PUA/PUP-Testfile can be execute inside Sandbox. Security hazard?

Status
Not open for further replies.

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
It is considered rude in many fora. I am still new here.

Anyway. I am currently not using Sandboxie to sandbox my chrome. I think there are unanswered security questions. (global)
 
  • Like
Reactions: AtlBo
D

Deleted member 178

It is considered rude in many fora. I am still new here.
Who cares of other forums. We are here. if this is rude for you, wait my answers the day you wrote nonsense stuff. ;)

Anyway. I am currently not using Sandboxie to sandbox my chrome. I think there are unanswered security questions. (global)
Browser sandboxes and sandbox apps aren't the same; browser sandboxes are limited to web pages. Sandbox apps does more in term of overall security.
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
  • Like
Reactions: AtlBo
D

Deleted member 178

2013 reports made by a concurrent (bromium) using default settings? things changed since, if i recall well a fix was made.
 
  • Like
Reactions: harlan4096

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
My points stand though.
EDIT: Well actually only if you don't change the settings. Ok. Yet it troubles me why this is even possible in the first place.

Someone in another thread said it could cause issues with chromes own anti-malware protection measures. Do you know anything about that?
Thanks for your answers :)
 
  • Like
Reactions: AtlBo

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Nul- I don't know if this will help, but I'll try- Two of the best virtualization routines available to the home User are Sandboxie and Comodo. Both are excellent and have withstood the test of time. The main difference is that Sandboxie is On-Demand )ie only the stuff that the user decides to be sandboxed will be sandboxed) whereas with Comodo (auto-sandbox), anything hat is not perceived as legitimate will be sandboxed WITHOUT ANY USER INTERVENTION.

Conclusions:

1). Both SBIE and CF sandboxes are top notch (especially as SBIE closed a hole I pointed out a year ago).
2). both have settings to stop sandboxed stuff from connecting out- absolutely ESSENTIAL to stop data stealers and assorted metasploit crap) .
3). Comodo will protect you from being an Airhead (like me), as it wil sandbox things automatically that you forget to do yourself because you are on the Phone with your Sister. With Sandboxie, if you forget to sandbox something and still run it you are (insert Word here that rhymes with Duct).
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
I am not sure that I can trust a program that hinders AV solutions to see malware running inside it. (See OP)

Then consider this: Malware on a page interchanges google-update.exe (Which I would have to add to executable programs list in order to use Chrome inside Sandboxie) with it self. Now it can run inside the Sandbox. Also no antivirus detects it because Sandbox.
Or what about Malware-pages running a false chrome.exe? It could run no problem, (Since no hashing of allowed processes or anything similar) yet no anti-virus solution is able to see it. Then it simply writes code to RAM and executes it to escape the sandbox.

I proved it's possible. With something as dumb as a TEST-FILE. I would consider this an EXTREME security flaw.
 
  • Like
Reactions: AtlBo
D

Deleted member 178

I am not sure that I can trust a program that hinders AV solutions to see malware running inside it. (See OP)
If you are skilled with sandboxie, you dont need an AV. AVs are obsolete in term of security, if they didn't have their HIPS or BB they would be useless.

Then consider this: Malware on a page interchanges google-update.exe (Which I would have to add to executable programs list in order to use Chrome inside Sandboxie) with it self. Now it can run inside the Sandbox. Also no antivirus detects it because Sandbox.
Or what about Malware-pages running a false chrome.exe? It could run no problem, (Since no hashing of allowed processes or anything similar) yet no anti-virus solution is able to see it. Then it simply writes code to RAM and executes it to escape the sandbox.
With sandboxie, you can block processes/programs to run in the sandbox in the first place; when my Chrome is sandboxed, it is the only program authorized to run in its sandbox; all other processes are blocked.
Please learn the software before bashing it.

I proved it's possible. With something as dumb as a TEST-FILE. I would consider this an EXTREME security flaw.
I can't take you as a serious tester when you don't know how the software works. And seriously? test-files...?
 

