lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Jan 2012 07:47:03 +1100 From: xD 0x41 <secn3t@...il.com> To: Juergen Schmidt <ju@...de> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Avast Antivirus Here is your post taken from the forum, it was not really taken to well....but, nomatter, im just stating the facts as i see them, and hope you understand this, but, i also giving you the chance to please try a real sandboxie, then load some bot.exe into it, and watch what it does... would maybe explain abit better what a sandbox is about. [..] Then I just wondered: What is that SafeZone and how does it work? I opened Process Explorer and noticed, that the processes run under the same user account o.O I tried some simple dll-injection into the browser and the first attempt worked. This really made me laugh. <--- this is standard for a sandbox, try SandBoxie,it is abit neater for a sandbox, and maybe what your after When I tried to save some screenshots I noticed that the file is created but empty afterwards, when I place it on the system drive. But saving to another drive was no problem at all. Could you please tell me what this feature is supposed to prevent? Re: Safezone vs DllInjection >>From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info. Nothing else. Nothing goes from out into but you can go from in to out,so that's why they call it safezone. What's a dll injection and how do you do it? Yes, dude they wont bother todo anything because thats actually what you 'can' do in the safezone, is inject a dll, and then yes, it should showup virtually tho, not actually running on your main box right... coz, it is injection INTO the sandbox....when you use say, SandBoxie for example, you would load the app up and, simply right-click on any file and open within sandboxie, then, you can watch it drop and dump a million exes, thats exactly what it is supposed to be doing, is not letting this oout. now, if your saying you injected, into the AV dll itself, wich, i see nothing here of, then there would be a vuln, wich would eed attending, but, your injecting into this safezone, wich is, what nearly every AV nowdays comes with,simply a processkiller/sandbox, so in some cases, it can be of use to you in making sure your safe,... anyhow, seems like, normal functioning sandbox to me, you should have this powers to inject anything into it, and, then trace that ll you injected. Cheers dude..hope you have a good time playing with sandbox, dirtying them is definately fun :) drew On 19 January 2012 22:04, Juergen Schmidt <ju@...de> wrote: > On Tue, 17 Jan 2012, Floste wrote: > >> Hello, >> >> Avast Antivirus also comes with sandbox and a "SafeZone". But both can >> be circumvented using simple dll-injection and they seem to do nothing >> about it: http://forum.avast.com/index.php?topic=82291.0 >> >> Maybe this post here will encourage them to fix it. > > In my understanding a sandbox is not supposed to prevent you from getting > in from the outside but from escaping from the inside. So if a sandboxed > process injects a DLL in say a running IE process outside -- then we are > talking about vulns > > > bye, ju > > > > -- > Juergen Schmidt Chefredakteur heise Security www.heisec.de > Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 , D-30625 Hannover > Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@...sec.de > GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists