Sandboxie-Plus INI Injection Vulnerability Leading to Privilege Escalation
Vulnerability
A vulnerability allowing INI injection has been identified in Sandboxie-Plus versions through 1.17.2. This issue enables standard local users to bypass configuration restrictions and inject arbitrary directives into the global Sandboxie.ini file. The vulnerability arises because the background service neglects authorization checks for IPC messages directed at UserSettings_ sections, allowing unauthorized modifications. Exploiting this flaw can lead to sandbox escape and escalation of privileges to SYSTEM.
Impact
Exploitation of this vulnerability allows local users to escape the sandbox environment and gain unrestricted SYSTEM privileges.
Reproduction
The vulnerability can be reproduced by sending a crafted IPC message to the Sandboxie-Plus background service. This can be done using the 'SbieDll_UpdateConf' function from 'SbieDll.dll', which is the application's IPC interface. The message must be directed to a 'UserSettings_' section, bypassing authorization checks. Injected CRLF characters in the 'value' or 'setting' parameters are not sanitized, allowing the insertion of new sandbox section headers that can be exploited for privilege escalation.
Remediation
Users are advised to update to Sandboxie-Plus version 1.17.3, which addresses this vulnerability.
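The CRLF half of the issue described under Reproduction, as an added example that is not Sandboxie-Plus code and not the 1.17.3 fix: a naive INI line writer beside one that rejects control characters in the section, setting and value fields. All function names and the sample input are hypothetical and constructed for illustration; the missing authorization check on UserSettings_ sections is a separate control this sketch does not cover.

```c
#include <stdio.h>
#include <string.h>

/* Count lines that open a section ('[' at line start) in INI text. */
int count_sections(const char *ini) {
    int n = 0, at_line_start = 1;
    for (; *ini; ini++) {
        if (at_line_start && *ini == '[') n++;
        at_line_start = (*ini == '\n' || *ini == '\r');
    }
    return n;
}

/* Safe only if non-NULL and free of control characters (CR and LF included),
   so the field cannot terminate the line it is written on. */
int field_is_safe(const char *s) {
    if (!s) return 0;
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f) return 0;
    return 1;
}

/* Naive writer (hypothetical): formats the line without validating fields. */
int write_setting_naive(char *out, size_t cap, const char *section,
                        const char *setting, const char *value) {
    int n = snprintf(out, cap, "[%s]\r\n%s=%s\r\n", section, setting, value);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened writer (hypothetical): rejects unsafe fields before formatting. */
int write_setting_checked(char *out, size_t cap, const char *section,
                          const char *setting, const char *value) {
    if (!field_is_safe(section) || !field_is_safe(setting) || !field_is_safe(value))
        return -1;
    if (!*setting || strpbrk(setting, "[]=")) return -1;
    return write_setting_naive(out, cap, section, setting, value);
}

int main(void) {
    char buf[256];
    /* Constructed input: a value carrying CRLF and a second section header. */
    const char *bad = "1\r\n[OtherSection]\r\nKey=1";
    write_setting_naive(buf, sizeof buf, "UserSettings_Example", "Opt", bad);
    printf("naive writer, sections in output: %d\n", count_sections(buf));
    printf("checked writer, return code: %d\n",
           write_setting_checked(buf, sizeof buf, "UserSettings_Example", "Opt", bad));
    return 0;
}
```

Validation belongs in the privileged service that writes the file, since a check in the client library can be skipped by any caller that talks to the IPC endpoint directly.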
