A sandbox is any environment used to isolate a computer process away from other processes, as well as the host. The process that is being isolated is called the guest. The computer that houses the sandbox (with guest) is called the host. A sandbox escape is any type of exploit that allows the guest process to break free of the constraints of the sandbox, and access the host and/or outside world resources directly.
The sandbox provides a constrained interface (shell) for the guest to operate in. If the guest manages to escape, it has escalated privilege and upgraded its shell to that of the host environment.
Examples of sandboxes include the following.
Entire operating systems run within their own environments. From a networking perspective, the virtual machine behaves like any other host on the network, with its own IP address and services that serve clients. Most data centers use virtual machines to reduce cost.
Self-contained applications run in lightweight virtual machines, sharing resources with the host OS kernel.
Browsers run in low-privilege sandbox mode. If they become compromised, the damage they do will be limited.
Web browser plug-in content
Plug-ins like Microsoft Silverlight and Adobe Flash isolate games and multimedia they run. This is more controlled and secure than if the games were to run on a desktop.
The browser sandboxes web pages it loads. Scripts that run are restricted from accessing the host file system.
Android, iOS, and Windows 8 apps are each run in their own sandbox, separate from the host OS and each other. If the app wants to access resources such as location, camera, contacts, etc., it must ask permission.
PDFs and documents
PDFs are prevented from escaping the PDF viewer. Microsoft Office documents are run in sandbox mode to prevent unsafe macros from running.
Unknown file temporary quarantine/scanning
As you upload or download files, either the website or your anti-malware application will temporarily quarantine the files for scanning.
Antivirus programs detect and quarantine viruses and malware.
Email attachments or downloaded files are quarantined and tested before upload/download.
Although sandboxes are meant to be tightly controlled, there have been cases where a guest process escapes the sandbox and is able to run code on the host or interfere with another sandboxed process. Notable examples include the following.
CVE-2017-4901 - VMware Escape Exploit before VMware WorkStation 12.5.5
- Drag and drop functionality in VMWare Workstation 12.x (pre-12.5.5) has an out-of-bounds memory access vulnerability.
- A guest may be able to execute code on the host OS.
CVE-2016-3321 - Internet Explorer Iframe Sandbox File Name Disclosure
- When used with HTML5 sandbox iframes, IE can disclose the existence of a local file on the host.
- Works against IE 10 & 11.
Metasploit module auxiliary/gather/ie_sandbox_findfiles
CVE-2015-0016, MS15-004 - Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
- Targets the MS RemoteApp and Desktop connections runtime proxy TSWbPrxy.exe.
- Allows the attacker to escape Protected Mode and execute code.
Metasploit module exploit/windows/local/ms15_004_tswbproxy
Note: For more Metasploit modules related to sandboxes, at the msf console, enter search sandbox.
Virus and Malware Sandbox Evasion Techniques
Authors of viruses and malware use sandbox evasion techniques to help their malicious files and code avoid detection while being scanned. Common techniques include the following.
The malware uses extended sleep calls to simply "wait out" the anti-malware analysis time period.
Malware adds garbage code to itself every time it runs in an effort to change its signature.
Rootkits and bootkits
Malware attempts to replace parts of the operating system so it can control the system and subvert the anti-malware detection process.
Malware will try to scan the virtual environment to determine if it has been sandboxed, and to fingerprint the sandbox.
Malware is encrypted into an archive or .zip file. The user is socially engineered into opening the package and infecting their system.
Botnet command and control
Trick the user into installing "clean" code (a dropper) onto a target machine. That code then connects to a malicious site or IP to download malware.
The malicious part of the code lies dormant until an event (such as the date) triggers it.
Small routines that alter the malware, encrypting and obfuscating it so that it cannot be easily analyzed by antivirus software.
Network fast flux
Botnets use a rapidly changing network of compromised hosts, making it difficult to keep up with constantly changing IP addresses and DNS names.