[1.0.22] OpenClipboard=n does not block clipboard if the program is "Forced Running" #1919

Closed
SiNONiMiTY opened this issue Jun 2, 2022 · 5 comments
Labels
fixed in next build Fixed in the next Sandboxie version Issue reproduced Issue reproduced without uncertainties Workaround Temporary or alternative solution

Comments

SiNONiMiTY commented Jun 2, 2022

What happened?

As the title says, here are the scenarios that were tested.

❌ A program executed from ForceFolder can still access the clipboard.
❌ A program executed via ForceProcess can still access the clipboard.
✔ Manually running the program via context menu and selecting the sandbox with OpenClipboard=n set works properly, it cannot access the clipboard.

I will be using DefaultBox (Hardened) with OpenClipboard=n and ForceFolder=D:\Downloads for testing.

See the following images for the scenarios

[SCENARIO 1 - Forced Running]

  1. Copy a random text.

  2. Directly execute the program on the forced location "D:\Downloads"

  3. Verify if the status is Forced Running

  4. Paste the copied text from step 1.

[SCENARIO 2 - Running]

  1. Copy a random text.

  2. Execute the program via the Sandboxie Context Menu

  3. Verify if the status is Running

  4. Paste the copied text from step 1.

Download link

N/A

To Reproduce

No response

Expected behavior

Clipboard access must be blocked

What is your Windows edition and version?

Windows 10 Pro Education 21H2 x64 (19044.1706)

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Symantec Endpoint Protection 14.3

What version of Sandboxie are you running?

1.0.22

Is it a regression?

No response

List of affected browsers

No response

In which sandbox type you have this problem?

Not relevant to my request.

Where is the program located?

Not relevant to my request.

Can you reproduce this problem on an empty sandbox?

Not relevant to my request.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

@SiNONiMiTY SiNONiMiTY added the Confirmation pending Further confirmation is requested label Jun 2, 2022
@SiNONiMiTY
Author

While working on this, I think it is good to include issue #1367

@RandomGOTI

The option never worked for me, maybe it wasn't supposed to
Windows 7 Ultimate SP1 x64
Plus 1.1.0 x64
Also tested Plus 0.7.5 x64 when the feature was added

@DavidXanatos DavidXanatos added the High priority To be done as soon as possible label Jun 4, 2022
@DavidXanatos DavidXanatos added Workaround Temporary or alternative solution Issue reproduced Issue reproduced without uncertainties and removed Confirmation pending Further confirmation is requested High priority To be done as soon as possible labels Jul 21, 2023
@DavidXanatos
Member

I have investigated this issue and it seems that when a process is started on Windows 10 using force process, the process gets associated with a job object of Windows; this prevents Sandboxie from using its own job object to restrict the program. You can use ForceRestartAll=y to work around this issue.
I'll have to look into how this can be fixed properly; we could add a user mode version of OpenClipboard=n, which would not be as secure but would do the job in most cases.

@DavidXanatos DavidXanatos added the High priority To be done as soon as possible label Jul 21, 2023
@DavidXanatos
Member

So here is my analysis of the issue: it seems that on modern Windows 10 the PcaSvc service, when attaching a job to a process, does that asynchronously, such that we fail to notice this during process creation, and this results in our own sandboxing job, when being attached, being so only in a limited way, which breaks the clipboard isolation.
ForceRestartAll=y is a good workaround, but what would be even better would be to properly detect and handle this event.
This issue may in fact be responsible for a few other force process related issues reported in the past.

@DavidXanatos DavidXanatos added fixed in next build Fixed in the next Sandboxie version and removed High priority To be done as soon as possible labels Jul 22, 2023
@DavidXanatos
Member

I have fixed the PCA job detection; it now retests that after the process was started,
and I have added a user mode aspect to OpenClipboard=n. The upside is that it now also works for green boxes, although without any guarantees.
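
The maintainer's comments above trace the failure to the forced process already belonging to another job object, which leaves Sandboxie's own restricting job only partly applied. The PowerShell diagnostic below is an added example, not part of the issue thread or of Sandboxie's code: run inside the sandbox, it reports whether the process is in a job, whether that job carries the Windows clipboard UI limits, and whether a clipboard read actually succeeds. It assumes the job-based restriction is expressed through the `JOB_OBJECT_UILIMIT_READCLIPBOARD` and `JOB_OBJECT_UILIMIT_WRITECLIPBOARD` flags; the `Diag.Job` type and the `Get-ClipboardJobStatus` function are hypothetical names.

```powershell
# Added diagnostic (not Sandboxie code). Copy some text first, then run this inside
# the box under test: once started from the Sandboxie context menu and once as a
# forced process (ForceFolder / ForceProcess), and compare the two outputs.
Add-Type -Namespace Diag -Name Job -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);

// JOBOBJECT_BASIC_UI_RESTRICTIONS holds a single DWORD, so a uint can receive it.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool QueryInformationJobObject(IntPtr job, int infoClass,
    out uint info, uint length, IntPtr returnLength);
'@

$JobObjectBasicUIRestrictions      = 4     # JOBOBJECTINFOCLASS value
$JOB_OBJECT_UILIMIT_READCLIPBOARD  = 0x2
$JOB_OBJECT_UILIMIT_WRITECLIPBOARD = 0x4

function Get-ClipboardJobStatus {
    $inJob = $false
    $self  = [Diag.Job]::GetCurrentProcess()
    if (-not [Diag.Job]::IsProcessInJob($self, [IntPtr]::Zero, [ref]$inJob)) {
        throw 'IsProcessInJob failed'
    }
    $flags   = [uint32]0
    $queried = $false
    if ($inJob) {
        # A NULL job handle selects the job of the calling process
        # (its immediate job when jobs are nested).
        $queried = [Diag.Job]::QueryInformationJobObject([IntPtr]::Zero,
            $JobObjectBasicUIRestrictions, [ref]$flags, 4, [IntPtr]::Zero)
    }
    # Functional check mirroring step 4 of the report: can the copied text be read?
    # An empty clipboard also yields $false here, hence "copy some text first".
    $text = $null
    try { $text = Get-Clipboard -Raw -ErrorAction Stop } catch { $text = $null }

    [pscustomobject]@{
        InJob                = $inJob
        UiLimitsQueried      = $queried
        ReadClipboardDenied  = [bool]($flags -band $JOB_OBJECT_UILIMIT_READCLIPBOARD)
        WriteClipboardDenied = [bool]($flags -band $JOB_OBJECT_UILIMIT_WRITECLIPBOARD)
        ClipboardReadable    = -not [string]::IsNullOrEmpty($text)
    }
}

Get-ClipboardJobStatus | Format-List
```

A run that shows `InJob` as True with both `...Denied` fields False and `ClipboardReadable` True matches the symptom reported in this issue.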
