Sandboxie-Plus Privilege Escalation Vulnerability via Uninitialized Memory Leak and Buffer Overflow

Vulnerability

A vulnerability allowing sandbox escape and privilege escalation to SYSTEM has been identified in Sandboxie-Plus versions through 1.17.2. The issue lies in the GetRawInputDeviceInfoSlave handler of the SbieSvc proxy service, where an uninitialized-memory disclosure and a stack buffer overflow can be chained. The chain begins when a sandboxed process sends an IPC request with the cbSize parameter set to 0, which causes the service to return up to 32KB of uninitialized stack memory. The leaked memory can contain sensitive values such as return addresses and stack cookies, which defeat Address Space Layout Randomization (ASLR) and stack-protection mechanisms. The second part of the vulnerability is the handler's missing bounds check: the attacker controls the length of the data copied into a stack buffer, which results in a buffer overflow. By combining the information leak with the overflow, a sandboxed process can execute a Return-Oriented Programming (ROP) chain and gain SYSTEM privileges, even within a Security Hardened Sandbox. Intel's Control-flow Enforcement Technology (CET) can block execution of the ROP chain, but it does not address the underlying information leak, so that avenue for exploitation remains.
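As an added illustration of the bug class (not Sandboxie's own code; the request layout, names and sizes are hypothetical), the C handler below performs the two checks whose absence the advisory describes, rejecting a zero cbSize and bounding the copied length, and zeroes the destination so no stale stack bytes are ever returned:

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified request shape: NOT Sandboxie's real ALPC message layout. */
#define SLAVE_BUF_MAX 32768u  /* largest payload the handler will ever copy */

typedef struct {
    uint32_t cbSize;        /* caller-declared payload length */
    const uint8_t *data;    /* payload bytes from the sandboxed caller */
} DeviceInfoRequest;

typedef enum { REQ_OK = 0, REQ_ZERO_SIZE, REQ_TOO_LARGE, REQ_NULL_DATA } ReqStatus;

/* Copies req->data into out; *written receives the byte count (0 on rejection). */
ReqStatus handle_device_info(const DeviceInfoRequest *req, uint8_t *out,
                             size_t out_cap, size_t *written)
{
    *written = 0;
    /* Check 1: cbSize == 0 is rejected up front. In the pattern the advisory
       describes, the handler carried on and returned stale stack contents. */
    if (req->cbSize == 0) return REQ_ZERO_SIZE;
    /* Check 2: the declared length must fit both the hard cap and the actual
       destination, so the caller cannot steer the copy past a stack buffer. */
    if (req->cbSize > SLAVE_BUF_MAX || req->cbSize > out_cap) return REQ_TOO_LARGE;
    if (req->data == NULL) return REQ_NULL_DATA;
    /* Check 3: clear the whole destination first, so bytes the copy does not
       cover can never be leftover return addresses or stack cookies. */
    memset(out, 0, out_cap);
    memcpy(out, req->data, req->cbSize);
    *written = req->cbSize;
    return REQ_OK;
}

/* Runs three constructed requests; returns 1 when every check behaves as intended. */
int demo(void) {
    static const uint8_t payload[4] = { 1, 2, 3, 4 };  /* constructed sample */
    uint8_t out[64];
    size_t n;
    DeviceInfoRequest zero = { 0, payload }, huge = { 100000u, payload },
                      good = { 4, payload };
    memset(out, 0xAA, sizeof out);  /* simulate stale stack contents */
    if (handle_device_info(&zero, out, sizeof out, &n) != REQ_ZERO_SIZE || n != 0) return 0;
    if (handle_device_info(&huge, out, sizeof out, &n) != REQ_TOO_LARGE) return 0;
    if (handle_device_info(&good, out, sizeof out, &n) != REQ_OK || n != 4) return 0;
    return out[3] == 4 && out[4] == 0 && out[63] == 0;  /* no 0xAA survives */
}

int main(void) { return demo() ? 0 : 1; }
```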

Impact

Exploitation of this vulnerability allows for a complete sandbox escape and unauthorized privilege escalation to SYSTEM, compromising the host operating system.

Reproduction

The vulnerability can be reproduced by sending a crafted IPC request to the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler. The request must have the cbSize parameter set to 0, which triggers the uninitialized memory leak. After the memory leak is successfully exploited, the stack buffer overflow can be triggered by sending an oversized payload that takes advantage of the handler's lack of bounds checking. This can be done using a C++ program that interfaces with the Sandboxie-Plus ALPC (Advanced Local Procedure Call) system, as demonstrated in the published Proof of Concept (PoC) available in the advisory.

Remediation

Users are advised to update to Sandboxie-Plus version 1.17.3, where this vulnerability has been fixed.

Added: May 5, 2026, 8:43 PM
Updated: May 5, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm
  spread          4.2
  impact         10.0
  exploitability  4.0
  remediation     7.7
  relevance       7.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.