Sammy12342

**Name of the Vulnerable Software and Affected Versions** Sandboxie versions prior to 1.17.3 **Description** A local denial of service exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL (Input/Output Control) to the 'DeviceSandboxieDriverApi' driver, triggering an immediate kernel crash resulting in a Blue Screen of Death (BSOD). This issue affects the Standard Sandbox configuration regardless of whether administrator privileges are dropped, but it does not affect the Security Hardened Sandbox configuration. **Recommendations** Update to version 1.17.3. As a temporary workaround, use the Security Hardened Sandbox configuration.

**Name of the Vulnerable Software and Affected Versions** Sandboxie-Plus versions prior to 1.17.3 **Description** An INI injection issue allows a standard local user to bypass configuration restrictions, specifically `EditAdminOnly` and `ConfigPassword`, to inject arbitrary directives into the global Sandboxie.ini configuration file. The background service fails to perform authorization checks for IPC (Inter-Process Communication) messages targeting sections starting with `UserSettings ` and does not sanitize CRLF (Carriage Return Line Feed) characters in the value parameter via `MSGID SBIE INI ADD SETTING` or the setting name parameter via `MSGID SBIE INI SET SETTING`. This allows an attacker to inject a new sandbox section header with unrestricted permissions, leading to sandbox escape and SYSTEM privilege escalation. **Recommendations** Update to version 1.17.3.

**Name of the Vulnerable Software and Affected Versions** Sandboxie-Plus versions prior to 1.17.3 **Description** The SbieSvc proxy service's `GetRawInputDeviceInfoSlave()` handler contains an information leak and a stack buffer overflow. An information leak occurs when a sandboxed process sends an IPC request with `cbSize` set to 0, causing up to 32KB of uninitialized stack memory to be returned. This leaks return addresses and stack cookies, bypassing Address Space Layout Randomization (ASLR) and /GS protections. Additionally, the handler performs a `memcpy` operation using an attacker-controlled length without verifying if it fits within the 32KB stack buffer. By chaining these issues, a sandboxed process can execute a Return-Oriented Programming (ROP) chain—a technique that strings together small pieces of existing executable code—to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not stop the information leak. **Recommendations** Update to version 1.17.3.