it looks like a huge sandbox hole

Hi,

I found this video on Vimeo: “Comodo CIS 6 test - sandbox fail”.
It shows a short test of Comodo CIS 6.0.264710.2708 in action.
It looks like a huge sandbox hole and I hope this is a disgusting joke.


UPDATE INFO March 09, 2013, 10:41:47 AM:
After my tests I confirm this critical security vulnerability in the CIS sandbox (in both cases: contextual menu “Run in COMODO Sandbox” and in Virtual Kiosk).

Best wishes,
bazolo

access to the real system… for me it looks like a hole too … :frowning:

As there is not yet enough information to create a bug report for this I will move it to the News / Announcements / Feedback - CIS section of the forum.

However, please note that if anyone is able to re-create this on their own system I do believe that it’s certainly worthy of a bug report.

Thank you.

Can’t view it since it’s a private video?! ???

What level of restriction did they use in BB and what are the general settings in CIS? What system did they use? Was HIPS disabled? Did the system get infected?

  1. It is not important.

The user right clicked on the patcher (or cracker) and chose “run in COMODO Sandbox”.

Then the patcher successfully modified the .exe file outside the sandbox.

  2. Win7 64bit

  3. It is not important.

  4. yes

That is what I saw too, and that is a hole.

Thanks. But surely HIPS would react to this exe modification. Also, restriction level does matter unless you can prove otherwise. And I’m not even talking about other settings; they are important since it’s 64-Bit. Can someone send this info to Egemen? So he can confirm or dismiss this bypass.

Whether the HIPS is on or not is totally irrelevant. The sandbox should be isolated from the rest of the system and it clearly isn’t the case.
Maybe this is a one-off case but it should be looked into.

I get this point. But ‘partially limited’ might leak while with ‘untrusted’ it might react differently. We don’t know. And since it’s 64-Bit the protection is a bit more complicated. Can someone also contact this person and get the sample?

Yes, but in this case he right-clicked the file and sandboxed it, and as far as I know, and as the mods told us, that is the manual sandbox and so it is the fully virtualized sandbox and not the partially limited one. So normally this file could not have access to the real system… or is there any change now and it is not the fully virtualized sandbox anymore?

:wink: with your words: “are you uneducated right now?” :slight_smile: … it was an access to real system and that should not happen with a fully virtualized sandbox!

Btw, this video is private now. Has anyone downloaded it before, or does anyone still have access to it with a password?

My mistake, I was thinking about something else. That’s why ‘fully virtual’ is experimental. And those are not my words.

Using the BB set to Fully Virtualized is experimental. However, right-clicking on a file and telling it to run in the sandbox is not. Therefore, if someone can replicate this by sandboxing a patching program and being able to patch an application sitting on the real computer this would definitely be worthy of reporting.

Anyone got samples? Or at least a copy of the video?
Edit: is this accessible if I create an account?

An auto sandbox with “untrusted” might react like a block to many things.
At this point you are better off with just a HIPS then.
At this point auto sandboxing is not user-friendly. Having something put into an environment where it cannot run, and then you have to manage “extra” ways.

That’s why I would always recommend using HIPS, and using real sandboxes to sandbox things.

You cannot introduce something for user-friendliness (auto allow), and if it fails security, you cannot say: “But with untrusted it could not infect.”

Better show how to answer the least amount of questions. That’s safe. That’s user-friendly.
And introduce a real on-demand fully virtual sandbox.

You have to wait until someone makes a video about a problem.
And then you have to patch like an old antivirus.
But it’s just one “published” problem.
That’s why I don’t like auto sandbox.
A bit of user-friendliness, a lot of questions.

I contacted the author. He said he has limited access to his vimeo account for unknown reasons. He promised to send me the video and additional information.

I’m very happy to hear that. Hopefully then we can get enough information to understand the leak so that Comodo devs can fix it. Note that this would probably also mean we would need to know the exact software he was using.

Do you think he’ll be able to provide us with this software?

Here is something interesting… If you download, let’s say, cispremiuminstaller.exe from a non-sandboxed browser,
it will go to your downloads folder under your profile: c:\users\crusader\downloads, let’s say.
Then try and download the same file in sandboxed Chrome… it will download the file and name it cispremiuminstaller(1).exe and it will appear to be saved in c:\users\crusader\downloads
from the sandboxed browser, but it is not. It is actually saved in C:\VTRoot\HarddiskVolume2\Users\Crusaders\Downloads
and its filename is cispremiuminstaller(1).exe, but there is no other file in the directory called cispremiuminstaller.exe. Just the cispremiuminstaller(1).exe is in there.

Probably sandboxed applications don’t know that and they do indeed see cispremiuminstaller.exe and hence append the “(1)” because they think they are saving it to the folder where the other installer is. However, since it is sandboxed it is saved to VTRoot (though the program doesn’t know this). Expected behavior, I’d say.
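
The redirection described in the two posts above can be checked instead of assumed, which is also what a reproducible bug report for this thread would need. As an added example (not part of the original thread and not Comodo's code), this Python script maps a real path to its expected copy under VTRoot and classifies the outcome of a sandboxed run by comparing the real file against a hash taken beforehand. The VTRoot layout and the `HarddiskVolume2` name are assumptions inferred from the single path quoted above, and all function names are hypothetical.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# Assumptions: the VTRoot layout is inferred from the single path quoted in
# the thread; the volume name differs per machine.
VTROOT = r"C:\VTRoot"
VOLUME = "HarddiskVolume2"


def shadow_path(real_path, vtroot=VTROOT, volume=VOLUME):
    """Return where a sandboxed write to real_path should land under VTRoot."""
    p = PureWindowsPath(real_path)
    if not p.drive or not p.root:
        raise ValueError(f"need an absolute drive path, got {real_path!r}")
    return PureWindowsPath(vtroot, volume, *p.parts[1:])  # drop the 'C:\' anchor


def file_sha256(path):
    """SHA-256 of a file, or None if it does not exist."""
    path = Path(path)
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(baseline, real_file, shadow_file):
    """Compare the real file with the hash taken before the sandboxed run.
    'leaked'     - the real file changed: the write escaped the sandbox
    'redirected' - real file untouched, a copy exists under VTRoot
    'no-write'   - real file untouched, nothing under VTRoot either
    """
    if file_sha256(real_file) != baseline:
        return "leaked"
    if file_sha256(shadow_file) is not None:
        return "redirected"
    return "no-write"


if __name__ == "__main__":
    target = r"C:\Users\crusader\Downloads\cispremiuminstaller(1).exe"
    shadow = shadow_path(target)
    print("expected sandbox copy:", shadow)
    baseline = file_sha256(target)              # 1. hash before the sandboxed run
    input("Run the program in the sandbox, then press Enter... ")
    print(classify(baseline, target, shadow))   # 2. compare afterwards
```

A result of `leaked` for a file that a sandboxed program was asked to modify is the behavior the video is said to show; `redirected` is the expected behavior described in the post above.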

Thanks :-TU

You get one question with the Behavior Blocker/ auto sandbox. You just say do not restrict again and rerun the file. With HIPS you might get 3 or 4 questions for the same application that go into details that may be very confusing for the average user. Therefore, it is HIPS that is beyond a doubt less user-friendly.