From: Dustin Cook on
ASCII <me2(a)privacy.net> wrote in news:4b3f0974.437593(a)EDCBIC:

> Dustin Cook wrote:
>>ASCII <me2(a)privacy.net> wrote in news:4b3e6e84.1479531(a)EDCBIC:
>>
>>> Dustin Cook wrote:
>>>>
>>>>You may want to be running one of the new betas of sandboxie;
>>>
>>> v3.43.09b
>>> is that recent enough to address your fugitive app?
>>
>>Nope. I got that beta as soon as tzuk released it. The file, IE.exe is
>>still able to escape the sandbox and remove itself from the real hard
>>drive.
>
> Lemme guess, it uses the quick recovery feature to escalate
> privileges?

Heh, no. And the new v.10 beta clears it up.
The sandboxie forum has all the glory details if you wish to view them.

>>> Other than a form of self-stealthing,
>>> what else can it do when it escapes,
>>> muck around with the system?
>>
>>No stealthing involved, simply it's demonstrating it's ability to make
>>changes outside of the sandbox environment; ie, deleting itself from a
>>forced folder.
>
> Deleting itself,
> regardless of whatever devilment it did,
> is a form of stealthing, no?

Hmm, that would be a new twist on me then. I don't consider files which
make an effort to self destruct a manner of stealth, no.

>>> IOW: How much payload cargo can it take with?
>>
>>As I believe this is just a proof of concept version, it doesn't
>>contain any payload; but it very well could use the same trickery to
>>delete other files present on the hard disk, besides itself.
>
> Would have to manipulate them into some forced folder first,
> and that's after assigning such a folder?

No. You run the sample, "sandbox" it; and it deletes itself from the real
hard disk; and if your using a stock version of sandboxie without the
wonderful .dll addons; you won't even get to see the present it leaves
behind. It manipulated sandboxie, but that as I said, has been corrected
with beta 10

> Curious could it drop one of the wipe appz like Eraserl or SDelete
> into the command line, or is it limited to RMDIR, which could be
> recovered? ..additionally, I'd guess this action still occurs within
> the VM, or can the actual program application be affected, especially
> it the path isn't the known common C:\Program Files\Sandboxie but had
> been altered?

RMDIR? RMDIR removes a folder; not a file. And no, it doesn't use that
command; and no, you can't quick recover anything. The action occurs on
the real hard disk, while your running it under the VM (sandboxie). Ie:
you right click the file, run it sandboxed; poof; the real file just
disappeared.

While I smoke another cig, why don't you get yourself an education on
things beyond, simple dos commands. Here's the thread which discusses in
nice geeky detail what went down, how and why...

http://www.sandboxie.com/phpbb/viewtopic.php?t=6982

Kudos to myself for reporting it in the first place. <G>




--
.... Those are my thoughts anyways...

From: Dustin Cook on
ASCII <me2(a)privacy.net> wrote in news:4b3f8723.2822843(a)EDCBIC:

> Dustin Cook wrote:
>>The file, IE.exe is
>>still able to escape the sandbox and remove itself from the real hard
>>drive.
>
> I went to the forum and browsed for any reference to IE.exe,
> but couldn't find anything, plus noticed that v3.43.10 has just replaced
> v3.43.09 in the past day, maybe addresses your POC?
>

http://www.sandboxie.com/phpbb/viewtopic.php?t=6982

And fyi, it isn't my POC; I didn't write it. It was delivered to me for
analysis as part of my job.


--
.... Those are my thoughts anyways...

From: Cronos on
PajaP wrote:

> I agree with you.
> See I just agreed with another troll. Though this time he is also a
> fuckwit.
> I am putting you in the killfile too as you are the one who started all
> the hostilities in the thread. Proving you are a fuckwit troll!!

Not a "fuckwit" troll, just a very good troll. I consider trolling an
art form and I am one of the best at it.
From: Dustin Cook on
ASCII <me2(a)privacy.net> wrote in news:4b3ff385.2691671(a)EDCBIC:

> Dustin Cook wrote:
>>
>>While I smoke another cig,
>
> Enjoy it, although I do give you the biz from time to time,
> it's a [your body - your business] affair to a liberal like myself.

I consider myself to be a liberal as well. Despite my past, which I
think? is the only thing you have against me; we probably would get
along.

> Every day I learn more,
> some days it seems I learn almost faster than I forget.

If you go a single day and don't learn something, your not breathing.
*grin*.

> I tried to follow as much as I could within my limited cyber
> education.

Shrug. Well, to sum it up; the file was able to rename itself and execute
the newly named copy; exploiting a now fixed vulnerability withen
sandboxie. This isn't your run of the mill malware sample, so I don't
want anyone to think the world was potentially coming to an end or
anything. :)

> Glad it's been addressed in the v3.43.10 as that's the one I have
> onboard. However,
> it doesn't sound like something trivial to accomplish
> even with the earlier versions.

Due to the security vulnerability in previous versions of Sandboxie, and
having been able to now write myself a test POC to see; I would have to
disagree. The manner in which sandboxie was being exploited was something
which I believe was overlooked; and I am glad it's been addressed in
beta10. Due to the relatively easy work required to write the code to
duplicate IE.exe's ability, I would seriously recommend all sandboxie
users upgrade to this version.

I have only seen 3 samples in a year actually do what this one did, and
if I hadn't preserved this one; I still wouldn't know about that issue,
and neither would tzuk. Which I feel is bad. :(

It's a neat trick, to sum it up; and I wouldn't have thought about trying
that myself. LoL.



--
.... Those are my thoughts anyways...

From: Dustin Cook on
ASCII <me2(a)privacy.net> wrote in news:4b40f64d.3403703(a)EDCBIC:

> Dustin Cook wrote:
>>
>>http://www.sandboxie.com/phpbb/viewtopic.php?t=6982
>>
>>And fyi, it isn't my POC; I didn't write it. It was delivered to me for
>>analysis as part of my job.
>
> But being the altruistic sort you've become these days,
> you sounded a clarion alarm for the benefit of the masses.

I felt it was something I should be doing. I'm a happy sandboxie user
myself, that was a serious problem I discovered, and I didn't feel safer
using sandboxie until it was fixed. IE: if this sample can do it, and now
that I'm able to write one that can as well; anybody! could do this, and do
alot of potential harm.

So yes, for the benefit of everyone, this had to come to light. Sandboxie
isn't just used to protect end users; Alot of people in my line of work
appreciate it's ability to allow study of malware and preserve things;
without the sometimes hassle of a full on VM or real test box.




--
.... Those are my thoughts anyways...