Sandboxie-Plus Sandboxie
cpe:2.3:a:sandboxie:sandboxie:*:*:*:*:*:*:*
- <= 1.17.2
A stack buffer overflow vulnerability has been identified in Sandboxie-Plus versions through 1.17.2. The issue arises in the SbieIniServer RunSbieCtrl message handler, which processes the MSGID_SBIE_INI_RUN_SBIE_CTRL message before performing standard sandbox and impersonation checks. For non-sandboxed callers, the handler improperly copies an oversized message payload into a fixed-size stack buffer without verifying the payload length, potentially leading to a crash of the SbieSvc service or allowing code execution with SYSTEM privileges. The vulnerability can be exploited by any local interactive process.
Exploitation of this vulnerability can cause a crash of the SbieSvc service and create a local privilege escalation opportunity, allowing code execution as SYSTEM.
To reproduce this vulnerability, connect to the Sandboxie service port from a non-sandboxed user process. Send a message with the MSGID_SBIE_INI_RUN_SBIE_CTRL identifier, ensuring that the message length exceeds the buffer size limit by including a payload of controlled wide characters. The service will then copy the oversized payload into a stack buffer, causing a buffer overflow.
Users are advised to update to Sandboxie-Plus version 1.17.3, where this vulnerability has been fixed.
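The check the description implies, as an added example that is not Sandboxie's code: a hypothetical C request handler for a message shaped like the one described (a message id, a declared length, and a wide-character payload) that runs the caller-context gate before touching the payload and refuses any payload that does not fit its fixed-size stack buffer, instead of copying by the sender's length. The message layout, the id value, the buffer size, the scenario helpers and the `allow_all`/`deny_all` gate functions are all constructed for this example and do not reflect the real SbieIniServer code or the 1.17.3 fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed message layout standing in for the service's real request
 * format; neither the id value nor the buffer size is Sandboxie's own. */
#define MSGID_SBIE_INI_RUN_SBIE_CTRL 0x1000u  /* placeholder id */
#define MAX_CTRL_PAYLOAD_CHARS 64             /* capacity of the fixed stack buffer */

struct ctrl_msg {
    uint32_t msgid;
    uint32_t length;     /* declared total length in bytes, header included */
    wchar_t  payload[];  /* wide characters, not guaranteed NUL-terminated */
};

enum ctrl_result {
    CTRL_OK = 0,
    CTRL_ERR_NOT_ALLOWED,  /* caller-context gate rejected the request */
    CTRL_ERR_BAD_MSGID,
    CTRL_ERR_SHORT,        /* declared length inconsistent with bytes received */
    CTRL_ERR_MISALIGNED,   /* payload byte count is not whole wide characters */
    CTRL_ERR_TOO_LONG      /* payload exceeds the stack buffer */
};

typedef int (*caller_check_fn)(void);  /* stand-in for sandbox/impersonation checks */

static enum ctrl_result handle_run_sbie_ctrl(const struct ctrl_msg *m, size_t bytes_received,
                                             caller_check_fn caller_allowed,
                                             wchar_t *out, size_t out_chars)
{
    wchar_t buf[MAX_CTRL_PAYLOAD_CHARS + 1];  /* fixed-size stack buffer plus NUL */

    /* Caller context is decided before any payload byte is inspected. */
    if (!caller_allowed())
        return CTRL_ERR_NOT_ALLOWED;
    /* Header must be present; declared length must fit inside what was actually received. */
    if (bytes_received < sizeof *m)
        return CTRL_ERR_SHORT;
    if (m->msgid != MSGID_SBIE_INI_RUN_SBIE_CTRL)
        return CTRL_ERR_BAD_MSGID;
    if (m->length < sizeof *m || m->length > bytes_received)
        return CTRL_ERR_SHORT;

    size_t payload_bytes = m->length - sizeof *m;
    if (payload_bytes % sizeof(wchar_t) != 0)
        return CTRL_ERR_MISALIGNED;
    size_t payload_chars = payload_bytes / sizeof(wchar_t);
    /* The copy is bounded by the destination, never by the sender's length field. */
    if (payload_chars > MAX_CTRL_PAYLOAD_CHARS)
        return CTRL_ERR_TOO_LONG;

    memcpy(buf, m->payload, payload_bytes);
    buf[payload_chars] = L'\0';

    if (out_chars == 0)
        return CTRL_ERR_TOO_LONG;
    wcsncpy(out, buf, out_chars - 1);
    out[out_chars - 1] = L'\0';
    return CTRL_OK;
}

/* Builds a request into dst; returns total bytes, or 0 if it does not fit. */
static size_t build_ctrl_msg(void *dst, size_t dst_size, uint32_t msgid, const wchar_t *text)
{
    size_t payload_bytes = wcslen(text) * sizeof(wchar_t);
    size_t total = sizeof(struct ctrl_msg) + payload_bytes;
    if (total > dst_size || total > UINT32_MAX)
        return 0;
    struct ctrl_msg *m = dst;
    m->msgid = msgid;
    m->length = (uint32_t)total;
    memcpy(m->payload, text, payload_bytes);
    return total;
}

static int allow_all(void) { return 1; }
static int deny_all(void)  { return 0; }
static uint32_t scratch[1024];  /* 4 KiB, uint32_t-aligned so the struct cast is valid */

/* Builds and dispatches one request; declared_delta lets a scenario overstate the length. */
static enum ctrl_result run_with(const wchar_t *text, caller_check_fn gate,
                                 uint32_t declared_delta, wchar_t *out, size_t out_chars)
{
    size_t n = build_ctrl_msg(scratch, sizeof scratch, MSGID_SBIE_INI_RUN_SBIE_CTRL, text);
    if (n == 0) return CTRL_ERR_TOO_LONG;
    struct ctrl_msg *m = (struct ctrl_msg *)scratch;
    m->length += declared_delta;
    return handle_run_sbie_ctrl(m, n, gate, out, out_chars);
}

/* Scenario 1: well-formed request from an allowed caller; 1 if the payload round-trips. */
int demo_valid_roundtrip(void)
{
    wchar_t out[MAX_CTRL_PAYLOAD_CHARS + 1];
    return run_with(L"RunSbieCtrl", allow_all, 0, out, MAX_CTRL_PAYLOAD_CHARS + 1) == CTRL_OK
        && wcscmp(out, L"RunSbieCtrl") == 0;
}

/* Scenario 2: payload four times the stack buffer; the handler refuses instead of copying. */
enum ctrl_result demo_oversized(void)
{
    wchar_t big[MAX_CTRL_PAYLOAD_CHARS * 4 + 1], out[MAX_CTRL_PAYLOAD_CHARS + 1];
    for (size_t i = 0; i < MAX_CTRL_PAYLOAD_CHARS * 4; i++) big[i] = L'A';
    big[MAX_CTRL_PAYLOAD_CHARS * 4] = L'\0';
    return run_with(big, allow_all, 0, out, MAX_CTRL_PAYLOAD_CHARS + 1);
}

/* Scenario 3: declared length exceeds the bytes actually received. */
enum ctrl_result demo_declared_too_long(void)
{
    wchar_t out[MAX_CTRL_PAYLOAD_CHARS + 1];
    return run_with(L"ok", allow_all, 64, out, MAX_CTRL_PAYLOAD_CHARS + 1);
}

/* Scenario 4: the caller gate rejects before the payload is parsed at all. */
enum ctrl_result demo_gated(void)
{
    wchar_t out[MAX_CTRL_PAYLOAD_CHARS + 1];
    return run_with(L"ok", deny_all, 0, out, MAX_CTRL_PAYLOAD_CHARS + 1);
}

int main(void)
{
    printf("valid=%d oversized=%d declared=%d gated=%d\n", demo_valid_roundtrip(),
           demo_oversized(), demo_declared_too_long(), demo_gated());
    return 0;
}
```

The two properties worth keeping in mind when reviewing a handler like this are the order of the checks (caller context first, then framing, then size) and that the copy length is derived from the destination capacity rather than from anything the sender controls; the scenarios exercise each rejection path separately so a regression in any one of them is visible.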