CVE-2024-49360
📋 TL;DR
This vulnerability in Sandboxie allows authenticated users to read files from other users' sandbox folders, bypassing intended isolation. An attacker can access sensitive data from other users' sandboxed processes. All users running vulnerable Sandboxie versions on Windows NT-based systems are affected.
💻 Affected Systems
- Sandboxie
- Sandboxie-Plus
📦 What is this software?
Sandboxie by Sandboxie Plus
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all sandboxed data across all users on the system, allowing data theft and potential privilege escalation through sensitive file access.
Likely Case
Unauthorized reading of other users' sandboxed files containing sensitive information like documents, credentials, or application data.
If Mitigated
Limited impact if strict access controls are enforced and users don't share systems, though isolation guarantees are still broken.
🎯 Exploit Status
Requires authenticated access and use of explorer.exe or cmd.exe outside the sandbox. No public exploit code available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-4chj-3c28-gvmp
Restart Required: No
Instructions:
No official patch available. Monitor vendor advisory for updates.
🔧 Temporary Workarounds
Restrict Sandbox Directory Permissions
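Windows: Manually set restrictive ACLs on each user's folder under C:\Sandbox\ to prevent cross-user access. Run the command as the folder's owner; it removes inherited ACEs and grants full control only to that user, SYSTEM and Administrators.
icacls "C:\Sandbox\%USERNAME%" /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"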
Disable Sandboxie Usage
Windows: Temporarily stop using Sandboxie until a patch is available
🧯 If You Can't Patch
- Implement strict user separation - ensure users don't share systems running Sandboxie
- Monitor C:\Sandbox\ directory access attempts and file read operations for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Test whether UserA can read files from the C:\Sandbox\UserB\ directory using explorer.exe or cmd.exe outside the sandbox
Check Version:
Check Sandboxie version in application or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Sandboxie
Verify Fix Applied:
Check vendor advisory for patch announcement and verify cross-user sandbox isolation works
📡 Detection & Monitoring
Log Indicators:
- File access events to C:\Sandbox\ directories from users other than the owner
- Process creation events for explorer.exe or cmd.exe accessing sandbox directories
Network Indicators:
- None - local vulnerability only
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE 'C:\\Sandbox\\%' AND SubjectUserName != ObjectOwner
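The same check as runnable detection logic, added here as an example and not taken from the vendor advisory: it derives the sandbox owner from the path and flags read access by any other user. Assumptions: events are already parsed into dicts using the 4663/4656 field names, sandboxes live under C:\Sandbox\<user>\..., and SYSTEM and computer accounts are expected service activity.

```python
import ntpath

SANDBOX_ROOT = r"C:\Sandbox"      # sandbox root as given on this page
READ_DATA = 0x1                   # ReadData/ListDirectory bit of AccessMask
SERVICE_SUBJECTS = {"system"}     # assumption: accounts expected to touch every sandbox

def sandbox_owner(object_name):
    # Owner = first folder below the root (assumed layout: C:\Sandbox\<user>\<box>\...)
    path = ntpath.normpath(object_name)
    prefix = SANDBOX_ROOT.lower() + "\\"
    if not path.lower().startswith(prefix):
        return None
    return path[len(prefix):].split("\\", 1)[0] or None

def cross_user_reads(events):
    # Return (subject, owner, process, path) for reads of another user's sandbox folder
    hits = []
    for ev in events:
        if ev.get("EventID") not in (4656, 4663):
            continue
        owner = sandbox_owner(ev.get("ObjectName", ""))
        subject = ev.get("SubjectUserName", "")
        if owner is None or subject.lower() in SERVICE_SUBJECTS or subject.endswith("$"):
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & READ_DATA:
            continue  # e.g. attribute-only access, not a content read
        if subject.lower() != owner.lower():
            hits.append((subject, owner, ntpath.basename(ev.get("ProcessName", "")),
                         ev["ObjectName"]))
    return hits

def _event(user, path, mask, proc):
    return {"EventID": 4663, "SubjectUserName": user, "ObjectName": path,
            "AccessMask": mask, "ProcessName": proc}

# Constructed sample records (not real logs), shaped like parsed 4663 events
SAMPLE_EVENTS = [
    _event("alice", r"C:\Sandbox\alice\DefaultBox\user\current\notes.txt", "0x1", r"C:\Windows\explorer.exe"),
    _event("alice", r"C:\Sandbox\bob\DefaultBox\user\current\report.docx", "0x1", r"C:\Windows\System32\cmd.exe"),
    _event("SYSTEM", r"C:\Sandbox\bob\DefaultBox\RegHive", "0x1", r"C:\Program Files\Sandboxie-Plus\SbieSvc.exe"),
    _event("carol", r"C:\Sandbox\bob\DefaultBox\user\current\report.docx", "0x80", r"C:\Windows\explorer.exe"),
    _event("alice", r"C:\Users\alice\Documents\todo.txt", "0x1", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in cross_user_reads(SAMPLE_EVENTS):
        print("cross-user sandbox read:", hit)
```

File access events are only generated when object-access auditing is enabled and an auditing entry (SACL) is set on C:\Sandbox.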