Microsoft Security Essentials
in [Spyware]
|
From: Dustin Cook on 2 Jan 2010 16:32 ASCII <me2(a)privacy.net> wrote in news:4b3f0974.437593(a)EDCBIC: > Dustin Cook wrote: >>ASCII <me2(a)privacy.net> wrote in news:4b3e6e84.1479531(a)EDCBIC: >> >>> Dustin Cook wrote: >>>> >>>>You may want to be running one of the new betas of sandboxie; >>> >>> v3.43.09b >>> is that recent enough to address your fugitive app? >> >>Nope. I got that beta as soon as tzuk released it. The file, IE.exe is >>still able to escape the sandbox and remove itself from the real hard >>drive. > > Lemme guess, it uses the quick recovery feature to escalate > privileges? Heh, no. And the new v.10 beta clears it up. The sandboxie forum has all the glory details if you wish to view them. >>> Other than a form of self-stealthing, >>> what else can it do when it escapes, >>> muck around with the system? >> >>No stealthing involved, simply it's demonstrating it's ability to make >>changes outside of the sandbox environment; ie, deleting itself from a >>forced folder. > > Deleting itself, > regardless of whatever devilment it did, > is a form of stealthing, no? Hmm, that would be a new twist on me then. I don't consider files which make an effort to self destruct a manner of stealth, no. >>> IOW: How much payload cargo can it take with? >> >>As I believe this is just a proof of concept version, it doesn't >>contain any payload; but it very well could use the same trickery to >>delete other files present on the hard disk, besides itself. > > Would have to manipulate them into some forced folder first, > and that's after assigning such a folder? No. You run the sample, "sandbox" it; and it deletes itself from the real hard disk; and if your using a stock version of sandboxie without the wonderful .dll addons; you won't even get to see the present it leaves behind. It manipulated sandboxie, but that as I said, has been corrected with beta 10 > Curious could it drop one of the wipe appz like Eraserl or SDelete > into the command line, or is it limited to RMDIR, which could be > recovered? ..additionally, I'd guess this action still occurs within > the VM, or can the actual program application be affected, especially > it the path isn't the known common C:\Program Files\Sandboxie but had > been altered? RMDIR? RMDIR removes a folder; not a file. And no, it doesn't use that command; and no, you can't quick recover anything. The action occurs on the real hard disk, while your running it under the VM (sandboxie). Ie: you right click the file, run it sandboxed; poof; the real file just disappeared. While I smoke another cig, why don't you get yourself an education on things beyond, simple dos commands. Here's the thread which discusses in nice geeky detail what went down, how and why... http://www.sandboxie.com/phpbb/viewtopic.php?t=6982 Kudos to myself for reporting it in the first place. <G> -- .... Those are my thoughts anyways...
From: Dustin Cook on 2 Jan 2010 16:32 ASCII <me2(a)privacy.net> wrote in news:4b3f8723.2822843(a)EDCBIC: > Dustin Cook wrote: >>The file, IE.exe is >>still able to escape the sandbox and remove itself from the real hard >>drive. > > I went to the forum and browsed for any reference to IE.exe, > but couldn't find anything, plus noticed that v3.43.10 has just replaced > v3.43.09 in the past day, maybe addresses your POC? > http://www.sandboxie.com/phpbb/viewtopic.php?t=6982 And fyi, it isn't my POC; I didn't write it. It was delivered to me for analysis as part of my job. -- .... Those are my thoughts anyways...
From: Cronos on 2 Jan 2010 21:10 PajaP wrote: > I agree with you. > See I just agreed with another troll. Though this time he is also a > fuckwit. > I am putting you in the killfile too as you are the one who started all > the hostilities in the thread. Proving you are a fuckwit troll!! Not a "fuckwit" troll, just a very good troll. I consider trolling an art form and I am one of the best at it.
From: Dustin Cook on 2 Jan 2010 21:35 ASCII <me2(a)privacy.net> wrote in news:4b3ff385.2691671(a)EDCBIC: > Dustin Cook wrote: >> >>While I smoke another cig, > > Enjoy it, although I do give you the biz from time to time, > it's a [your body - your business] affair to a liberal like myself. I consider myself to be a liberal as well. Despite my past, which I think? is the only thing you have against me; we probably would get along. > Every day I learn more, > some days it seems I learn almost faster than I forget. If you go a single day and don't learn something, your not breathing. *grin*. > I tried to follow as much as I could within my limited cyber > education. Shrug. Well, to sum it up; the file was able to rename itself and execute the newly named copy; exploiting a now fixed vulnerability withen sandboxie. This isn't your run of the mill malware sample, so I don't want anyone to think the world was potentially coming to an end or anything. :) > Glad it's been addressed in the v3.43.10 as that's the one I have > onboard. However, > it doesn't sound like something trivial to accomplish > even with the earlier versions. Due to the security vulnerability in previous versions of Sandboxie, and having been able to now write myself a test POC to see; I would have to disagree. The manner in which sandboxie was being exploited was something which I believe was overlooked; and I am glad it's been addressed in beta10. Due to the relatively easy work required to write the code to duplicate IE.exe's ability, I would seriously recommend all sandboxie users upgrade to this version. I have only seen 3 samples in a year actually do what this one did, and if I hadn't preserved this one; I still wouldn't know about that issue, and neither would tzuk. Which I feel is bad. :( It's a neat trick, to sum it up; and I wouldn't have thought about trying that myself. LoL. -- .... Those are my thoughts anyways...
From: Dustin Cook on 2 Jan 2010 21:36
ASCII <me2(a)privacy.net> wrote in news:4b40f64d.3403703(a)EDCBIC: > Dustin Cook wrote: >> >>http://www.sandboxie.com/phpbb/viewtopic.php?t=6982 >> >>And fyi, it isn't my POC; I didn't write it. It was delivered to me for >>analysis as part of my job. > > But being the altruistic sort you've become these days, > you sounded a clarion alarm for the benefit of the masses. I felt it was something I should be doing. I'm a happy sandboxie user myself, that was a serious problem I discovered, and I didn't feel safer using sandboxie until it was fixed. IE: if this sample can do it, and now that I'm able to write one that can as well; anybody! could do this, and do alot of potential harm. So yes, for the benefit of everyone, this had to come to light. Sandboxie isn't just used to protect end users; Alot of people in my line of work appreciate it's ability to allow study of malware and preserve things; without the sometimes hassle of a full on VM or real test box. -- .... Those are my thoughts anyways... |