Sandboxie Plus (open source fork of Sandboxie)

[harlan4096]

Urgent security fixes (thanks @diversenok)

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Hotfix Changelog

Added

• added "RunServiceAsSystem=..." allows specific named services to be ran as system
  

Changed

• refactored some code around SCM access
  

Fixed

• fixed a crash issue in SbieSvc.exe introduced with the last build
  
• fixed issue with sandman ui update check
  

Removed

• removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults
  

Release Changelog

Added

• Sandboxie now strips particularly problematic privileges from sandboxed system tokens
  -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
  -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
  
• added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
  -- those resources are open by default but for a hardened box its desired to close them
  
• added print spooler filter to prevent printers from being set up outside the sandbox
  -- the filter can be disabled with "OpenPrintSpooler=y"
  
• added overwrite prompt when recovering an already existing file
  
• added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
  
• added more compatybility templates (thanks isaak654)
  

Changed

• Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
  -- use "RunServicesAsSystem=y" to enable the old legacy behavior
  -- Note: sandboxed services with a system token are still sandboxed and restricted
  -- However not granting them a system token in the first place removes possible exploit vectors
  -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
  
• Reworked dynamic IPC port handling
  
• Improved Resource Monitor status strings
  

Fixed

• fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
  
• fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
  
• fixed issue with ipc tracing
  
• fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
  -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
  
• fixed hooking issues SBIE2303 with chrome, edge and possibly others
  
• fixed failed check for running processes when performing snapshot operations
  
• fixed some box option checkboxes were not properly initialized
  
• fixed unavailable options are not properly disabled when sandman is not connected to the driver
  
• fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
  
• added missing localization to generic list commands
  
• fixed issue with "iconcache_*" when runngin sandboxed explorer
  
• fixed more issues with groups
  

Download