Sandboxie-Plus Buffer Overflow Vulnerability in ProcessServer Handlers Allowing Potential Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Sandboxie-Plus versions through 1.17.2. The issue arises in several ProcessServer handlers, including KillAllHandler, SuspendAllHandler, and RunSandboxedHandler. These handlers improperly handle WCHAR boxname fields by copying them into larger stack buffers without first ensuring that the field is null-terminated; because the copy stops only at a null terminator, an unterminated field causes it to continue past the field's bounds. This flaw can be exploited by sending oversized packets through the service pipe, which accepts variable-length data. The vulnerability allows a crash of the SbieSvc service and could potentially be exploited for code execution with SYSTEM privileges.

Impact

Exploitation of this vulnerability can lead to a crash of the SbieSvc service and potentially allow for code execution with SYSTEM privileges, escalating rights from an unprivileged local process.

Reproduction

To reproduce this vulnerability, connect to the Sandboxie service pipe, which is accessible to any local process. Send a message with an oversized packet that includes a non-terminated boxname field. Append controlled wide-character data after the struct and place the terminator after exceeding 39 characters, which will cause wcscpy to read past the intended buffer and overflow the stack.
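The copy pattern described above beside a hardened handler, as an added example that is not Sandboxie-Plus code. The struct layout, the 40-character field size, the handler names and the sample request are all assumptions constructed for the illustration; the point is that the fix checks for a terminator inside the field before any copy happens.

```c
#include <string.h>
#include <wchar.h>

/* Assumed layout (hypothetical, not Sandboxie's real structure): a header then
 * a fixed 40-wchar_t boxname field (39 chars + NUL). wchar_t stands in for WCHAR. */
#define BOXNAME_FIELD_LEN 40

typedef struct {
    unsigned int msgid;
    wchar_t boxname[BOXNAME_FIELD_LEN];
} PROCESS_REQ;

/* The advisory's bug is the pattern  wchar_t name[64]; wcscpy(name, req->boxname);
 * wcscpy stops only at a NUL, so an unterminated field makes it read on into the
 * bytes after the struct and write past the end of the stack buffer. Hardened
 * version: check the packet size, then require the NUL to sit inside the field
 * before copying. Returns the name length, or a negative code on rejection. */
int handler_safe(const unsigned char *pkt, size_t pkt_len,
                 wchar_t *out, size_t out_len)
{
    PROCESS_REQ req;
    if (pkt_len < sizeof req)
        return -1;                                   /* truncated request */
    memcpy(&req, pkt, sizeof req);                   /* avoid misaligned access */
    if (wmemchr(req.boxname, L'\0', BOXNAME_FIELD_LEN) == NULL)
        return -2;                                   /* no terminator: reject */
    size_t n = wcslen(req.boxname);
    if (n + 1 > out_len)
        return -3;                                   /* does not fit caller's buffer */
    wmemcpy(out, req.boxname, n + 1);
    return (int)n;
}

/* Constructed request (not captured traffic). terminated == 0 gives a field of 40
 * non-NUL characters with controlled bytes after the struct, as the advisory describes. */
int run_request(int terminated, wchar_t *out, size_t out_len)
{
    unsigned char pkt[sizeof(PROCESS_REQ) + 64];
    PROCESS_REQ req = { .msgid = 1 };                /* boxname zero-filled */
    size_t len = sizeof req;
    if (terminated)
        wcscpy(req.boxname, L"TestBox");
    else {
        wmemset(req.boxname, L'A', BOXNAME_FIELD_LEN);
        len += 64;                                   /* trailing payload */
    }
    memcpy(pkt, &req, sizeof req);
    memset(pkt + sizeof req, 'B', 64);
    return handler_safe(pkt, len, out, out_len);
}
```

A well-formed request yields the name length, while the unterminated one is rejected with -2 before any copy to the stack buffer.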

Remediation

Users are advised to update to Sandboxie-Plus version 1.17.3, where this vulnerability has been fixed.

Added: May 5, 2026, 8:41 PM
Updated: May 5, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 10.0
exploitability: 4.0
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.