Sandbox Escapes

A sandbox is any environment used to isolate a computer process from other processes and from the host. The process being isolated is called the guest. The computer that houses the sandbox (with its guest) is called the host. A sandbox escape is any type of exploit that allows the guest process to break free of the constraints of the sandbox and access the host and/or outside world resources directly.

The sandbox provides a constrained interface (shell) for the guest to operate in. If the guest manages to escape, it has escalated privilege and upgraded its shell to that of the host environment.

Examples of sandboxes include the following.

Sandbox Type


Virtual machines

Entire operating systems run within their own environments. From a networking perspective, the virtual machine behaves like any other host on the network, with its own IP address and services that serve clients. Most data centers use virtual machines to reduce cost.

Docker containers

Self-contained applications run in lightweight, virtual-machine-like environments that share the host OS kernel and its resources.

Web browsers

Browsers run in low-privilege sandbox mode. If they become compromised, the damage they do will be limited.

Web browser plug-in content

Plug-ins like Microsoft Silverlight and Adobe Flash isolate games and multimedia they run. This is more controlled and secure than if the games were to run on a desktop.

Web pages

The browser sandboxes web pages it loads. Scripts that run are restricted from accessing the host file system.

Mobile apps

Android, iOS, and Windows 8 apps are each run in their own sandbox, separate from the host OS and each other. If the app wants to access resources such as location, camera, contacts, etc., it must ask permission.

PDFs and documents

PDFs are prevented from escaping the PDF viewer. Microsoft Office documents are run in sandbox mode to prevent unsafe macros from running.

Unknown file temporary quarantine/scanning

As you upload or download files, either the website or your anti-malware application will temporarily quarantine the files for scanning.

Antivirus quarantine

Antivirus programs detect and quarantine viruses and malware.

Attachment sandboxing

Email attachments or downloaded files are quarantined and tested before upload/download.

Sandbox Exploits

Although sandboxes are meant to be tightly controlled, there have been cases where a guest process escapes the sandbox and is able to run code on the host or interfere with another sandboxed process. Notable examples include the following.




CVE-2017-4901 – VMware Escape Exploit before VMware Workstation 12.5.5

  • Drag and drop functionality in VMware Workstation 12.x (pre-12.5.5) has an out-of-bounds memory access vulnerability.
  • A guest may be able to execute code on the host OS.

CVE-2016-3321 – Internet Explorer Iframe Sandbox File Name Disclosure

  • When used with HTML5 sandbox iframes, IE can disclose the existence of a local file on the host.
  • Works against IE 10 & 11.

Metasploit module auxiliary/gather/ie_sandbox_findfiles

CVE-2015-0016, MS15-004 – Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape

  • Targets the MS RemoteApp and Desktop connections runtime proxy TSWbPrxy.exe.
  • Allows the attacker to escape Protected Mode and execute code.

Metasploit module exploit/windows/local/ms15_004_tswbproxy

Note: For more Metasploit modules related to sandboxes, at the msf console, enter search sandbox.

Virus and Malware Sandbox Evasion Techniques

Authors of viruses and malware use sandbox evasion techniques to help their malicious files and code avoid detection while being scanned. Common techniques include the following.

Evasion Technique


Extended sleep

The malware uses extended sleep calls to simply “wait out” the anti-malware analysis time period.

Polymorphic malware

Malware adds garbage code to itself every time it runs in an effort to change its signature.

Rootkits and bootkits

Malware attempts to replace parts of the operating system so it can control the system and subvert the anti-malware detection process.

Sandbox detection

Malware will try to scan the virtual environment to determine if it has been sandboxed, and to fingerprint the sandbox.

Encrypted archives

Malware is encrypted into an archive or .zip file. The user is socially engineered into opening the package and infecting their system.

Botnet command and control

The user is tricked into installing “clean” code (a dropper) onto a target machine. That code then connects to a malicious site or IP address to download malware.

Logic bombs

The malicious part of the code lies dormant until an event (such as the date) triggers it.

Binary packers

Small routines that alter the malware, encrypting and obfuscating it so that it cannot be easily analyzed by antivirus software.

Network fast flux

Botnets use a rapidly changing network of compromised hosts, making it difficult to keep up with constantly changing IP addresses and DNS names.
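
From the analyst's side, the extended sleep technique listed above can be spotted by adding up the delay each process requests and comparing it with the length of the analysis run. The following is an added example, not code from the original page; the trace format, the two-minute analysis window and the 80% threshold are assumptions, and the trace lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: API-call trace as a sandbox might record it.
# The "<ms since start> pid=<pid> <API>(<args>)" format is hypothetical.
TRACE = """\
120 pid=4012 CreateFileW(C:\\Users\\a\\doc.tmp)
150 pid=4012 Sleep(1000)
1160 pid=4012 Sleep(300000)
1200 pid=5120 Sleep(50)
1300 pid=5120 WriteFile(handle=0x4c)
1350 pid=5120 SleepEx(200, 0)
1400 pid=6300 Sleep(0xFFFFFFFF)
"""

ANALYSIS_WINDOW_MS = 120_000      # assumed sandbox run time: 2 minutes
INFINITE = 0xFFFFFFFF             # Win32 INFINITE timeout value
LINE = re.compile(r"^(\d+) pid=(\d+) (Sleep|SleepEx)\((\w+)")

def requested_sleep_by_pid(trace):
    """Sum the delay each process asked for, not the time that elapsed."""
    totals = defaultdict(int)
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a sleep call
        pid, delay = int(m.group(2)), int(m.group(4), 0)
        # An INFINITE wait alone outlasts any analysis window.
        totals[pid] += ANALYSIS_WINDOW_MS if delay == INFINITE else delay
    return dict(totals)

def flag_extended_sleep(trace, ratio=0.8):
    """Return pids whose requested sleep covers >= ratio of the window."""
    limit = ANALYSIS_WINDOW_MS * ratio
    return sorted(p for p, ms in requested_sleep_by_pid(trace).items()
                  if ms >= limit)

if __name__ == "__main__":
    for pid in flag_extended_sleep(TRACE):
        print(f"pid {pid}: requested sleep covers most of the analysis window")
```

Summing requested rather than elapsed delay means a loop of many short sleeps is flagged the same way as a single long one.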
