Sandboxie Arithmetic Overflow Vulnerability in API_GET_SECURE_PARAM Leading to Buffer Overflow

Vulnerability

A vulnerability in Sandboxie versions starting at 1.3.0 and prior to 1.15.12 allows for an arithmetic overflow in the API_GET_SECURE_PARAM function. This overflow results in a small memory allocation that is subsequently overwritten by a large amount of data, causing a buffer overflow. The issue can be exploited by any process on the system, except those running in a sandboxed environment.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to memory corruption. In the worst-case scenario, this could be exploited to execute arbitrary code with the privileges of the user running the process.

Reproduction

The vulnerability can be reproduced by compiling and executing a proof-of-concept (PoC) program that interacts with the Sandboxie driver API. The PoC must allocate a wide string parameter larger than what can be safely handled, causing the API_GET_SECURE_PARAM function to perform an arithmetic overflow. This miscalculation leads to a small buffer being allocated, which is then overflowed with the large string, corrupting memory and causing a system crash.
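
The bug class described above, shown as an added illustration that is neither Sandboxie's driver code nor the PoC: a 32-bit size calculation on a caller-supplied wide-string length wraps to a small value, next to a checked version that rejects the request. The function names, the 16-byte header, the 2-byte character width and the 1 MiB cap are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WCHAR_BYTES 2u              /* width of a Windows wide char (assumption) */
#define HDR_BYTES   16u             /* hypothetical fixed per-buffer overhead */
#define MAX_PARAM_BYTES (1u << 20)  /* hypothetical policy cap on a parameter */

/* Unsafe pattern: unsigned 32-bit arithmetic wraps modulo 2^32, so a huge
 * caller-supplied length produces a tiny allocation size while the later
 * copy still uses the original, large length. */
static uint32_t unchecked_alloc_size(uint32_t len_chars)
{
    return (uint32_t)(len_chars * WCHAR_BYTES + HDR_BYTES);
}

/* Hardened pattern: validate the length before doing any arithmetic on it.
 * Returns false (and leaves *out untouched) if the total size would wrap
 * or exceed the policy cap; the caller must fail the request in that case. */
static bool checked_alloc_size(uint32_t len_chars, uint32_t *out)
{
    if (len_chars > (UINT32_MAX - HDR_BYTES) / WCHAR_BYTES)
        return false;                       /* multiplication or add would wrap */
    uint32_t total = len_chars * WCHAR_BYTES + HDR_BYTES;
    if (total > MAX_PARAM_BYTES)
        return false;                       /* larger than any legitimate value */
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed sample lengths: one ordinary, two that wrap. */
    const uint32_t samples[] = { 8u, 0x7FFFFFF8u, 0x80000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t safe = 0;
        bool ok = checked_alloc_size(samples[i], &safe);
        printf("len=0x%08x unchecked=%u checked=%s",
               (unsigned)samples[i],
               (unsigned)unchecked_alloc_size(samples[i]),
               ok ? "accepted" : "rejected");
        if (ok)
            printf(" (%u bytes)", (unsigned)safe);
        putchar('\n');
    }
    return 0;
}
```

The allocation size and the copy length must come from the same validated value; checking one and copying with the other reintroduces the mismatch.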

Remediation

Users can upgrade to Sandboxie version 1.15.12 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.