SBIE and Pimp My uTorrent

Discussion in 'Sandboxie (Invincea)' started by shmu26, Jun 18, 2016.

  1. shmu26

    shmu26 Level 53

    There is an ethical java trick called Pimp My uTorrent; it is offered on GitHub:
    Pimp my uTorrent: An angular.js application that removes the ads in uTorrent with a single click
    Its purpose is to clean up the uTorrent GUI.
    I personally don't use uTorrent, but I wanted to test out Sandboxie's ability to protect the file system from exploits coming in through the browser.
    I opened Chrome in the sandbox, but opened uTorrent regular.
    Then I went to the Pimp My uTorrent site, and I was surprised and confused to see that it changed the settings in my uTorrent.
    What's up with this?
     
    harlan4096 likes this.
  2. Sandboxie Help

    Sandboxie Help From Sandboxie
    Developer

    Changed settings in the browser?
    Did you install / run the script? If so, where?
    If it's SBIE related, it's best to post this sort of stuff in the SBIE forum so Devs can question it.
     
  3. shmu26

    shmu26 Level 53

    I changed no settings in the browser, and I don't know what it means to install /
    All I did was click on the button on the web page I mentioned, and then I clicked OK on the Windows message box that popped up.
    I think my question is more about what a sandbox can and cannot do, rather than a specific SBIE issue.
     
  4. DardiM

    DardiM Level 26
    Trusted AV Tester

    #4 DardiM, Jun 18, 2016
    Last edited: Jun 19, 2016
    When you click on "Pimp My uTorrent", a connection is established with your uTorrent (after asking for redirection to an HTTP connection if you used HTTPS), and the two communicate.
    If you opened uTorrent "regular", settings can be changed this way by uTorrent itself, but initiated (see explanation below) by the click on "Pimp My uTorrent", even if Chrome is open in a sandbox, because it's the uTorrent Client that makes the modifications.
    Notice: the uTorrent Client has to be running when you click on "Pimp My uTorrent", or else no communications => no modifications :p

    Explanation:
    => To connect to your uTorrent Client, "Pimp my uTorrent" uses duckietorrent.torrent.js
    This is a small part of its description:
    *........
    * The Utorrent/Bittorrent clients listen on one of 20 ports on localhost to allow other apps to connect to them.
    * Discovery is done by performing a /version request to these ports until the first hit
    * After that, an authentication token is requested on the client (you need to save this somewhere, the demo does so in localStorage)
    * With the token you can get a session ID, and with the session ID you can start polling for data. Don't poll and the session will expire and you will need to fetch a new session ID with the token.*
    * Polling for data results in a tree structure of RPC functions and object data
    * The RPC structures are matched against regexes and the parameters are type-checked.
    * Passing the wrong data into a callback will crash uTorrent/BitTorrent violently (Which could be an attack angle for security researchers)
    *......

    "RPC is a kind of request–response protocol. An RPC is initiated by the client, which sends a request message to a known remote / local server to execute a specified procedure with supplied parameters."
    In your case, the client is "Pimp my uTorrent", the server is your "uTorrent" (to simplify).

    => duckietorrent.torrent.js can do it with your uTorrent, and modifications are made by your uTorrent Client itself, because it's one of its procedures that is called.

    Parameters used, found in controllers.js, which correspond to the values that your uTorrent will change:

    var pimpValues = {
        'gui.pro_installed': true,
        'offers.left_rail_offer_enabled': false,
        'offers.sponsored_torrent_offer_enabled': false,
        'show_bundles_tab': false,
        'offers.featured_content_badge_enabled': false,
        'gui.show_plus_upsell_nodes': false,
        'gui.show_gate_notify': false,
        'gui.show_plus_upsell': false,
        'gui.show_plus_av_upsell': false,
        'offers.content_offer_autoexec': false,
        'offers.featured_content_notifications_enabled': false,
        'offers.featured_content_rss_enabled': false
    };


    I have not investigated more; it's enough to answer your question, I think :)
    (02h54 am in my country, time to go to sleep)

    EDITED to be more understandable
     
    Andytay70 and harlan4096 like this.
  5. shmu26

    shmu26 Level 53

    #5 shmu26, Jun 18, 2016
    Last edited: Jun 18, 2016
    Thanks for the detailed answer.
    Please pardon my uneducated question: if this JavaScript can change my file system, even if the browser is sandboxed, what is to stop other exploits from changing my file system?
    And if exploits can change the file system, why run the browser in a sandbox?

    EDIT: it could be argued that sandboxing the browser protects against downloads. But that can be accomplished by an anti-exe.
     
    DardiM likes this.
  6. Umbra

    Umbra From Emsisoft
    Developer

    By default, Sandboxie doesn't stop exploits or malware; it just isolates them. To allow process/network blocking, you have to customize it. That is why Sandboxie should never be left at its default settings.
     
    DardiM likes this.
  7. shmu26

    shmu26 Level 53

    I have it set so that only Chrome processes have permission to run.
     
    DardiM and Umbra like this.
  8. DardiM

    DardiM Level 26
    Trusted AV Tester

    #8 DardiM, Jun 19, 2016
    Last edited: Jun 19, 2016
    (1) No, it's the uTorrent client which is made/programmed to accept localhost/remote connections from another process.
    So, only what the programmer of uTorrent has allowed can be changed in uTorrent, and no system files (or only if you gave all access to your uTorrent :eek:).

    (2) And if exploits can change file system, why run browser in sandbox?
    (3) This way, Chrome has permission to establish a connection (localhost/port) with your uTorrent Client (which must be running, otherwise nothing happens), using duckietorrent.torrent.js
    (4) It isn't the JavaScript used by "Pimp My uTorrent" that directly changes your uTorrent settings. It only connects to your uTorrent Client and calls a uTorrent procedure with valid parameters (see my first post to see parameters used). This way it is your uTorrent itself that changes some settings (to remove ads) - and none of your files that can't be accessed by normal use of uTorrent can be changed (unless you gave it all rights :rolleyes:).

    EDITED to be more understandable
     
    harlan4096 and shmu26 like this.
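
Added example, not part of any post in this thread and not uTorrent's, DuckieTorrent's or Sandboxie's code: the posts above explain that a web page in a sandboxed browser can still drive a client that listens on localhost, so the control has to live in the listener itself. The sketch below is one way such a listener could gate settings-changing RPC requests; the port, origin allowlist, token value, `x-rpc-token` header name and sample requests are all constructed assumptions.

```javascript
// Added example: request gate for a settings-changing RPC on a loopback listener.
// POLICY values and the x-rpc-token header name are hypothetical.
const POLICY = {
  port: 10000,
  allowedOrigins: ['http://127.0.0.1:10000'],
  token: 'constructed-pairing-token',
};

// Compare secrets without returning early on the first differing character.
function constantTimeEqual(a, b) {
  a = String(a); b = String(b);
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function checkRpcRequest(req, policy = POLICY) {
  const h = req.headers || {};
  // Host must name the loopback listener itself (blocks DNS-rebinding names).
  const hosts = [`127.0.0.1:${policy.port}`, `localhost:${policy.port}`];
  if (!hosts.includes(String(h.host || '').toLowerCase())) return 'bad-host';
  // Only POST may change state; browsers attach Origin to cross-origin POSTs.
  if (req.method !== 'POST') return 'bad-method';
  // A browser page from any other site is refused, sandboxed browser or not.
  if (h.origin !== undefined && !policy.allowedOrigins.includes(h.origin)) return 'foreign-origin';
  if (!constantTimeEqual(policy.token, h['x-rpc-token'] || '')) return 'bad-token';
  return 'ok';
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  webPageWithToken: { method: 'POST', headers: { host: '127.0.0.1:10000',
    origin: 'http://web-app.example', 'x-rpc-token': 'constructed-pairing-token' } },
  rebindingHost: { method: 'POST', headers: { host: 'rebind.example:10000',
    'x-rpc-token': 'constructed-pairing-token' } },
  getRequest: { method: 'GET', headers: { host: 'localhost:10000' } },
  localToolNoToken: { method: 'POST', headers: { host: 'localhost:10000' } },
  localToolPaired: { method: 'POST', headers: { host: 'localhost:10000',
    'x-rpc-token': 'constructed-pairing-token' } },
};

function classifySamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = checkRpcRequest(req);
  return out;
}

console.log(classifySamples());
```

Under this policy a valid token alone is not enough for a request that carries a foreign Origin, which is the case the thread describes: a web page reaching the local client through the browser.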
  9. shmu26

    shmu26 Level 53

    Hey, thanks a lot. That clears up a lot of things.
     
    DardiM likes this.
  10. DardiM

    DardiM Level 26
    Trusted AV Tester

    I have edited my previous posts to be more understandable
    (I need to improve my English :()
     
  11. shmu26

    shmu26 Level 53

    I understand all of it
     
    DardiM likes this.
  12. Andytay70

    Andytay70 Level 13

    Your English is fine, my friend!
     
    DardiM likes this.