[Isolation enhancement] Block elevated processes from manipulating local user accounts #553

Closed
hg421 opened this issue Feb 12, 2021 · 1 comment
Labels
Bug Something isn't working fixed in next build Fixed in the next Sandboxie version Workaround Temporary or alternative solution

@hg421
Contributor

hg421 commented Feb 12, 2021

It seems that Sandboxie fails to block sandboxed elevated processes from manipulating local user accounts.

For example, by running `net user USERNAME PASSWORD` from an elevated command prompt it is possible to set a new password for any local user account on the machine.
It is also possible to modify group membership, e.g. adding/removing user accounts from the local Administrators group.
Also you can completely remove a user with `net user USERNAME /DELETE`.

(Those commands really affect the "real" user account and are not isolated in the sandbox)

I think that sandboxed processes should definitely be disallowed from making such changes...

@DavidXanatos DavidXanatos added the ToDo To be done label Feb 12, 2021
@DavidXanatos
Member

There is a temporary workaround:
ClosedIpcPath=\RPC Control\samss lpc
Collateral damage unknown, but it solves the issue.

I'll have to add an IPC port filter for that one to properly only block requests that are problematic while allowing read-only queries.

@DavidXanatos DavidXanatos added Workaround Temporary or alternative solution Bug Something isn't working labels Feb 12, 2021
@DavidXanatos DavidXanatos added fixed in next build Fixed in the next Sandboxie version and removed ToDo To be done labels Feb 13, 2021
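
One way to check which sandboxes still lack the workaround quoted above, as an added example that is not part of the original thread or the Sandboxie project. It assumes that box sections in Sandboxie.ini are the ones carrying an `Enabled=` key, that a rule in `[GlobalSettings]` applies to every box, and that the file's text has already been decoded; the sample configuration is constructed.

```python
# Added example: report sandboxes whose configuration lacks the samss lpc workaround.
WORKAROUND_KEY = "closedipcpath"
WORKAROUND_VALUE = r"\RPC Control\samss lpc"  # value quoted in the thread

def parse_sections(text):
    """Return {section: [(key, value), ...]}; keys may repeat, so no dict per section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def has_workaround(settings):
    """True if an unscoped ClosedIpcPath rule closes the samss lpc port."""
    return any(k == WORKAROUND_KEY and v.lower() == WORKAROUND_VALUE.lower()
               for k, v in settings)

def boxes_missing_workaround(text):
    sections = parse_sections(text)
    if has_workaround(sections.get("GlobalSettings", [])):
        return []  # assumption: global rules are inherited by all boxes
    # Assumption: a section is a sandbox if it has an Enabled= key.
    return sorted(name for name, settings in sections.items()
                  if any(k == "enabled" for k, _ in settings)
                  and not has_workaround(settings))

# Constructed sample configuration, not taken from a real system.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ClosedIpcPath=\RPC Control\samss lpc

[TestBox]
Enabled=y
ClosedIpcPath=\RPC Control\spoolss

[UserSettings_0123ABCD]
SbieCtrl_ShowWelcome=n
"""

if __name__ == "__main__":
    for box in boxes_missing_workaround(SAMPLE_INI):
        print(f"{box}: no ClosedIpcPath rule for samss lpc")
```

A rule scoped to a single program (`ClosedIpcPath=program.exe,...`) is deliberately not counted, since it would leave other processes in the box uncovered.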