[News] 0-day discovered in Sandboxie

Status
Not open for further replies.

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
Maybe it was created by him?

IcY used to be a Black Hat, a very good one too, but he turned completely White Hat and is also developing security tools right now, so I doubt it was him. He was also so happy to have found a 0-day exploit and reported it straight to Sandboxie, who haven't come back to him yet. He even asked me what he should do with it. I told him to report the 0-day and make a video showing it to alert users on HF. He's a good guy. He also left Black Hat hacking months, if not a good year, ago.
 

Kent

Level 10
Verified
Well-known
Nov 4, 2013
468
Hey guys Aura here,

I was just wondering if you were aware that there's a 0-day in every version of Sandboxie right now. Has it been reported already or not? If not, I'll add more information to it. If it has, just close this thread please.

It's a 0-day that was discovered by one of my friends on HF. He reported it to Sandboxie but didn't get a reply for it yet. He made 2-3 videos showing it and even TeamViewed into one of my Windows 7 Professional SP1 64-bit VMs to show it to me, and it worked flawlessly.

What do you think?
Nooooooooooo :eek::eek::eek::eek::eek::eek::eek::eek: Many considered it sacred, and had a great faith in it :oops:
 

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
Nooooooooooo :eek::eek::eek::eek::eek::eek::eek::eek: Many considered it sacred, and had a great faith in it :oops:

I know.
But even straight from the start, I knew that Sandboxie would never be 100% secure. Hence, when I analyze malware samples, I analyze them in an isolated VM in which I use Sandboxie. Way more secure this way.
 

Deleted member 178

The question is: did the malware make some changes to the system AFTER the sandbox contents were deleted?

If not, Sbie works as it should.
 

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
The question is: did the malware make some changes to the system AFTER the sandbox contents were deleted?

If not, Sbie works as it should.

IcY successfully accessed my desktop and was able to run a .bat file that output a .txt file in random folders that weren't inside the Sandboxie environment.
 

Deleted member 178

IcY successfully accessed my desktop and was able to run a .bat file that output a .txt file in random folders that weren't inside the Sandboxie environment.

And was this .txt file still present after the sandbox was closed and its contents deleted?
 

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
And was this .txt file still present after the sandbox was closed and its contents deleted?

It was still present after the Sandbox was closed, yes. But I couldn't tell for the contents. Usually, I empty the Sandbox after every use but I don't remember in this case. I'll get IcY to re-do it, test that and come back to you after. I'll also ask him if he can modify something in the registry or delete a folder on my system like that too.
 

Deleted member 178

It was still present after the Sandbox was closed, yes. But I couldn't tell for the contents. Usually, I empty the Sandbox after every use but I don't remember in this case. I'll get IcY to re-do it, test that and come back to you after. I'll also ask him if he can modify something in the registry or delete a folder on my system like that too.

Yes, that will be more instructive. I remember running a ransomware in it (default settings); the malware was active and locked my Explorer, but after rebooting no changes were made on my system.
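The check the last two posts are asking for, written up as an added example (this is not code from the thread, from IcY, or from Sandboxie): hash every file under the host directories you care about before the sandboxed run, empty the sandbox, hash again, and diff. A file that was added, changed or removed between the two snapshots lives outside the sandbox and is exactly the residue the thread is debating. The directory layout, file names and "dropped" file in the demo are constructed sample data.

```python
"""Baseline-and-diff check for a sandbox containment test (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(roots):
    """Map every regular file under the given roots to its SHA-256 digest."""
    state = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file():
                state[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return the paths added, modified and removed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}


def residue_found(report):
    """True when anything outside the sandbox changed, i.e. containment failed."""
    return any(report.values())


if __name__ == "__main__":
    # Constructed stand-in for a host profile directory (not a real system path).
    with tempfile.TemporaryDirectory() as host:
        desktop = Path(host) / "Desktop"
        desktop.mkdir()
        (desktop / "notes.txt").write_text("original")
        before = snapshot([host])
        # Constructed residue: simulate a file that survives emptying the sandbox
        # and an existing file whose contents were altered.
        (desktop / "dropped.txt").write_text("sample residue")
        (desktop / "notes.txt").write_text("tampered")
        report = diff_snapshots(before, snapshot([host]))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind:9} {p}")
        print("residue found" if residue_found(report) else "host unchanged")
```

Run the first snapshot before starting the sandboxed session and the second only after the sandbox has been emptied, otherwise files still held inside the sandbox container directory will show up as changes.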
 

Malware1

Level 76
Sep 28, 2011
6,545
Hello-

We have reviewed the information you have provided and determined that the malware is not actually escaping the sandbox, but is displaying a native message box, which does not get closed when the sandbox is restored. The remainder of the malware attack was fully contained.

Thank you for the report.

Regards,
Sandboxie Support
support@sandboxie.com
Let's wait for the reply regarding the other bypass.
 

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
Let's wait for the reply regarding the other bypass.

Alright, I'll contact IcY for more in-depth tests so if you have anything else you want him to try, tell me and I'll tell him during the test session.
 

Deleted member 178

Why not ask him to put a RAT somewhere in the system, then try to reach it to disable Sandboxie and other AVs :D
 

Deleted member 178

Still waiting lol; by the way, from what I understand it is not a "0-day" that is mentioned but a "potential" vulnerability, so the thread title should be edited.
 

Aura

Level 20
Thread author
Verified
Jul 29, 2014
966
Still waiting lol; by the way, from what I understand it is not a "0-day" that is mentioned but a "potential" vulnerability, so the thread title should be edited.

I'm trying to get a hold of IcY but he hasn't been on a lot lately and I don't have his Skype, which I should ask him for at the same time.
And apparently, this exploit is done by exploiting a vulnerable Windows service from inside Sandboxie.
 