[News] 0 day discovered in Sandboxie

[Malware1]

Does anyone know any screen recorder that records UAC screen?

 

[Malware1]

Here's a video:

https://onedrive.live.com/redir?resid=B14B8601740A2DFA!459&authkey=!ANmpxrWHEPwVHsM&ithint=video,avi

The screen is black when the UAC alert appears.

 

[Aura]

Here's a video:

https://onedrive.live.com/redir?resid=B14B8601740A2DFA!459&authkey=!ANmpxrWHEPwVHsM&ithint=video,avi

The screen is black when the UAC alert appears.

I'll ask IcY if he can download your sample to decompile it and see if it uses the same bypass technique that he discovered.

 

[Malware1]

I'll ask IcY if he can download your sample to decompile it and see if it uses the same bypass technique that he discovered.

Maybe it was created by him?

 

[Aura]

Maybe it was created by him?

IcY used to be a Black Hat, a very good one too, but he turned completely White Hat and is also developping security tools right now, so I doubt it was him. He was also so happy to have found a 0-day exploit and reported it straight to Sandboxie, who didn't cameback to him yet. He even asked me what he should do with it. I told him to report the 0-day, make a video showing it to alert users on HF. He's a good guy. He also left Black Hat Hacking months, if not a good year ago.

 

[Kent]

Hey guys Aura here,

I was just wondering if you were aware that there's a 0-day in every version of Sandboxie right now. As it been reported it already or not ? If not, I'll add more information to it. If it is, just close this thread please.

It's a 0-day that have been discovered by one of my friend on HF. He reported it to Sandboxie but didn't get a reply for it yet. He made 2-3 videos showing it and even Teamviewed into one of my Windows 7 Professional SP1 64-bits VM to show me it and it worked flawlessly.

What do you think ?

Nooooooooooo Many considered it sacred,and had a great faith in it

 

[Aura]

Nooooooooooo Many considered it sacred,and had a great faith in it

I know.
But even straight from the start, I knew that Sandboxie would never be 100% secure. Hence when I analyze malware samples, I analyze them in an insolated VM in which I use Sandboxie. Way more secure this way.

 

[Deleted member 178]

The question is : does the malware did some changes in the system AFTER the sandbox contents is deleted?

If no, sbie works as it should

 

[Malware1]

The question is : does the malware did some changes in the system AFTER the sandbox contents is deleted?

If no, sbie works as it should

No. But it probably would be possible to do more than opening windows outside the sandbox.

 

[Deleted member 178]

No. But it probably would be possible to do more than opening windows outside the sandbox.

default setting: surely
custom setting: very hard to bypass it.

 

[Aura]

The question is : does the malware did some changes in the system AFTER the sandbox contents is deleted?

If no, sbie works as it should

IcY successfully accessed my desktop and was able to run a .bat file that did output a .txt file in random folders that weren't inside the Sandboxie environment.

 

[Deleted member 178]

IcY successfully accessed my desktop and was able to run a .bat file that did output a .txt file in random folders that weren't inside the Sandboxie environment.

and does this txt file was still present after the sandbox is closed and its content deleted?

 

[Aura]

and does this txt file was still present after the sandbox is closed and its content deleted?

It was still present after the Sandbox was closed yes. But I couldn't tell for the content. Usually, I empty the Sandbox after every use but I don't remember in this case. I'll get IcY to re-do it, test that and comeback to you after. I'll also ask him if he can modify something in the registry or delete a folder on my system like that too.

 

[Deleted member 178]

It was still present after the Sandbox was closed yes. But I couldn't tell for the content. Usually, I empty the Sandbox after every use but I don't remember in this case. I'll get IcY to re-do it, test that and comeback to you after. I'll also ask him if he can modify something in the registry or delete a folder on my system like that too.

yes that will be more instructive, i remember running a ransomware in it (default setting) , the malware was active and locked my explorer but after rebooting no changes were made on my system.

 

[Malware1]

Hello-

We have reviewed the information you have provided and determined that the malware is not actually escaping the sandbox, but is displaying a native message box, which does not get closed when the sandbox is restored. The remainder of the malware attack was fully contained.

Thank you for the report.

Regards,
Sandboxie Support
support@sandboxie.com

Let's wait for the reply regarding the other bypass.

 

[Aura]

Let's wait for the reply regarding the other bypass.

Alright, I'll contact IcY for more in-depth tests so if you have anything else you want him to try, tell me and I'll tell him during the test session.

 

[Deleted member 178]

why not asking him to put a RAT somewhere in the system then trying to reach it to disable sandboxie and other AVs

 

[Overkill]

Has it been confirmed that changes were made?

 

[Deleted member 178]

still waiting lol; by the way from what i understand it is not a "0-day" that it is mentioned but a "potential" vulnerability, so the thread title should be edited

 

[Aura]

still waiting lol; by the way from what i understand it is not a "0-day" that it is mentioned but a "potential" vulnerability, so the thread title should be edited

I'm trying to get a old of IcY but he's not been on a lot lately and I don't have his Skype, which I should ask him at the same time.
And apparently, this exploit is done by exploiting a vulnerable Windows service from inside Sandboxie.