Possible Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Mar 14, 2013.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, you want the PoC as an exe... Tzuk already has it. Maybe you, as a paid user (o_O) could kindly ask for it, so that you can be sure all he said is accurate, but then again, how can you be sure that the "PoC as an exe" wasn't recoded not to reflect the actual events? No way to be sure, unless one compiles the source code. I'd do it, if I could. Until then, we have to wait for a closure on this.

I'm the kind of person that never takes sides. I'm a paid user, who unfortunately cannot verify this on his own (I cannot recompile the code and run it on a spare machine)... I paid for a product. Someone provided the code that he states bypasses Sandboxie (version 4 as well, because version 3 is bypassed).

Should I blindly take the word of Sandboxie's author? He's trying to sell his fish. He ended up admitting that version 3 is vulnerable, but this version is about to see the end of the light, so as a user I could also see this whole story as a way for him to try to sell his new fish (by claiming it won't work on version 4).

If no one's willing to recompile the code and test it, maybe there could be a way to have a live session on Tzuk's side (who claims there's no bypass) showing him recompiling, etc., and then testing it? (What better alternative? o_O)
     
  2. chris1341

    chris1341 Guest

    The vast majority of us don't have the skills to compile the POC. Neither do we have the ability to test every aspect of the software we use. There has to be some trust involved.

    Trust is something that is earned. It rarely applies to people you don't know who have not proven reliability to you.

    If I didn't trust a supplier, especially a sole-trader like Tzuk, I would not use their products. You may try them because they have built up a reputation for reliability and if they work for you, you develop trust over time.

Tzuk has earned my trust over the years because of his honesty and willingness to address issues with his product. I believe him when he says this does not affect version 4. Why? Because he's proved over the years he can be trusted.

    The risks to his reputation and the trust his customers put in him is too great to risk with something as silly as this.

You also have to ask what happens if he has to prove to the nth degree every single claim someone makes against his product. No development and a hacked-off developer unwilling to continue, I would guess.
     
    Last edited by a moderator: Mar 20, 2013
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Tzuk, or any developer, should never take the risk of providing anything that is malware, either POC or live. Since the person making the allegation suggested we test it for ourselves, it is up to him/her to provide it, not the developer to whom he gave it.

    Tzuk said there was no problem with 4 so that's the end for me.
     
  4. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Hi Sully, Hungry Man was referring to me. I should also have quoted him the way you did at post 37.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
If it's not on my system or breaking out of the sandbox on my system, then the POC doesn't exist. IMO it's like the invisible man.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,913
    Location:
    Outer space
  7. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,913
    Location:
    Outer space
  10. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
Hello. This exploit about the TrueType font vulnerability is not a new trick, as it can bypass any security program via kernel mode.
The Duqu malware exploits the weak T2embed.dll.
I don't know if the latest Sandboxie can stop this exploit, but there is a temporary workaround here: open Sandboxie, Resource Access > File Access > Blocked Access and add c:\windows\system32\t2embed.dll
Sandboxie will then block the TrueType font engine t2embed.dll.

Also posted here in the past: https://www.wilderssecurity.com/showthread.php?t=310195&page=4&highlight=sandboxie true type
     
    Last edited: Mar 20, 2013
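The GUI setting described in the post above, written out as a Sandboxie.ini fragment. This is an added example, not configuration posted in the thread or shipped by Sandboxie; it assumes the default sandbox name "DefaultBox", a standard C:\Windows install path, and that the 64-bit build also keeps a 32-bit copy of the DLL under SysWOW64 (all three are assumptions to adjust for your own system).

```ini
; Added example (not from the thread): Sandboxie.ini equivalent of
; Sandbox Settings > Resource Access > File Access > Blocked Access.
; ClosedFilePath denies the sandboxed program all access to the path,
; so it can no longer load the DLL at all.
[DefaultBox]
ClosedFilePath=C:\Windows\System32\t2embed.dll
; Assumption: on 64-bit Windows a 32-bit sandboxed program is redirected
; to the SysWOW64 copy, so block that one as well.
ClosedFilePath=C:\Windows\SysWOW64\t2embed.dll
```

Edit the file while Sandboxie Control is closed, then reload it from the Sandboxie Control "File > Reload Configuration" entry (or restart Sandboxie) so the new entries apply. As the later posts in this thread point out, this only closes the one file path used by the font-embedding exploit being discussed; a kernel vulnerability reached through some other component is not affected by it, and programs that legitimately load embedded fonts through that DLL will lose that ability inside the sandbox.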
  11. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,913
    Location:
    Outer space
    @stvs
    good tip :)

Yes, but later there was another one as well (which was also fixed), so there may be more in the future. With stvs's tip Sandboxie users can block access to t2embed.dll to prevent kernel exploits if they use vulnerabilities in fonts, but keep in mind that it won't protect against other kernel exploits. Not sure if there is any solution that can, though you could use software like EMET and ZVL ExploitShield to reduce the chances of successful exploiting.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    ExploitShield will do literally nothing to prevent kernel exploits. Same with EMET.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,913
    Location:
    Outer space
    okay, good to know :D
     
  15. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Thanks Hungry Man for the info. My apologies for sounding rude earlier. Glad that you are still willing to input and update.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Don't worry about it.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What about AppGuard?
     