David Xanat

**Name of the Vulnerable Software and Affected Versions** Sandboxie-Plus versions prior to 1.17.3 **Description** A Time-of-Check-to-Time-of-Use (TOCTOU) race condition occurs during addon installation. When installing an addon via the SandMan interface, the `SbieSvc` service spawns `UpdUtil.exe` with SYSTEM privileges, which stages files in the user-writable `%TEMP%sandboxie-updater` directory. After `UpdUtil.exe` verifies file hashes against the signed addon manifest, `install.bat` extracts `files.cab` and executes `config.exe`. An unprivileged user can replace `files.cab` with a crafted cabinet containing a malicious executable between the hash verification and extraction steps, leading to the execution of the malicious file as SYSTEM without requiring a UAC prompt. A TOCTOU race condition is a software bug where the state of a resource changes between the time it is checked and the time it is used. **Recommendations** Update to version 1.17.3.