CVE-2021-47883
📋 TL;DR
CVE-2021-47883 is an unquoted service path vulnerability in Sandboxie Plus's SbieSvc service that allows local attackers to execute arbitrary code with LocalSystem privileges. This affects users running Sandboxie Plus 0.7.2 on Windows systems. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- Sandboxie Plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with LocalSystem privileges, allowing attackers to install persistent malware, steal credentials, modify system configurations, and access all data on the system.
Likely Case
Local privilege escalation leading to installation of additional malware, credential harvesting, and lateral movement within the network.
If Mitigated
Limited impact if proper access controls, endpoint protection, and monitoring are in place to detect and block unauthorized service modifications.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 49631). Attackers need local access with the ability to write to directories in the service path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.3 and later
Vendor Advisory: https://sandboxie-plus.com/
Restart Required: Yes
Instructions:
1. Download Sandboxie Plus version 0.7.3 or later from the official website.
2. Run the installer to upgrade.
3. Restart the system to ensure the updated service is running.
🔧 Temporary Workarounds
Manually quote service path
Windows: Modify the SbieSvc service configuration to use quoted paths in the registry
sc config SbieSvc binPath= "\"C:\Program Files\Sandboxie-Plus\SbieSvc.exe\""
Restrict directory permissions
Windows: Set strict ACLs on directories in the service path to prevent unauthorized writes
icacls "C:\Program Files\Sandboxie-Plus" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from writing to directories in the service path
- Monitor for suspicious service modifications and unauthorized executable creation in system directories
🔍 How to Verify
Check if Vulnerable:
Check if the Sandboxie Plus version is 0.7.2 and examine the SbieSvc service path in the registry:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /v ImagePath
Check Version:
Check the Sandboxie Plus version in the application or via:
wmic product where "name like 'Sandboxie%'" get version
Verify Fix Applied:
Verify Sandboxie Plus version is 0.7.3 or later and check that the service path in registry contains quotes around the executable path
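The registry check above, generalized as an added PowerShell example (not part of the original advisory or of Sandboxie's code): it flags unquoted ImagePath values that contain spaces and lists the directories whose write ACLs should be reviewed for each one. The function name Get-UnquotedPathFinding and the sample values are assumptions made for this example.

```powershell
# Added example. Get-UnquotedPathFinding is a hypothetical helper name.
function Get-UnquotedPathFinding {
    param([string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Quoted paths and kernel-style paths (\SystemRoot\..., \??\...) are not ambiguous.
    if ($path.StartsWith('"') -or $path.StartsWith('\')) { return }
    # Executable portion: shortest prefix ending in ".exe" followed by a space or end of string.
    if ($path -notmatch '^(.+?\.exe)(\s|$)') { return }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return }

    # Each space is a point where Windows may stop parsing the file name,
    # so the directory holding that truncated name must not be user-writable.
    $dirs = @()
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $cut = $exe.Substring(0, $i).LastIndexOf('\')
        if ($cut -ge 0) { $dirs += $exe.Substring(0, $cut + 1) }
    }
    [pscustomobject]@{
        ImagePath  = $ImagePath
        Executable = $exe
        ReviewAcls = @($dirs | Select-Object -Unique)
    }
}

# Constructed sample values; the first is the install path from the workaround above, unquoted.
$samples = 'C:\Program Files\Sandboxie-Plus\SbieSvc.exe',
           '"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"',
           'C:\Windows\System32\svchost.exe -k netsvcs'
$samples | ForEach-Object { Get-UnquotedPathFinding $_ } | Format-List

# On a live Windows host, audit SbieSvc and every other registered service.
if ($env:OS -eq 'Windows_NT') {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object ImagePath |
        ForEach-Object {
            $finding = Get-UnquotedPathFinding $_.ImagePath
            if ($finding) {
                Add-Member -InputObject $finding -NotePropertyName Service `
                    -NotePropertyValue $_.PSChildName -PassThru
            }
        } | Format-Table Service, Executable, ReviewAcls -AutoSize
}
```

Only the first sample produces a finding; an empty table from the live audit means no registered service has an unquoted path with spaces.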
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications (Event ID 7040)
- Creation of unexpected executables in Sandboxie installation directory
- Unusual service startups or privilege escalation attempts
Network Indicators:
- Unusual outbound connections from system processes following service modifications
SIEM Query:
(EventID=7040 AND ServiceName="SbieSvc") OR (ProcessCreation WHERE ImagePath contains "Sandboxie-Plus" AND NOT ImagePath contains '"')