My Win7 Starter PC always runs the browser in a sandbox. My PC has no update programs making connections from outside of the sandbox and it doesn't run SandboxieBITS.exe or SandboxieCrypto.exe.
I also restrict my connections to HTTPS by blocking HTTP traffic in the software firewall. This week I experimented a little and allowed svchost to use HTTP and I also opened up a small number of CAs on port 80.
But before I relaxed HTTP I witnessed a hack being done which I didn't think was possible. The site that I connected to using HTTPS had been hacked already by the hacker and he was pretty certain that I would connect to it. This is because it's one of the few proxy servers that I connect to.
When I connect to, for example, BC, I use that server. And there are a few other sites that I use which only accept HTTP.
So when I connected to the proxy server, the hacker took control of the connection and used that to communicate with the browser (which was running in the sandbox). This has almost the same effect as performing MiTM on an SSL/TLS connection but it's easier to do if you can hack the victim's preferred web sites beforehand.
What appeared to happen next was that the hacker managed to execute code on my PC. No alarms were raised. On one occasion the hacker managed to break out of the sandbox and disable the anti-virus, whilst I was watching. In fact he did that twice - the first time wasn't quite as neat and an error message was raised by the application.
This raises many questions:
i) Am I right to think that the browser has a 0-day vulnerability?
For info: I upgraded to a beta version of Chrome and one of these hacks happened after that. My MS updates are a little behind, currently sitting at end of May 2014, but that will change soon and I'll be almost bang up to date.
ii) How did the hacker break out of the sandbox? Ans. It was not up to date, but it is now. It might be secure now but I'm not certain yet.
iii) Why didn't Sandboxie notice new files appearing inside the sandbox and offer to recover them?
iv) If something was executed, why didn't Comodo Defense+ pick that up? Or was it being executed under the auspices of Chrome?
v) What can I do to detect any of this?
vi) What evidence can I gather that would help Google understand what this vulnerability is (assuming it's not because the MS patches are behind the times at the moment)?
I'm wondering if Sysmon is something that will help with the detection.
The proxy server isn't the only web site that's been attacked. The CDN servers of one of my ISPs were hacked earlier this week and used to launch an attack on my PC over HTTPS.
It's strange witnessing all this, given my total unimportance.
Edit: it's plausible that the MS updates being behind allowed the hacker to elevate his privilege when the A/V was disabled. So getting up to date would help with that. I now do MS updates offline so that there's no HTTP outside the sandbox.
Edit2: I also noticed Chrome connecting to my NAT router on port 53. That must have been part of the hacking. I now use the software firewall to keep the router out-of-bounds for Chrome.
Edited by palerider2, 05 September 2014 - 02:07 AM.
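Question v) and the two edits ask what could be detected, and mention Sysmon. The following is an added example of my own, not code from palerider2's post, showing how the three observations in the post (a browser talking to port 53, plaintext HTTP from anything other than the allowed svchost.exe, and a browser spawning a non-browser child process) could be turned into simple rules over Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records. The events below are constructed to resemble Sysmon's field names; the router address, process paths and IPs are assumptions, not values from the post.

```python
import ntpath

# Processes the post treats as the sandboxed browser, and the one process the
# poster deliberately allowed to use plaintext HTTP (svchost.exe).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
HTTP_ALLOWED = {"svchost.exe"}

# Constructed Sysmon-style records (not real logs). Field names follow the
# Sysmon schema: Event ID 1 = process creation, Event ID 3 = network connection.
# Paths, IPs and the router address (192.168.1.1) are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "192.168.1.1", "DestinationPort": 53, "Protocol": "udp"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 80, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def image_name(path):
    """Lower-cased file name of a Sysmon Image/ParentImage path."""
    return ntpath.basename(path).lower()


def analyse(events):
    """Apply three detection rules and return (rule, process, detail) tuples.

    Rules mirror the observations in the post:
      browser-direct-dns     a browser process sending to port 53 itself
      plaintext-http         port 80 traffic from anything not in HTTP_ALLOWED
      browser-spawned-child  a browser launching a non-browser executable
    """
    findings = []
    for ev in events:
        image = image_name(ev["Image"])
        if ev["EventID"] == 3:
            port = ev["DestinationPort"]
            dest = ev["DestinationIp"]
            if image in BROWSERS and port == 53:
                findings.append(("browser-direct-dns", image, dest))
            if port == 80 and image not in HTTP_ALLOWED:
                findings.append(("plaintext-http", image, dest))
        elif ev["EventID"] == 1:
            parent = image_name(ev["ParentImage"])
            # Chrome spawns many chrome.exe helpers; only flag foreign children.
            if parent in BROWSERS and image not in BROWSERS:
                findings.append(("browser-spawned-child", parent,
                                 f"{image}: {ev['CommandLine']}"))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22} {proc:12} {detail}")
```

Two caveats for anyone reusing this. Sysmon only records Event ID 3 when network logging is switched on (the `-n` option at install time), so without it the first two rules see nothing. And a browser hitting port 53 is a prompt to look rather than proof of compromise: Chrome has at times shipped its own built-in resolver that queries the configured DNS server directly, which is exactly what a NAT router normally is, so the router connection in Edit2 could have an innocent explanation and should be compared against a period when nothing odd was happening.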