[CVE-2017–12480] Sandboxie installer — DLL Hijacking or Unsafe DLL Loading Vulnerability
--
1. Overview & Impact
Sandboxie installer was vulnerable to DLL hijacking. The product did not verify the authenticity of the DLL file before loading thus a malicious individual or program may leverage this vulnerability to execute arbitrary code on the targeted machine.
2. Product Description
Sandboxie — Sandbox security software for Windows. Install and run programs in a virtual sandbox environment without writing to the hard drive.
3. PROOF-OF-CONCEPT
1. Upon installation of affected exe file, the installer searched for non-existent dwmapi.dll and profapi.dll files from C:\Users\<username>\AppData\Local\Temp directory
2. To leverage this, created customised DLL shell code with arbitrary command ( eg. launching calc.exe) renamed as affected DLLs name and placed in the same directory
3. After placing the malicious DLL, clicked the installer again for installation. Subsequently, installer loaded these malicious DLLs file without verification and resulting in code execution.
4. Additionally, it was noted that SandboxieInstall-64-bit-5071703.exe was created in same affected directory when the main SandboxieInstall.exe was run. SandboxieInstall-64-bit-5071703.exe was similarly vulnerable to DLL hijacking.
Affected DLL
- dwmapi.dll,
- profapi.dll
Version Affected
Tested in the following version:
- SandboxieInstall.exe for SandboxieInstall-64-bit-5071703.exe
- SandboxieInstall-64-bit-5071703.exe
Credit
This vulnerability was discovered by Min Thu Han
Disclosure Timeline
- 03–08–2017: Notified Vendor
- 03–08–2017: Vendor replied to post vulnerability report in publicly accessible Sandboxie forum
- 04–08–2017: Requested to MITRE for CVE
- 06–08–2017: Vulnerability disclosed
- 06–08–2017: Vulnerability report posted in Vendor forum










