Vulnerability Reporting - Sandboxie Installer DLL Hijacking Vulnerability [SOLVED]

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Sat Aug 05, 2017 10:02 pm

Hi Sandboxie Team,

This is to report a security vulnerability in the Sandboxie installer. This report was sent privately to the Sandboxie contact email, and the support team replied that the email only handles license-related issues and that technology issues have to go into the forum. Thus, the report is posted here.

1. Overview & Impact

The Sandboxie installer was vulnerable to DLL hijacking. The product did not verify the authenticity of the DLL file before loading it; thus a malicious individual or program may leverage this vulnerability to execute arbitrary code on the targeted machine.

2. Product Description

Sandboxie — Sandbox security software for Windows. Install and run programs in a virtual sandbox environment without writing to the hard drive.

3. PROOF-OF-CONCEPT

1. Upon installation of the affected exe file, the installer searched for the non-existent dwmapi.dll and profapi.dll files in the C:\Users\<username>\AppData\Local\Temp directory.

2. To leverage this, a customised DLL with shell code running an arbitrary command (e.g. launching calc.exe) was created, renamed to the affected DLLs' names and placed in the same directory.

3. After placing the malicious DLL, the installer was clicked again for installation. Subsequently, the installer loaded these malicious DLL files without verification, resulting in code execution.

4. Additionally, it was noted that SandboxieInstall-64-bit-5071703.exe was created in the same affected directory when the main SandboxieInstall.exe was run. SandboxieInstall-64-bit-5071703.exe was similarly vulnerable to DLL hijacking.

Affected DLLs

dwmapi.dll
profapi.dll

Version Affected

Tested in the following version:
SandboxieInstall.exe for SandboxieInstall-64-bit-5071703.exe
SandboxieInstall-64-bit-5071703.exe

Disclosure Timeline

03–08–2017: Notified Vendor
03–08–2017: Vendor replied to post vulnerability report in publicly accessible Sandboxie forum
04–08–2017: Requested to MITRE for CVE
06–08–2017: Vulnerability disclosed
06–08–2017: Vulnerability report posted in Vendor forum

Ref: https://medium.com/@BaYinMin/cve-2017-1 ... 1ad0562f41

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Post by Barb@Invincea » Mon Aug 07, 2017 1:49 pm

Hello bayinmin,

Thanks for your report. We are looking into it.
Which version of Sandboxie did you install, and where did you download it from?

Regards,
Barb.-

soccerfan
Posts: 440
Joined: Tue Sep 25, 2007 2:59 pm

Post by soccerfan » Tue Aug 08, 2017 2:07 pm

Hello bayinmin,

Could you please also post the SHA1 and/or MD5 hash
for the sandboxie installer file that was used in the test?
Thanks.
soccerfan

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Tue Aug 08, 2017 9:08 pm

Hello All,

Thank you for your replies.

The file was downloaded from the Sandboxie website.
Related information is as follows:

md5
B415ED5C57620721421C5EA19790F150

sha1
5B3C0C5BA78A3C28436BF9480B6D183F2C7E8022

version
5.20 64bit

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Post by Barb@Invincea » Wed Aug 09, 2017 10:02 am

Hello bayinmin,

I have passed the information to the devs.

We have tried to repro this scenario using many combinations and we were unable to (Tested on Windows 10, 8.1 and 7 x64).
Please provide the exact set of steps followed in order to test the behavior.

Regards,
Barb.-

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Wed Aug 09, 2017 12:29 pm

Hello Support Team,

Please refer to the demonstration video.

https://www.youtube.com/embed/paOVF3IcexU

Thanks

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Post by Barb@Invincea » Wed Aug 09, 2017 12:39 pm

Hi bayinmin,

I have sent the link to the devs. We are still unable to repro the issue.

We have tried adding Temp to the environment variables, but we are not seeing the installer looking for or using the files placed in the Temp location.
Have you made any changes to your environment variables?
From the video, it looks like you are running Windows 7, is that correct? Is there anything else running on the computer while reproducing the issue?

Could you please provide a procmon log reproducing the issue?
Download procmon.exe from https://docs.microsoft.com/en-us/sysint ... ds/procmon
Start procmon and reproduce the issue, then save the log and provide us the link (you will have to upload it to some free hosting website, as they tend to be big files).

Regards,
Barb.-
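
An added example, not part of the thread or of Sandboxie's code: one way to triage the Procmon capture requested above, once exported to CSV, for the behaviour the report describes. It lists DLL lookups beside the installer that returned NAME NOT FOUND and DLL images loaded from outside the Windows system directories; the sample rows, PID and user name are constructed, and the trusted-directory list assumes a default Windows layout.

```python
import csv
import io
import ntpath

# Directories system DLLs are expected to load from (assumed default Windows layout).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample in Procmon's default CSV export columns; not the reporter's log.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","SandboxieInstall.exe","4012","Load Image","C:\Users\test\AppData\Local\Temp\SandboxieInstall.exe","SUCCESS",""
"10:02:11.2","SandboxieInstall.exe","4012","CreateFile","C:\Users\test\AppData\Local\Temp\dwmapi.dll","NAME NOT FOUND",""
"10:02:11.3","SandboxieInstall.exe","4012","Load Image","C:\Windows\System32\dwmapi.dll","SUCCESS",""
"10:02:11.4","SandboxieInstall.exe","4012","Load Image","C:\Users\test\AppData\Local\Temp\profapi.dll","SUCCESS",""
"10:02:11.5","explorer.exe","1500","CreateFile","C:\Users\test\AppData\Local\Temp\dwmapi.dll","NAME NOT FOUND",""
'''

def is_trusted(directory):
    """True if the directory is one of the trusted system directories or below one."""
    d = directory.lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def triage(csv_text, process_name):
    """Return sorted (kind, dll, path) findings for one process in a Procmon CSV export."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process_name.lower()]
    # The application directory is where the process's own image was loaded from.
    app_dir = next((ntpath.dirname(r["Path"]).lower() for r in rows
                    if r["Operation"] == "Load Image"
                    and ntpath.basename(r["Path"]).lower() == process_name.lower()), None)
    findings = set()
    for r in rows:
        path = r["Path"]
        folder, name = ntpath.dirname(path).lower(), ntpath.basename(path).lower()
        if not name.endswith(".dll") or is_trusted(folder):
            continue
        if r["Operation"] == "Load Image":
            # A DLL image was mapped from outside the system directories.
            findings.add(("loaded-untrusted", name, path))
        elif (r["Operation"] == "CreateFile" and r["Result"] == "NAME NOT FOUND"
              and folder == app_dir):
            # The process looked beside its own executable for a DLL that is not there.
            findings.add(("probe-missing", name, path))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV, "SandboxieInstall.exe"):
        print(finding)
```

When reading a saved export, opening it with `encoding="utf-8-sig"` strips a leading byte-order mark if the file has one.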

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Post by Syrinx » Wed Aug 09, 2017 7:23 pm

I was unable to locate such an installer tho my 'personal backup' directory of SBIE installers isn't exactly filled to the brim. The noted name itself seems similar but also quite wrong. If taken a certain way it looks like it might be a beta that isn't available but regardless I was not able to reproduce with public builds at this point tho I have not tested every single recent installer.

*YAWN*
Goo.gl/p8qFCf

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Wed Aug 09, 2017 10:18 pm

Hi Support Team,

It was tested on Windows 7. To the best of my memory, no additional environment variable changes were made.

I have reproduced the steps again. The full log is certainly too big, so I filtered it to Sandboxie-related entries.
Please find it here: https://drive.google.com/open?id=0B6Uzb ... WtiRDZTMVU

The following is the limited initial screenshot I still have from the initial testing

Thanks

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Post by Syrinx » Thu Aug 10, 2017 12:13 am

While not a member of the support team I'd like to thank you for the PML. I'll try to take another look tomorrow, while sober, since at first glance it appears you were using a SBIE x64 5.20 installer but in my VM test just now on a Windows 7 x64 VM I was still unable to reproduce. In my latest attempt I was using a modified dwmapi.dll in the tmp dir but it still always loaded from trusted paths instead... I may need to try a full clean install tomorrow as the one I was working on isn't exactly virgin so maybe some policy or tweak has changed the outcome?!?

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Post by Syrinx » Thu Aug 10, 2017 8:50 am

lol, I wasn't moving the installer into the temp directory but I can reproduce it now. I could see this being an issue while using the internal update function. Thanks and sorry I was so daft while trying to reproduce!

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Fri Aug 11, 2017 4:30 am

Glad to hear that it can be reproduced.
Thanks for the effort!

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Post by Syrinx » Fri Aug 11, 2017 6:21 am

Sadly I may have to retract that. I got up to check it yesterday morning, before I had to go, so I wasn't very thorough. What happened was I did see activity in procmon where the installer would read and did a Load Image on the local temp copy instead, but I did not check with procexp to see if it ended up actually running. Even worse is that this morning I can't even reproduce that. I'll try to play with this more next week when I have more free time. =( Sorry if I've just added confusion on this matter but atm I'm not entirely sure if my results yesterday were correct.

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Post by Barb@Invincea » Fri Aug 11, 2017 11:14 am

Hello bayinmin,

We have not been able to recreate the issue.
Can you please provide more information regarding the exact Windows version that you used?

Perhaps you can provide a copy of your dll files?

Regards,
Barb.-

bayinmin
Posts: 6
Joined: Sat Aug 05, 2017 9:49 pm

Post by bayinmin » Sat Aug 12, 2017 10:30 pm

Hi Barb,

Windows 7 Ultimate was used to test. I have difficulties uploading the PoC DLL file or sending it through mail, as it is being blocked as malicious.

Thanks
