Sandboxie
cpe:2.3:a:sandboxie:sandboxie:*:*:*:*:*:*:*
- <= 5.30
A denial-of-service vulnerability has been identified in Sandboxie version 5.30. This issue allows local attackers to crash the application by entering an excessively long string, specifically a buffer of 5000 characters, into the 'Select or enter a program' field within the Program Alerts configuration. The vulnerability arises from the application's failure to properly handle such large inputs, leading to a crash.
Exploiting this vulnerability causes the Sandboxie application to crash, disrupting any active sessions or processes running within the sandbox environment.
To reproduce this vulnerability, first create a text file containing a 5000-character buffer of repeated characters. This file can be generated using a simple Python script. After creating the file, copy the contents to the clipboard. Then, open Sandboxie Control and navigate to 'Configure' > 'Program Alerts'. Click 'Add Program', paste the clipboard contents into the 'Select or enter a program' field, and click 'OK'. Finally, click 'OK' again to confirm, which will result in the application crashing.