Sandboxie-Plus Stack-Based Buffer Overflow Vulnerability in NamedPipeServer OpenHandler

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Sandboxie-Plus versions through 1.17.2. The issue arises in NamedPipeServer::OpenHandler, which assumes that the NAMED_PIPE_OPEN_REQ::server field is null-terminated and does not validate it. A sandboxed caller can therefore fill the server field with controlled data and append additional wide characters, overflowing a fixed stack buffer within the SYSTEM service. This creates a sandbox escape vector, potentially allowing code execution with SYSTEM privileges or causing a crash of the SbieSvc service.
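
The validation whose absence is described above, as an added example (not Sandboxie's code and not the 1.17.3 fix): a handler that rejects trailing data, requires a NUL inside each fixed-size field, and checks the combined length before writing to the stack buffer. The struct layout, field sizes, separator and every DEMO_/demo_ name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout and sizes for illustration; not Sandboxie's definitions. */
#define SERVER_CCH   48
#define NAME_CCH     64
#define PIPENAME_CCH 160
typedef struct {
    uint32_t length;               /* message length claimed by the sender */
    uint32_t msgid;
    uint16_t server[SERVER_CCH];   /* 16-bit units, like Windows WCHAR */
    uint16_t name[NAME_CCH];
} DEMO_PIPE_OPEN_REQ;
enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_UNTERMINATED = -2, REQ_TOO_LONG = -3 };

/* Length of a fixed-size field, or -1 if no NUL lies inside the field. */
static long bounded_len(const uint16_t *f, size_t cch) {
    for (size_t i = 0; i < cch; i++)
        if (f[i] == 0) return (long)i;
    return -1;
}

/* Validate the request, then join server and name into out (out_cch units). */
int demo_build_pipename(const void *msg, size_t msg_len,
                        uint16_t *out, size_t out_cch) {
    DEMO_PIPE_OPEN_REQ req;
    if (msg_len != sizeof req) return REQ_BAD_LENGTH;   /* no trailing data */
    memcpy(&req, msg, sizeof req);                      /* private copy of caller data */
    if (req.length != msg_len) return REQ_BAD_LENGTH;
    long s = bounded_len(req.server, SERVER_CCH);
    long n = bounded_len(req.name, NAME_CCH);
    if (s < 0 || n < 0) return REQ_UNTERMINATED;        /* never scan past a field */
    if ((size_t)s + 1 + (size_t)n + 1 > out_cch) return REQ_TOO_LONG;
    memcpy(out, req.server, (size_t)s * sizeof *out);
    out[s] = '\\';                                      /* constructed separator */
    memcpy(out + s + 1, req.name, (size_t)n * sizeof *out);
    out[s + 1 + n] = 0;
    return REQ_OK;
}

int main(void) {
    DEMO_PIPE_OPEN_REQ r = { .length = sizeof r };
    uint16_t pipename[PIPENAME_CCH];
    memset(r.server, 0x41, sizeof r.server);            /* constructed: field has no NUL */
    return demo_build_pipename(&r, sizeof r, pipename, PIPENAME_CCH) == REQ_UNTERMINATED ? 0 : 1;
}
```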

Impact

Exploitation of this vulnerability can cause a crash of the SbieSvc service and create a potential vector for code execution with SYSTEM privileges.

Reproduction

To reproduce this vulnerability, connect to the Sandboxie LPC/ALPC service port and send a message with MSGID_NAMED_PIPE_OPEN. The message must include a length greater than that of the NAMED_PIPE_OPEN_REQ structure. Set the name field to a valid pipe name, such as 'lsarpc', and fill the server field with non-zero wide characters. Append additional controlled wide characters after the structure to overflow the pipename buffer. Finally, ensure the message is terminated in a way that exceeds the buffer's capacity, triggering the overflow.

Remediation

Users are advised to update to Sandboxie-Plus version 1.17.3, where this vulnerability has been fixed.

Added: May 5, 2026, 8:39 PM
Updated: May 5, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 10.0
exploitability: 4.0
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.