Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.
The system service SbieSvc.exe exposes the SbieIniServer::RC4Crypt procedure to processes running in the sandbox. The handler for this procedure adds a fixed header size to a value_len value controlled by the caller without checking for integer overflow. Passing a sufficiently large value_len (e.g., 0xFFFFFFF0) causes the calculated allocation size to wrap around (integer overflow/wraparound), resulting in an undersized heap buffer being allocated. The attacker-supplied data is then copied into this undersized buffer, causing a heap overflow and allowing the attacker to control code execution.
A malicious process launched inside the sandbox can execute arbitrary code (RCE) with SYSTEM privileges on the host machine, completely compromising the operating system and breaking out of the sandbox isolation.
Sandboxie-Plus should be updated to version 1.16.7, where the issue has been fixed. The update is available in the project repository: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7
Sandboxie-Plus (Sandboxie) in versions 1.16.6 and earlier, running on 32-bit and 64-bit Windows systems based on NT.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSandboxie Plus Sandboxie
APPSandboxie-Plus1.14.0 – 1.16.7 (bez)
Related vulnerabilities
INI injection w Sandboxie-Plus umożliwia eskalację uprawnień do SYSTEM
Sandboxie: nieautoryzowany odczyt plików między użytkownikami (path traversal)
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system...
Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a lo...
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier,...