
How can the sandboxed exe create file in c:? #3160

Open
tohghua opened this issue Aug 4, 2023 · 10 comments
Labels
Confirmation pending Further confirmation is requested Workaround Temporary or alternative solution

Comments

tohghua commented Aug 4, 2023

Describe what you noticed and did

  1. Download test.exe from https://cowtransfer.com/s/98e76eb3f5294a
  2. Run it to install in a sandbox; the installer will automatically run the program. See https://cowtransfer.com/s/360bb2f7b83348
  3. Input anything such as “a” and press the Ok button; it will create c:\CarpaBrowserCache

The problem is why the program can break through the sandbox to create a folder directly on disk.

How often did you encounter it so far?

No response

Affected program

test.exe

Download link

https://cowtransfer.com/s/98e76eb3f5294a

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Expected behavior

It should be unable to create a file/folder in c:

What is your Windows edition and version?

win10

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

none

What version of Sandboxie are you running?

Sandboxie Plus 1.9.8

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

tohghua added the "Confirmation pending: Further confirmation is requested" label Aug 4, 2023

DavidXanatos (Member) commented

I can't reproduce this; anyone else being able to reproduce this issue?

coltsfootrock commented

Not really too sure what I did to reproduce it, as the exe was not in English, my native language. Just downloaded it and ran it in a yellow Sbie+ box and clicked on the highlighted boxes during the install.
Used a yellow box
[Attached image: Screenshot 2023-08-04 180330]

bastik-1001 commented (this comment was marked as outdated)

offhub (Collaborator) commented Aug 4, 2023

[Attached video: sbiecbtest.mp4]

offhub (Collaborator) commented Aug 5, 2023

ClosedClsid={00021401-0000-0000-C000-000000000046}

bastik-1001 (Collaborator) commented

It appears as if messing with the HKCU does not require a process to be elevated, whereas it needs to be for messing with HKLM?

Does this affect the boxes where the processes are not allowed to be started elevated? And what about security hardened boxes?

DavidXanatos added the "Workaround: Temporary or alternative solution" label Aug 6, 2023

DavidXanatos (Member) commented

The registry changes should be contained within the box; did you observe otherwise?
In the case of this specific browser bug, it seems it arises when allowing communication with an unsandboxed Windows component.
Try removing Template=OpenWinInetCache from [DefaultTemplates] in the templates.ini.

bastik-1001 (Collaborator) commented

> did you observe otherwise?

No, I did not. My comment was based on the ClosedClsid={00021401-0000-0000-C000-000000000046} being suggested as a possible workaround.

offhub (Collaborator) commented Aug 6, 2023

This can also be used as a workaround.

NormalIpcPath=\RPC Control\webcache_*

isaak654 (Collaborator) commented Aug 7, 2023

Considering the OpenWinInetCache template:

```ini
#
# Sbie builds after 5.27-1 opens this (it breaks IE's source view and cache though)
#
[Template_OpenWinInetCache]
OpenClsid={0358B920-0AC7-461F-98F4-58E32CD89148}
OpenIpcPath=\RPC Control\webcache_*
OpenIpcPath=*\BaseNamedObjects\windows_webcache_counters_*
```

  • 1 - Is there a way to configure it so that it is only applied under certain conditions (such as the presence or absence of specific registry keys/files/folders)?

  • 2.1 - What about replacing line 468 with `OpenIpcPath=!executable.exe,\RPC Control\webcache_*`?

  • 2.2 - What about using a similar approach for line 645 below to keep some consistency (or even removing the duplicate line if needed)?

    ```ini
    [Template_IExplore_Cookies_DirectAccess]
    Tmpl.Title=#4328,Internet Explorer
    Tmpl.Class=WebBrowser
    OpenFilePath=iexplore.exe,%Cookies%
    # Internet Explorer 10 cookies
    OpenClsid={0358b920-0ac7-461f-98f4-58e32cd89148}
    OpenIpcPath=\RPC Control\webcache_*
    OpenIpcPath=*\BaseNamedObjects*\windows_webcache_*
    OpenFilePath=%Local AppData%\Microsoft\Internet Explorer\DOMStore\*
    ```
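As an added illustration of the two workarounds discussed in this thread (offhub's NormalIpcPath override and isaak654's `!executable.exe,` program prefix), and not code from Sandboxie or from anyone posting here: a small Python audit that parses a Sandboxie-style ini, expands Template= entries, and reports whether `\RPC Control\webcache_*` is still reachable from a given box. The sample ini is constructed; it assumes that [DefaultTemplates] applies to every box and that Normal/Closed rules override Open rules, which is how the NormalIpcPath workaround above is presented but is not verified here against Sandboxie's source.

```python
import fnmatch

# Constructed sample modelled on the templates.ini lines quoted in this thread (not a real file)
SAMPLE_INI = r"""[DefaultTemplates]
Template=OpenWinInetCache
[Template_OpenWinInetCache]
OpenClsid={0358B920-0AC7-461F-98F4-58E32CD89148}
OpenIpcPath=\RPC Control\webcache_*
OpenIpcPath=*\BaseNamedObjects\windows_webcache_counters_*
[DefaultBox]
[HardenedBox]
NormalIpcPath=\RPC Control\webcache_*
[ScopedBox]
NormalIpcPath=!iexplore.exe,\RPC Control\webcache_*
"""

def parse_ini(text):
    """Sandboxie-style ini: '#' comments, case-insensitive names, repeated keys kept in order."""
    sections, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip()))
    return sections

def effective_rules(sections, box, key):
    """`key` rules from [DefaultTemplates] (assumed to apply to every box), the box's Template= lines, then the box."""
    def values(section, k):
        return [v for kk, v in sections.get(section.lower(), []) if kk == k]
    templates = values("DefaultTemplates", "template") + values(box, "template")
    return [r for t in templates for r in values("Template_" + t, key)] + values(box, key)

def rule_applies(rule, program):
    """Strip an optional 'prog.exe,' or '!prog.exe,' prefix; return (applies_to_program, path_pattern)."""
    prog, sep, pattern = rule.partition(",")
    if not sep or "\\" in prog:  # no program prefix: the rule covers every process
        return True, rule
    matched = fnmatch.fnmatch(program.lower(), prog.lstrip("!").lower())
    return matched != prog.startswith("!"), pattern

def ipc_exposed(sections, box, ipc_name, program="test.exe"):
    """True if an Open rule opens `ipc_name` for `program` and no Normal/Closed rule (assumed to override Open) takes it back."""
    def hits(key):
        checks = (rule_applies(r, program) for r in effective_rules(sections, box, key))
        return any(ok and fnmatch.fnmatch(ipc_name.lower(), pat.lower()) for ok, pat in checks)
    return hits("openipcpath") and not (hits("normalipcpath") or hits("closedipcpath"))
```

Running `ipc_exposed(parse_ini(SAMPLE_INI), "DefaultBox", r"\RPC Control\webcache_1234")` flags the template-opened path, while HardenedBox comes back clean and ScopedBox only stays open for iexplore.exe.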