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
If you are skilled with sandboxie, you dont need an AV. AVs are obsolete in term of security, if they didn't have their HIPS or BB they would be useless.

With sandboxie, you can block processes/programs to run in the sandbox in the first place; when my Chrome is sandboxed, it is the only program authorized to run in its sandbox; all other processes are blocked.
Please learn the software before bashing it.

I can't take you as a serious tester when you don't know how the software works. And seriously? test-files...?
Please read again what I wrote: Any program with the name "chrome.exe" can run perfectly fine in a sandbox configured to only allow "chrome.exe". And it is irrelevant if it is a test-file or not. It could run perfectly fine inside it, but would get blocked if run outside.
You can't even add hashing in the allowed executable tab, let alone specifiy a path.

Try it yourself: Upload a executable on your website or somewhere where you can download it unpacked. It's name should be "chrome.exe" and it should be a safe-to-run malware. Then download it with Chrome inside the sandbox and click the file on the bottom of the browser window to start it.
It can run perfectly fine.
 
  • Like
Reactions: AtlBo
D

Deleted member 178

let me tell you once for all.

1- chrome is sandboxed.
2- i download your weaponized fake chrome.exe
3- the download folder is also sandboxed in a different sandbox, preventing ALL processes/programs to run , access network , access any drive including C:

so what now?

I guess you use sandboxie free; so no much clues about how it really works and how to make it a fortress.

Not saying i have some friends who loves sandboxie and tested it against tons of real 0-days malware, none were able to bypass sandboxie...i wish they could, they will get money from Invincea.
 
Last edited by a moderator:

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
Yes I use free edition. So I can only create one Sandbox. And that means the downloaded chrome.exe will run in the same sandbox.
I forgot to mention that. But I didn't knew it's behavior would be so different.
 
  • Like
Reactions: AtlBo
D

Deleted member 178

Yes I use free edition. So I can only create one Sandbox. And that means the downloaded chrome.exe will run in the same sandbox.
I forgot to mention that. But I didn't knew it's behavior would be so different.
In paid version, you can force apps and folders to be automatically isolated in separate sandboxes, then you apply the desired policies to those. It is a huge difference.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
NulFunction You can also try Cameyo(it works like Sandboxie but in a different way)or VMware ThinApp. both are great. I prefer Cameyo because it is free.
 
  • Like
Reactions: AtlBo

NulFunction

Level 2
Thread author
Verified
Jun 2, 2018
96
In paid version, you can force apps and folders to be automatically isolated in separate sandboxes, then you apply the desired policies to those. It is a huge difference.
And how does that work with Chrome? Chrome usually starts about 10 instances of chrome.exe. Does it mean you'll have this many sandboxes running? How is yet a another chrome.exe started by chrome a different case to all the other non-malicious chrome.exes?

Remember I said to launch the downloaded, malicious chrome.exe from chrome itself using the button that appears on the bottom. This way it gets called by chrome! Just like any other chrome.exe would do.
(If I would start the malicious chrome.exe by myself in its own sandbox, it would get detected by AV, but not if started from inside chrome browser.)
Did you test it?
Download that test-file i was talking about as "chrome.exe" and start it.

EDIT: Skip testing. I saw that even a downloaded "chrome.exe" can't be executed inside a "chrome.exe only" sandbox. Weird. How does it know that? It should show the path to the allowed application if it uses the path, imo.
Interestingly it does that even if I save it in the same folder as chrome. So it is using hashes?


I'm sorry I'm pestering you.
 
Last edited:
  • Like
Reactions: AtlBo
D

Deleted member 178

@NulFunction sandboxie has a lot of inner mechanisms and options. Just know that its purpose is to prevent isolated processes to modify what is outside, it does not matter if the malware run in it or not. Once the sandbox is closed, all changes and files in it are deleted.
 
Last edited by a moderator:
  • Like
Reactions: harlan4096
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top