Date: Fri, 20 Jan 2012 07:47:03 +1100
From: xD 0x41 <secn3t@...il.com>
To: Juergen Schmidt <ju@...de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Avast Antivirus

Here is your post taken from the forum, it was not really taken to
well....but, nomatter, im just stating the facts as i see them, and
hope you  understand this, but, i also giving you the chance to please
try a real sandboxie, then load some bot.exe into it, and watch what
it does... would maybe explain abit better what a sandbox is about.

[..]
Then I just wondered: What is that SafeZone and how does it work?
I opened Process Explorer and noticed, that the processes run under
the same user account o.O
I tried some simple dll-injection into the browser and the first
attempt worked. This really made me laugh.  <--- this is standard for
a sandbox, try SandBoxie,it is abit neater for a sandbox, and maybe
what your after
When I tried to save some screenshots I noticed that the file is
created but empty afterwards, when I place it on the system drive. But
saving to another drive was no problem at all.
Could you please tell me what this feature is supposed to prevent?

Re: Safezone vs DllInjection
>>From what I read and already used, SAFEZONE BROWSER is a Google
browser without toolbars that can access your info. Nothing else.
Nothing goes from out into but you can go from in to out,so that's why
they call it safezone. What's a dll injection and how do you do it?


Yes, dude they wont bother todo anything because thats actually what
you 'can' do in the safezone, is inject a dll, and then yes, it should
showup virtually tho, not actually running on your main box right...
coz, it is injection INTO the sandbox....when you use say, SandBoxie
for example, you would load the app up and, simply right-click on any
file and open within sandboxie, then, you can watch it drop and dump a
million exes, thats exactly what it is supposed to be doing, is not
letting this oout.
now, if your saying you injected, into the AV dll itself, wich, i see
nothing here of, then there would be a vuln, wich would eed attending,
but, your injecting into this safezone, wich is, what nearly every AV
nowdays comes with,simply a processkiller/sandbox,  so in some cases,
it can be of use to you in making sure your safe,...
anyhow, seems like, normal functioning sandbox to me, you should have
this powers to inject anything into it, and, then trace that ll you
injected.
Cheers dude..hope you have a good time playing with sandbox, dirtying
them is definately fun :)
drew



On 19 January 2012 22:04, Juergen Schmidt <ju@...de> wrote:
> On Tue, 17 Jan 2012, Floste wrote:
>
>> Hello,
>>
>> Avast Antivirus also comes with sandbox and a "SafeZone". But both can
>> be circumvented using simple dll-injection and they seem to do nothing
>> about it: http://forum.avast.com/index.php?topic=82291.0
>>
>> Maybe this post here will encourage them to fix it.
>
> In my understanding a sandbox is not supposed to prevent you from getting
> in from the outside but from escaping from the inside. So if a sandboxed
> process injects a DLL in say a running IE process outside -- then we are
> talking about vulns
>
>
> bye, ju
>
>
>
> --
> Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
> Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 ,   D-30625 Hannover
> Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@...sec.de
> GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists