WinXP SP2 without further updates, Sandboxie prevents this file from running: I don't know if this is positive or negative, but the video won't run; under Win2K SP4 with all the updates, the phenomenon is the one described in my posts in this thread.

Maybe someone has the possibility/the will to test under Win2K?

Thanks to all,
Pinco Pallaccio

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Fri Aug 31, 2007 4:40 pm

Well, I just tried it on Vista, and this is what I get:

Image

Maybe it only works on 2000?

Guest

Post by Guest » Fri Aug 31, 2007 6:13 pm

Dear SnDPhoenix,

I think you're right: it seems it's a Windows 2000-only issue. I did the same test on a VMware'd WinXP SP2 (see my last post before yours) and the message is exactly the same. In my test under XP, if you run the file unsandboxed, it opens correctly; if you run it sandboxed, it reports the above-mentioned error.

To summarize, it seems that:

1) Under Win2K the sandboxed WMV file runs, but one window appears not to be sandboxed.
2) Under WinXP/WinVista the file cannot be opened, but only when run sandboxed.

In the second case, it seems more of a functional problem; maybe these types of files (the ones that require a digital license for DRM-protected content) create problems for Sandboxie when run sandboxed.

In the first case, if confirmed, it seems more of a security problem, given that the specific "IE window" started by WMP isn't sandboxed (since it's not enclosed between the two # signs, as seen in my images).

To clarify the alleged security issue, we need someone who can confirm/refute these results under Win2K.
Thanks a lot for your support, :-)
Pinco Pallaccio
