[CVE-2017-12480] Sandboxie installer — DLL Hijacking or Unsafe DLL Loading Vulnerability

Ba Yin Min
Aug 6, 2017 · 1 min read

1. Overview & Impact

The Sandboxie installer was vulnerable to DLL hijacking. The product did not verify the authenticity of a DLL file before loading it; thus a malicious individual or program could leverage this vulnerability to execute arbitrary code on the targeted machine.

2. Product Description

Sandboxie — Sandbox security software for Windows. Install and run programs in a virtual sandbox environment without writing to the hard drive.

3. Proof-of-Concept

1. When the affected exe file was run, the installer searched for dwmapi.dll and profapi.dll, which did not exist there, in the C:\Users\<username>\AppData\Local\Temp directory.

2. To leverage this, a customised DLL containing shellcode that ran an arbitrary command (e.g. launching calc.exe) was created, renamed to the affected DLL names, and placed in that same directory.

3. After the malicious DLLs were in place, the installer was run again. The installer loaded these malicious DLL files without verification, resulting in code execution.

4. Additionally, it was noted that SandboxieInstall-64-bit-5071703.exe was created in the same affected directory when the main SandboxieInstall.exe was run. SandboxieInstall-64-bit-5071703.exe was similarly vulnerable to DLL hijacking.
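As an added defender-side check (not part of the original advisory), the following PowerShell audits the per-user Temp directory that the installer searched for copies of the two DLL names above and reports their signature status and whether they match the genuine System32 file. It assumes $env:LOCALAPPDATA\Temp is the C:\Users\<username>\AppData\Local\Temp directory the steps refer to.

```powershell
# Added audit script (not from the advisory). Checks the per-user Temp directory,
# where the Sandboxie installer looked for dwmapi.dll and profapi.dll, for files
# of those names. Assumption: $env:LOCALAPPDATA\Temp is the
# C:\Users\<username>\AppData\Local\Temp directory named in the advisory.
$tempDir  = Join-Path $env:LOCALAPPDATA 'Temp'
$system32 = Join-Path $env:SystemRoot 'System32'
$dllNames = @('dwmapi.dll', 'profapi.dll')   # names listed in the advisory

foreach ($name in $dllNames) {
    $candidate = Join-Path $tempDir $name
    if (-not (Test-Path -LiteralPath $candidate)) {
        Write-Output "OK      $name is not present in $tempDir"
        continue
    }

    # Anything with this name in Temp sits in the search-order slot the installer
    # probed, so it is suspect even if it carries a valid signature: the genuine
    # library is only expected under System32.
    $sig  = Get-AuthenticodeSignature -FilePath $candidate
    $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    $sameAsSystem32 = $false
    $known = Join-Path $system32 $name
    if (Test-Path -LiteralPath $known) {
        $sameAsSystem32 = ((Get-FileHash -LiteralPath $known -Algorithm SHA256).Hash -eq $hash)
    }
    $modified = (Get-Item -LiteralPath $candidate).LastWriteTime

    Write-Output "SUSPECT $name found in $tempDir"
    Write-Output "        signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    Write-Output "        sha256=$hash sameAsSystem32=$sameAsSystem32 modified=$modified"
}
```

A file of either name in Temp that is unsigned or differs from the System32 copy is exactly the condition step 3 depends on; removing it and keeping Temp free of DLLs named after system libraries before running the installer closes that path on an unpatched build.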

Affected DLL

  • dwmapi.dll
  • profapi.dll

Version Affected

Tested in the following version:

  • SandboxieInstall.exe (the wrapper that creates SandboxieInstall-64-bit-5071703.exe)
  • SandboxieInstall-64-bit-5071703.exe

Credit

This vulnerability was discovered by Min Thu Han.

Disclosure Timeline

  • 03-08-2017: Notified vendor
  • 03-08-2017: Vendor replied, asking that the vulnerability report be posted in the publicly accessible Sandboxie forum
  • 04-08-2017: Requested a CVE from MITRE
  • 06-08-2017: Vulnerability disclosed
  • 06-08-2017: Vulnerability report posted in the vendor forum