TOR Browser does not work why ?

[xame-arch]

SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034] SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034] SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034] err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034] SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034] SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 6 - firefox.exe [C0000034] err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox err=41020897 ... str1= ... str2= DefaultBox SBIE2203 Failed to communicate with the service Sandboxie: request C0000037 SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 14 - SandboxieRpcSs.exe [C0000080]

[isaak654]

@xame-arch What about your Windows Version, Sandboxie version, Tor Browser version?

In my case, all 64-bit versions of Tor Browser don't work.

This is the error I receive after pressing the connect button in the dialog mask (tested with Sandboxie-Plus 0.6.7 and "torbrowser-install-win64-10.0.11_en-US.exe" on a Windows 10 2004 x64): https://git.io/JtVGj

I can't navigate in the address bar. But outside of my empty sandbox, Tor browser 64-bit works fine.

I already know the workaround to use Tor Browser 32-bit (posted in #412), but not the technical reasons behind this incompatibility.

[xame-arch]

https://www.hybrid-analysis.com/sample/59e610eca00e3ce8bf1f584bdfbbce49ac0ace809d9bc09e4e6d214d972e1877/60194cb7c9be162e1832580b See link above in the ATT&CK™ MITRE ATT&CK™ Detection Techniques Perhaps because of the "Kernel Modules and Extensions" or the "Process Injection" perhaps it would be necessary to ask the developer of TOR to detect Sandboxie and in this configuration not to use "Kernel Modules and Extensions" or so that Sandboxie supports it that it is manufactured like the proof of concept in 2006 "Blue Pill" which has the privilege Ring 0 or that Sandboxie is Bootkit.

[Oridjinn1980]

I've also been trying to get TOR (10.0.11) to work in Sandboxie-Plus (0.6.7) on my windows 10 64bit desktop, but I seem to be facing the same issue as isaak654! I can run a normal firefox installation fine in all my sandboxes, but if I try to start TOR, at some point during it's startup, I get an error message that pops up (see attached).

[0x391F]

I've also been trying to get TOR (10.0.11) to work in Sandboxie-Plus (0.6.7) on my windows 10 64bit desktop, but I seem to be facing the same issue as isaak654! I can run a normal firefox installation fine in all my sandboxes, but if I try to start TOR, at some point during it's startup, I get an error message that pops up (see attached).

+1. The same problem, but my Sandboxie version is 0.7.1/5.48.5.

[DavidXanatos]

this is supposed to be open source, where can I find the sources

[0x391F]

Tor https://github.com/torproject/tor

Firefox https://ftp.mozilla.org/pub/firefox/releases/

[DavidXanatos]

Thats not what I need! the tor browser is a Firefox fork its not original its modified, i would like these the modifications, so i need the altered sources not the originals from mozilla.

[DavidXanatos]

Seams the sources are here: https://gitweb.torproject.org/tor-browser.git

but I don't find the versions they offer fro download: https://dist.torproject.org/torbrowser/

Also strangely a similar official Mozilla 64 bit version works just fine. When I prevent the hooking of NtOpenFile NtQueryAttributesFile and NtQueryFullAttributesFile the SbieDll.dll loads just fine, but than it crashes some ware else, apparently the ntdll hooks are somehow not properly functional, when I prevent the hooking of all ntdll functions it starts fine, it even loads websites ok, unfortunately it randomly crashes a minute or two later.

When I do the same with a original firefox it runs and does not crash.

Well enough time wasted, since Sbie works fine with original firefoxes and since the behavior observed does not seam to be a intentional mitigation, but rather a failure of the hooking mechanism during the image loading stage, the ball is imho on the to dev's side. Please complain with them to fix whatever they broke.

if you set MOZ_DISABLE_CONTENT_SANDBOX=1 as an environment variable that disables the Firefox sandbox and than you can start it.

[0x4E69676874466F78]

@DavidXanatos 10.0.12 based on Mozilla Firefox 78.8.0esr https://gitweb.torproject.org/tor-browser.git/tag/?h=tor-browser-78.8.0esr-10.0-1-build1 Perhaps the 64bit version has dll injection protection.

