sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Looping through all PIDs and using OpenProcess can get process handles for other sandboxes #2587

Closed LYingSiMon closed 1 year ago

LYingSiMon commented 1 year ago

Describe what you noticed and did

Test code:

#include <windows.h>
#include <psapi.h>           // GetModuleFileNameExW
#include <spdlog/spdlog.h>

// SELF_PROCNAME_W is the test's own image name, defined elsewhere in the test project.

void Enum_OpenProcess()
{
    INT ProcCount = 0;
    HANDLE hProcess = NULL;
    WCHAR FilePath[MAX_PATH] = { 0 };

    // PIDs are multiples of 4; probe each one asking for full access.
    for (UINT i = 0; i < 100000; i += 4) 
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, i);
        if (NULL != hProcess)
        {
            // Clear the whole WCHAR buffer (MAX_PATH bytes would only clear half of it).
            memset(FilePath, 0, sizeof(FilePath));
            GetModuleFileNameExW(hProcess, 0, FilePath, MAX_PATH);
            // Count every reachable process whose image path contains our own name.
            if (wcsstr(FilePath, SELF_PROCNAME_W) != 0)
            {
                ProcCount++;
            }
            CloseHandle(hProcess);   // do not leak one handle per iteration
        }
    }

    // Only this process should match; more than one means other boxes are visible.
    if (ProcCount > 1)
    {
        spdlog::error("[{}] ProcCount:{} ", __FUNCTION__, ProcCount);
    }
    else
    {
        spdlog::info("[{}] ProcCount:{} ", __FUNCTION__, ProcCount);
    }
}

screenshot: image

Normally, I don't think processes in box2 should be able to get process handles in box1 or outside the sandbox, but now they can.

How often did you encounter it so far?

Every time

Affected program

Each program

Download link

null

Where is the program located?

Not relevant to my request.

Expected behavior

ProcCount is always 1

What is your Windows edition and version?

1909

In which Windows account you have this problem?

Not relevant to my request.

Please mention any installed security software

null

What version of Sandboxie are you running?

1.6.3

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

no

In which sandbox type you have this problem?

all types box

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

no

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#02f6f6,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=9
AutoRecover=y
UseSecurityMode=n
UsePrivacyMode=n

DavidXanatos commented 1 year ago

Hello, you can inspect the permissions granted using a tool like TaskExplorer, SystemInformer, or ProcessExplorer. As you can then see, the access to processes in other boxes or outside the sandbox is reduced from PROCESS_ALL_ACCESS to only a subset of read-only permissions; see the source here: https://github.com/sandboxie-plus/Sandboxie/blob/1fc9d1c716c1ae0faaa8a0285db1b1f0ff8874d1/Sandboxie/core/dll/secure.c#L588

The code was added before my time, so I don't know the exact reason for this behavior, but likely this was done to facilitate better compatibility in scenarios where more rights are requested than needed and the call would succeed normally. As any process with bad intentions could, after failing to get PROCESS_ALL_ACCESS, just retry with SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION anyway and get the same result, this does not pose a security risk. But it's not expected Windows behavior, so perhaps a compatibility option should be added here to enable/disable this behavior.
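The TaskExplorer check suggested above can also be done from code: ask for PROCESS_ALL_ACCESS, then read back what the returned handle was actually granted and classify the bits. This is an added example, not Sandboxie's or the reporter's code. The access-mask classifier is portable C; the Windows-only part (under _WIN32) resolves NtQueryObject from ntdll at run time and reads GrantedAccess from the handle's PUBLIC_OBJECT_BASIC_INFORMATION. The functions probe_granted_access, write_rights, is_read_only, stripped_rights and describe_mask are this example's own names, and the split between "modifying" and "read-only" rights is the example's classification, not a list taken from Sandboxie's secure.c.

```c
/*
 * Added example (not Sandboxie's code): report which process access rights a
 * handle really carries, so a reduction from PROCESS_ALL_ACCESS to a read-only
 * subset is visible in code rather than only in TaskExplorer.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Process access-right values from winnt.h, reproduced so the mask
 * classifier also builds and runs on non-Windows hosts. */
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_CREATE_PROCESS            0x0080
#define PROCESS_SET_QUOTA                 0x0100
#define PROCESS_SET_INFORMATION           0x0200
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_SUSPEND_RESUME            0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#define DELETE                            0x00010000
#define READ_CONTROL                      0x00020000
#define WRITE_DAC                         0x00040000
#define WRITE_OWNER                       0x00080000
#define SYNCHRONIZE                       0x00100000
#define PROCESS_ALL_ACCESS                0x001FFFFF
#endif

/* Rights that let the holder change the target process (this example's own
 * classification). VM_READ, the QUERY_* rights, READ_CONTROL and SYNCHRONIZE
 * only observe it and count as read-only here. */
#define PROCESS_MODIFY_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
    PROCESS_CREATE_PROCESS | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION | \
    PROCESS_SUSPEND_RESUME | DELETE | WRITE_DAC | WRITE_OWNER)

static const struct { uint32_t bit; const char *name; } RIGHT_NAMES[] = {
    { PROCESS_TERMINATE, "TERMINATE" }, { PROCESS_CREATE_THREAD, "CREATE_THREAD" },
    { PROCESS_VM_OPERATION, "VM_OPERATION" }, { PROCESS_VM_READ, "VM_READ" },
    { PROCESS_VM_WRITE, "VM_WRITE" }, { PROCESS_DUP_HANDLE, "DUP_HANDLE" },
    { PROCESS_CREATE_PROCESS, "CREATE_PROCESS" }, { PROCESS_SET_QUOTA, "SET_QUOTA" },
    { PROCESS_SET_INFORMATION, "SET_INFORMATION" },
    { PROCESS_QUERY_INFORMATION, "QUERY_INFORMATION" },
    { PROCESS_SUSPEND_RESUME, "SUSPEND_RESUME" },
    { PROCESS_QUERY_LIMITED_INFORMATION, "QUERY_LIMITED_INFORMATION" },
    { DELETE, "DELETE" }, { READ_CONTROL, "READ_CONTROL" }, { WRITE_DAC, "WRITE_DAC" },
    { WRITE_OWNER, "WRITE_OWNER" }, { SYNCHRONIZE, "SYNCHRONIZE" },
};

/* Subset of `granted` that can modify the target. */
uint32_t write_rights(uint32_t granted) { return granted & PROCESS_MODIFY_RIGHTS; }

/* 1 when the handle only allows observation, e.g. SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION. */
int is_read_only(uint32_t granted) { return write_rights(granted) == 0; }

/* Bits that were requested but silently dropped from the returned handle. */
uint32_t stripped_rights(uint32_t requested, uint32_t granted) { return requested & ~granted; }

/* Render a mask as "VM_WRITE|SYNCHRONIZE"; returns the number of chars written. */
size_t describe_mask(uint32_t mask, char *out, size_t cap)
{
    size_t used = 0;
    if (cap) out[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHT_NAMES / sizeof RIGHT_NAMES[0]; i++) {
        if (!(mask & RIGHT_NAMES[i].bit)) continue;
        int n = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", RIGHT_NAMES[i].name);
        if (n < 0 || (size_t)n >= cap - used) break;   /* output truncated: stop */
        used += (size_t)n;
    }
    return used;
}

#ifdef _WIN32
/* Layout of PUBLIC_OBJECT_BASIC_INFORMATION; NtQueryObject is resolved at run
 * time so no ntdll import library is needed. */
typedef struct { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount;
                 ULONG PointerCount; ULONG Reserved[10]; } OBJ_BASIC_INFO;
typedef LONG (NTAPI *NtQueryObject_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Open `pid` asking for `requested`; return the access the handle really carries (0 if not openable). */
uint32_t probe_granted_access(DWORD pid, uint32_t requested)
{
    static NtQueryObject_t pNtQueryObject;
    if (!pNtQueryObject)
        pNtQueryObject = (NtQueryObject_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryObject");
    HANDLE h = OpenProcess(requested, FALSE, pid);
    if (!h) return 0;
    OBJ_BASIC_INFO info = { 0 };
    ULONG len = 0;
    uint32_t granted = 0;
    if (pNtQueryObject && pNtQueryObject(h, 0 /* ObjectBasicInformation */, &info, sizeof info, &len) >= 0)
        granted = info.GrantedAccess;
    CloseHandle(h);
    return granted;
}

int main(void)
{
    /* Same PID sweep as the report, but printing what ALL_ACCESS actually became. */
    for (DWORD pid = 4; pid < 100000; pid += 4) {
        uint32_t granted = probe_granted_access(pid, PROCESS_ALL_ACCESS);
        if (!granted) continue;
        char names[512];
        describe_mask(write_rights(granted), names, sizeof names);
        printf("pid %6lu granted 0x%08x %s%s\n", (unsigned long)pid, (unsigned)granted,
               is_read_only(granted) ? "read-only" : "can modify: ", is_read_only(granted) ? "" : names);
    }
    return 0;
}
#endif
```

On a sandboxed build, a handle to a process in another box should print as read-only with the modifying bits stripped; the line for the caller's own process (and, outside Sandboxie, for processes the caller owns) will still list the modifying rights, which is the contrast the screenshot from TaskExplorer shows.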

LYingSiMon commented 1 year ago

I see. Thank you for your answer.