Closed xame-arch closed 2 years ago
@xame-arch What about your Windows Version, Sandboxie version, Tor Browser version?
In my case, all 64-bit versions of Tor Browser don't work.
This is the error I receive after pressing the connect button in the dialog mask (tested with Sandboxie-Plus 0.6.7 and "torbrowser-install-win64-10.0.11_en-US.exe" on a Windows 10 2004 x64): https://git.io/JtVGj
I can't navigate in the address bar. But outside of my empty sandbox, Tor browser 64-bit works fine.
I already know the workaround to use Tor Browser 32-bit (posted in #412), but not the technical reasons behind this incompatibility.
https://www.hybrid-analysis.com/sample/59e610eca00e3ce8bf1f584bdfbbce49ac0ace809d9bc09e4e6d214d972e1877/60194cb7c9be162e1832580b See the link above, under MITRE ATT&CK™ Detection Techniques. Perhaps it is because of the "Kernel Modules and Extensions" or the "Process Injection". Perhaps it would be necessary to ask the developer of TOR to detect Sandboxie and, in this configuration, not to use "Kernel Modules and Extensions"; or for Sandboxie to support it by being built like the 2006 proof of concept "Blue Pill", which has Ring 0 privilege; or for Sandboxie to be a bootkit.
I've also been trying to get TOR (10.0.11) to work in Sandboxie-Plus (0.6.7) on my Windows 10 64-bit desktop, but I seem to be facing the same issue as isaak654! I can run a normal Firefox installation fine in all my sandboxes, but if I try to start TOR, at some point during its startup, I get an error message that pops up (see attached).
+1. The same problem, but my Sandboxie version is 0.7.1/5.48.5.
This is supposed to be open source; where can I find the sources?
That's not what I need! The Tor Browser is a Firefox fork; it's not original, it's modified. I would like the modifications, so I need the altered sources, not the originals from Mozilla.
Seems the sources are here: https://gitweb.torproject.org/tor-browser.git
but I don't find the versions they offer for download: https://dist.torproject.org/torbrowser/
Also, strangely, a similar official Mozilla 64-bit version works just fine. When I prevent the hooking of NtOpenFile, NtQueryAttributesFile and NtQueryFullAttributesFile, the SbieDll.dll loads just fine, but then it crashes somewhere else; apparently the ntdll hooks are somehow not properly functional. When I prevent the hooking of all ntdll functions it starts fine, and it even loads websites OK; unfortunately it randomly crashes a minute or two later.
When I do the same with an original Firefox it runs and does not crash.
Well, enough time wasted. Since Sbie works fine with original Firefoxes, and since the behavior observed does not seem to be an intentional mitigation but rather a failure of the hooking mechanism during the image loading stage, the ball is imho on the Tor devs' side. Please complain with them to fix whatever they broke.
If you set MOZ_DISABLE_CONTENT_SANDBOX=1 as an environment variable, that disables the Firefox sandbox and then you can start it.
@DavidXanatos 10.0.12 is based on Mozilla Firefox 78.8.0esr: https://gitweb.torproject.org/tor-browser.git/tag/?h=tor-browser-78.8.0esr-10.0-1-build1 Perhaps the 64-bit version has DLL injection protection.
There is a new open issue about it at their Gitlab repository: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40371
Tor 32-bit seems to work much better with OpenFilePath, OpenPipePath, OpenKeyPath, OpenLpcPath and OpenWinClass. I haven't been able to use OpenClsid, so I'm not sure what it's for or how to make it work. I think I saw a program, dllhost.exe, running in the sandbox, whereas before I did not. I do not know if the "Open" represents a risk. I noticed that it asks me more for the file chains to recover. I also tested a 32-bit Tor installation and it works, but only half in the chosen language. Also, at the time of installation it asks me to enlarge the sandbox for xul.dll to more than 10000, but if I do it afterwards it will do the same for a video in the VLC software, but it doesn't work afterwards. On the other hand, an installation of Tor 64-bit will simply not start: error 0xc00005, if I remember well. It's a lot of data and I didn't do the logs. You said before that disabling the hooking works but then crashes; with the "Open" configured, it doesn't crash? The difference between 32-bit and 64-bit seems to be another Process Injection, "Allocates virtual memory in a remote process", and Query Registry, "Queries sensitive IE security settings and Reads the windows installation date". Does Sandboxie support process injection?
Tor 32 bit https://www.hybrid-analysis.com/sample/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b/6069ebcec1966518537f5cb7 and https://otx.alienvault.com/indicator/file/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b
Tor 64 bit https://www.hybrid-analysis.com/sample/b5a7863443ce1d82fcab0533b12947e91400d1117b677b56a887b867feb732ae/60701033d868c06a7d2735e8 and https://otx.alienvault.com/indicator/file/1e231319b40f0d6efbb111e1236fee0d27c2c4a8bd77041df1a4832d827e89ea
Does Sandboxie support process injection?
@xame-arch You might want to look at the documentation and/or use the repository search for further info: https://github.com/sandboxie-plus/Sandboxie/blob/c2f38e084023f001746862641c8fbeea85e3f2d7/Sandboxie/install/Templates.ini#L2530-L2532
I concur - latest 32-bit TOR browser works w/ Sandboxie, latest 64-bit TOR browser does not work.
According to my tests, the first 64-bit version to introduce the conflict with Sandboxie is torbrowser-install-win64-8.0a9_en-US.exe, while torbrowser-install-win64-8.0a8_en-US.exe is the latest to work with Sandboxie.
I shared this finding on the open issue at their GitLab repository.
Just in case, here there is a list of related commits: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commits/tor-browser-60.0.1esr-8.0-1 (you would need to scroll it from top to bottom)
Release date of Tor Browser 8.0a9 x64 (the first release that broke Sandboxie support): 2018-06-25 12:59
Release date of Tor Browser 8.0a8 x64 (the last release with working Sandboxie support): 2018-06-09 19:07
@DavidXanatos I asked for help on the #tor IRC channel, so I have new interesting findings for this issue.
In short, this Sandboxie crash also applies to other Firefox x64 builds that use the same non-official toolchain, so it can't be considered a specific Tor Browser issue anymore:
I have investigated the issue further and found the problem; it will be fixed in one of the upcoming builds.
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 6 - firefox.exe [C0000034]
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
SBIE2203 Failed to communicate with the service Sandboxie: request C0000037
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 14 - SandboxieRpcSs.exe [C0000080]
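
A triage sketch for SBIE2203 output like the log above, added here as an example and not part of the thread or of Sandboxie's own tooling. It assumes the bracketed hex value and the value after "request" are NTSTATUS codes; the function names and the shortened sample are constructed for illustration.

```python
import re
from collections import Counter

# ntstatus.h names for the codes seen in the log (assumed to be NTSTATUS values).
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000037: "STATUS_PORT_DISCONNECTED",
    0xC0000080: "STATUS_SERVER_DISABLED",
}

# Constructed sample: a shortened, run-together copy of the messages quoted above.
SAMPLE = (
    "SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034] "
    "SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034] "
    "err=41020897 ... str1= ... str2= DefaultBox "
    "SBIE2203 Failed to communicate with the service Sandboxie: GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034] "
    "SBIE2203 Failed to communicate with the service Sandboxie: request C0000037 "
    "SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 14 - SandboxieRpcSs.exe [C0000080]"
)

# Two message shapes: "<target>; MsgId: N - <process> [<status>]" and "request <status>".
SBIE2203 = re.compile(
    r"SBIE2203 Failed to communicate with the service Sandboxie: "
    r"(?:\*?(?P<target>\w+); MsgId: (?P<msgid>\d+) - (?P<proc>\S+) \[(?P<status>[0-9A-Fa-f]{8})\]"
    r"|request (?P<req>[0-9A-Fa-f]{8}))"
)

def parse_sbie2203(log):
    """Return one dict per SBIE2203 message, even when lines are run together."""
    events = []
    for m in SBIE2203.finditer(log):
        code = int(m.group("status") or m.group("req"), 16)
        events.append({
            "target": m.group("target"),      # None for the "request" form
            "msgid": int(m.group("msgid")) if m.group("msgid") else None,
            "process": m.group("proc"),
            "status": code,
            "name": NTSTATUS_NAMES.get(code, "unknown"),
        })
    return events

def summarize(events):
    """Count failures per (process, MsgId, status name) to show which call fails most."""
    return Counter((e["process"], e["msgid"], e["name"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(parse_sbie2203(SAMPLE)).most_common():
        print(count, key)
```
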