[isaak654]

There is a new open issue about it at their Gitlab repository: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40371

[xame-arch]

Tor 32 bit seems to work much better with Openfilepath and Openpipepath, OpenKeypath, OpenLpcPath, OpenWinClass. I haven't been able to use OpenClsid, so I'm not sure what it's for and how to make it work. I think I saw a program dllhost.exe running in the sandbox while before no I do not know if the Open represents a risk I noticed that it asks me more the file chains to recover. I also tested a 32 bit Tor installation and it works but only half in the chosen language. Also, at the time of installation it asks me to enlarge the sandbox for xul.dll to more than 10000 but if I do it afterwards it will do the same for a video on the VLC software but it doesn't work afterwards. On the other hand an installation of tor 64 bit will simply not start error 0xc00005 if I remember well It's a lot of data, I didn't do the logs, you said before that disabling the hooking works but then crashes, with the "Open" configured it doesn't crash? The difference between 32 bit and 64 bit seems to be another Process Injection "Allocates virtual memory in a remote process" and Query Registry "Queries sensitive IE security settings and Reads the windows installation date" Does Sandboxie support process injection?

Tor 32 bit https://www.hybrid-analysis.com/sample/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b/6069ebcec1966518537f5cb7 and https://otx.alienvault.com/indicator/file/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b

Tor 64 bit https://www.hybrid-analysis.com/sample/b5a7863443ce1d82fcab0533b12947e91400d1117b677b56a887b867feb732ae/60701033d868c06a7d2735e8 and https://otx.alienvault.com/indicator/file/1e231319b40f0d6efbb111e1236fee0d27c2c4a8bd77041df1a4832d827e89ea

[isaak654]

Does Sandboxie support process injection?

@xame-arch You might want to look at the documentation and/or using the repository search for further info: https://github.com/sandboxie-plus/Sandboxie/blob/c2f38e084023f001746862641c8fbeea85e3f2d7/Sandboxie/install/Templates.ini#L2530-L2532

[mutsuura]

I concur - latest 32-bit TOR browser works w/ Sandboxie, latest 64-bit TOR browser does not work.

[isaak654]

According to my tests, the first 64-bit version to introduce the conflict with Sandboxie is _torbrowser-install-win64-8.0a9en-US.exe, while torbrowser-install-win64-8.0a8_en-US.exe is the latest to work with Sandboxie.

I shared this finding on the open issue at their GitLab repository.

Just in case, here there is a list of related commits: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commits/tor-browser-60.0.1esr-8.0-1 (you would need to scroll it from top to bottom)

Release date of Tor Browser 8.0a9 x64 (the first release that broke Sandboxie support): 2018-06-25 12:59 Release date of Tor Browser 8.0a8 x64 (the last release with working Sandboxie support): 2018-06-09 19:07

[isaak654]

@DavidXanatos I asked for help on the #tor IRC channel, so I have new interesting findings for this issue.

In short, this Sandboxie crash also applies to other Firefox x64 builds that use the same non-official toolchain, so it can't be considered a specific Tor Browser issue anymore:

#tor channel support about the Sandboxie crash report

> tor: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40371 - Sandboxie software compatibility bug + a crash report isaak654: Sandboxie developer already looked at it, and he states it's something you need to fix about content sandboxing in x64 builds GeKo: yeah GeKo: providing a patch would be much appreciated GeKo: investigating that is likely to be non-trivial isaak654: indeed, the last working Tor Browser release with Sandboxie is win64-8.0a8 (released in 2018), so I think it's time starting to find an interested developer GeKo: i suspect the problem is that we use a different compiler for windows binaries than mozilla by default GeKo: however, you can verify that as mozilla is providing firefox build with the same toolchain GeKo: let me find a Firefox x64 link for you to try GeKo: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/RKlEsB7ETXSlpOh4SWYc7Q/runs/0/artifacts/public/build/target.zip GeKo: you could try the bundle you get in target.zip GeKo: i bet you have the same issue with sandboxie GeKo: even though it's plain firefox code isaak654: I can reproduce the Sandboxie issue with that Firefox Nightly x64 build too, and now? GeKo: the next steps for you or anyone debugging this could be checking whether that happens with the debug version as well and/or whether newer/older compiler versions fix the problem GeKo: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WsXatyNiRUWKG6TSUDbOaw/runs/0/artifacts/public/build/target.zip has the binaries for the debug build isaak654: the Firefox debug build you passed me crashes the same, no change GeKo: great GeKo: now the excitment starts GeKo: the debug build has debug symbols. someone should attach a debugger to it and then figure out what's going on GeKo: OR someone could start bisecting the compiler/toolchain figuring out what is going on GeKo: pick your poison :) GeKo: fwiw, the ticket you wanted to link to is likely https://bugzilla.mozilla.org/show_bug.cgi?id=1461421 GeKo: we know, though, that this is *not* a tor browser issue GeKo: it happens with firefox, too, provided you use the same non-official toolchain GeKo: feel free to update the tor-browser ticket too with what you learned :)

[DavidXanatos]

I have investigated the issue further and found the problem, it will be fixed in one of the upcoming builds