Sandboxie-Plus TOCTOU Race Condition Vulnerability in Addon Installation Allows Local Privilege Escalation
Vulnerability
A local privilege escalation vulnerability has been identified in Sandboxie-Plus versions through 1.17.2. The issue is a Time-of-Check-to-Time-of-Use (TOCTOU) race condition during addon installation. When an addon is installed via the SandMan interface, the SbieSvc service executes UpdUtil.exe with SYSTEM privileges. UpdUtil, however, stages the downloaded files in a temporary directory that is writable by the unprivileged user. It verifies the integrity of the downloaded files against the signed addon manifest and then extracts the addon and executes a configuration file from it, reading from that same user-writable location. The gap between the hash check and the extraction is the window: an unprivileged user who replaces the staged addon file in that window has their file, not the verified one, extracted and executed with SYSTEM rights. The manifest check therefore gives no protection, because the file it verified is not the file that is used, and since the code runs inside the service no User Account Control prompt is involved.
Impact
Exploitation of this vulnerability allows unprivileged users to execute arbitrary code as the SYSTEM user, with full administrative privileges.
Reproduction
To reproduce this vulnerability, start from a host where Sandboxie-Plus (1.17.2 or earlier) is installed and the SbieSvc service is running, working as a standard, non-administrative user. Prepare a malicious cabinet file containing an executable payload, for example a renamed copy of cmd.exe standing in for the configuration file that UpdUtil will execute. Then, from the SandMan interface, start the installation of an addon: SbieSvc launches UpdUtil.exe as SYSTEM, which downloads the addon into the user-writable temporary directory and verifies the file hashes against the signed manifest before extracting. Because that directory is writable by the user, the staged addon file can be overwritten with the malicious version after the hash check has passed but before extraction, and when the race is won UpdUtil extracts and executes the attacker's content as SYSTEM. Winning the window reliably usually means automating the swap (a loop that overwrites the staged file as soon as it appears) and retrying the install until it lands. Confirm success by checking that the spawned payload runs as NT AUTHORITY\SYSTEM (for a cmd.exe payload, whoami).
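The check-then-use flaw described in the vulnerability and reproduction sections above, reduced to a deterministic model. This is an added example and is not code from Sandboxie-Plus or from its 1.17.3 fix: `vulnerable_install` hashes the staged file and then reads it again for use, which is the behaviour the description of UpdUtil implies, while `hardened_install` shows the general TOCTOU-free pattern of verifying the bytes you actually use. The file name, the `MANIFEST` dictionary and the two byte strings are constructed stand-ins for the downloaded archive and the signed addon manifest, and the `attacker` callback stands in for the unprivileged user's process winning the race.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed stand-ins for the downloaded addon archive and for what an
# attacker would swap in (the page's example is a renamed cmd.exe).
LEGIT_ADDON = b"LEGIT-ADDON-ARCHIVE"
MALICIOUS_ADDON = b"MALICIOUS-ADDON-ARCHIVE"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the signed addon manifest: name -> expected hash.
MANIFEST = {"demo-addon": sha256(LEGIT_ADDON)}


def vulnerable_install(staged: Path, expected: str,
                       attacker: Optional[Callable[[], None]] = None) -> bytes:
    """Flawed pattern: check the file on disk, then use the file on disk.

    Between the two reads the installer does other work (more downloads,
    logging, ...); `attacker` runs in that window and models the
    unprivileged user overwriting the staged file. Returns the bytes that
    would be extracted and executed as SYSTEM."""
    if sha256(staged.read_bytes()) != expected:      # time of check
        raise ValueError("hash mismatch, install aborted")
    if attacker is not None:
        attacker()                                    # race window
    return staged.read_bytes()                        # time of use


def hardened_install(staged: Path, expected: str,
                     attacker: Optional[Callable[[], None]] = None) -> bytes:
    """Read once, verify those bytes, use those same bytes.

    The staged file can still be overwritten on disk (the directory is
    still user-writable), but nothing the installer executes comes from
    the second, attacker-controlled version."""
    data = staged.read_bytes()                        # single read
    if sha256(data) != expected:
        raise ValueError("hash mismatch, install aborted")
    if attacker is not None:
        attacker()                                    # same window, now harmless
    return data


def swap_in_place(staged: Path) -> None:
    """The attacker's move: overwrite the staged archive after the check."""
    staged.write_bytes(MALICIOUS_ADDON)


def run_demo() -> dict:
    """Run both installers against the same race; report what each would execute."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "demo-addon.archive"     # constructed file name
        expected = MANIFEST["demo-addon"]
        results = {}
        for name, install in (("vulnerable", vulnerable_install),
                              ("hardened", hardened_install)):
            staged.write_bytes(LEGIT_ADDON)           # "download" finishes
            results[name] = install(staged, expected,
                                    attacker=lambda: swap_in_place(staged))
        return results


def tampered_before_check_is_rejected() -> bool:
    """Sanity check: a swap that lands before the hash check is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "demo-addon.archive"
        staged.write_bytes(MALICIOUS_ADDON)
        try:
            vulnerable_install(staged, MANIFEST["demo-addon"])
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for name, executed in run_demo().items():
        print(f"{name:10s} executes: {executed!r}")
    print("early tamper rejected:", tampered_before_check_is_rejected())
```

Running the script shows the vulnerable installer executing the attacker's bytes and the hardened one executing the verified bytes, even though the file on disk was swapped in both cases. Verifying in memory is only one of several equivalent fixes: staging the download in a directory that only SYSTEM can write, or holding the file open without write or delete sharing for the whole check-and-extract sequence, closes the same window. Which of these 1.17.3 adopted is not stated on this page.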
Remediation
Users can update to Sandboxie-Plus version 1.17.3, where this vulnerability has been fixed.
