Headline
CVE-2022-28067: Sandbox breakout bug (details omitted) · Issue #1714 · sandboxie-plus/Sandboxie
An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable.
What happened?
The details of this bug have been sent to @DavidXanatos by email on March 21. This issue only serves to track the fixing (that is, if this is confirmed to be a real bug) progress publicly.
In short, I’ve found a bug in Sandboxie that presumably lets an attacker break out of the sandbox. This has yet to be confirmed by the developers, though.
To Reproduce
Described in the email.
Expected behavior
Sandboxed programs should not be allowed to escape.
What is your Windows edition and version?
Windows 10 Home 20H2 (19042.1466) 64-bit
In which Windows account you have this problem?
A local or Microsoft account without special changes.
Please mention any installed security software
Built-in realtime protection in Windows 10
What version of Sandboxie are you running?
Sandboxie Classic v5.55.13 64-bit
Is it a regression?
No response
List of affected browsers
No response
In which sandbox type you have this problem?
I only reproduced it with Sandboxie Classic.
Is the sandboxed program also installed outside the sandbox?
No, it is not installed in the real system.
Can you reproduce this problem on an empty sandbox?
I can confirm it also on an empty sandbox.
Did you previously enable some security policy settings outside Sandboxie?
No response
Crash dump
No response
Trace log
No response
Sandboxie.ini configuration
No response
Sandboxie-Plus.ini configuration (for Plus interface issues)
No response