Vulnerability Reporting - Sandboxie Installer DLL Hijacking Vulnerability [SOLVED]


Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Vulnerability Reporting - Sandboxie Installer DLL Hijacking Vulnerability

Post by Syrinx » Mon Aug 14, 2017 1:22 pm

OK, so upon further testing I was able to reproduce my results using OLDER installers, e.g. I had a beta from 5.07 where I could see the reported behavior (so I'm thinking I used that one the morning I said I was able to repro). However, using the current 5.20 release or the 5.21.2 beta installer I can NOT reproduce this, so it appears to have been solved previously?

On another note, even with the 5.07 installer, I found I was unable to reproduce this by simply loading the installer. It had to actually be run and install the version. Around the time the file copy was performed and the installer would show 'Completed' after hitting Install/Next, but before the driver initialization, it would load the DLLs from the temp directory (or wherever the installer and DLLs resided).
Goo.gl/p8qFCf

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: Vulnerability Reporting - Sandboxie Installer DLL Hijacking Vulnerability

Post by Barb@Invincea » Mon Aug 14, 2017 3:05 pm

Hello bayinmin,

We have tested a combination of scenarios based on the reported issue and were not able to reproduce the problem with the current Sandboxie installer.
However, we were able to see the behavior with Beta 5.07:

Installer: SandboxieInstall-507-1.exe - SandboxieInstall-507-8 (no longer available on our website, since Beta 5.07 was replaced with Sandboxie 5.08RC in February 2016).

Copied fake dwmapi and profapi (32-bit) DLL files to the %temp% folder.
Fake DLLs started running as soon as the installation of Sandboxie Beta 5.07 started.

Every other scenario tested (including 5.08RC) did not present the problem, and the DLLs were properly loaded from system folders instead.

At this point, we can state that this vulnerability was fixed a long time ago and it only affected a specific Beta version of the program (5.07). However, if you have any other steps you'd like us to review, please post them here and we will test them.

Regards,
Barb.-
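The check the two posts above describe (Barb planting dwmapi/profapi DLLs beside the installer, Syrinx noting that the load only happens during the copy phase) can be scripted so the result does not depend on watching Process Monitor by eye. The script below is an added example, not code from this thread or from Sandboxie. Instead of hand-written fake DLLs it copies the genuine 32-bit dwmapi.dll and profapi.dll from SysWOW64 into the installer's directory: the installer keeps working either way, and the path each module is mapped from tells you whether the application directory won over the system directory. The parameter names, the staging folder under %TEMP%, the 50 ms poll interval and the SysWOW64 choice are assumptions for the example; only the two DLL names come from Barb's post.

```powershell
# Added example (not the thread's or Sandboxie's code): plant copies of two DLLs next to an
# installer, run it, and record where the running process actually maps those DLLs from.
# Assumed/hypothetical: parameter names, staging dir, poll interval, SysWOW64 as the source
# (the post says the affected installer loaded 32-bit DLLs; use System32 for a 64-bit installer).
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string[]]$PlantDlls = @('dwmapi.dll', 'profapi.dll'),   # names from Barb's post
    [int]$PollMs = 50                                         # assumed poll interval
)

# Stage the installer in its own scratch directory so the planted DLLs sit beside it, as in %TEMP%.
$stage = Join-Path $env:TEMP ('dllhijack-test-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $stage | Out-Null
Copy-Item -Path $InstallerPath -Destination $stage
$exe = Join-Path $stage (Split-Path -Leaf $InstallerPath)

# Plant functionally identical copies: if the loader searches the application directory first,
# the module path will point at $stage instead of the Windows directory.
$sysDir = Join-Path $env:windir 'SysWOW64'
foreach ($dll in $PlantDlls) {
    Copy-Item -Path (Join-Path $sysDir $dll) -Destination (Join-Path $stage $dll)
}

$proc = Start-Process -FilePath $exe -WorkingDirectory $stage -PassThru
$reported = @{}

# The load was only seen mid-install, so keep polling until the process exits instead of sampling once.
while (-not $proc.HasExited) {
    try {
        $proc.Refresh()                      # drop the cached module list before re-reading it
        foreach ($m in $proc.Modules) {
            $name = $m.ModuleName.ToLowerInvariant()
            if (($PlantDlls -contains $name) -and -not $reported.ContainsKey($name)) {
                $reported[$name] = $m.FileName
                $fromStage = $m.FileName.StartsWith($stage, [System.StringComparison]::OrdinalIgnoreCase)
                if ($fromStage) { Write-Warning "HIJACKABLE: $name loaded from $($m.FileName)" }
                else            { Write-Host    "OK: $name loaded from $($m.FileName)" }
            }
        }
    } catch [System.ComponentModel.Win32Exception] {
        # Typically access denied: the installer elevated past this shell. Rerun the script elevated.
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        break
    } catch [System.InvalidOperationException] {
        break                                # process exited between HasExited and Modules
    }
    Start-Sleep -Milliseconds $PollMs
}

foreach ($dll in $PlantDlls) {
    if (-not $reported.ContainsKey($dll)) { Write-Host "Not observed: $dll was never seen loaded" }
}
```

Run it in a throwaway VM, since the installer really installs. Because the installer asks for elevation, start the script from an elevated PowerShell or module enumeration fails once UAC kicks in; and if the module list for the 32-bit installer comes back incomplete from 64-bit PowerShell, run the script from the 32-bit host (SysWOW64\WindowsPowerShell\v1.0\powershell.exe). A "HIJACKABLE" line for either DLL reproduces what Barb saw with the 5.07 beta; two "OK" lines with Windows-directory paths matches what she reports for 5.08RC and later.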
