SbieDll.dll crashed (Access violation - code c0000005)

[psmetiak]

Describe the bug
Sandboxed program crashes after execution (Access violation - code c0000005)

To Reproduce
I can't reproduce this bug easily, but I have identified the place in source code where it happens.

Commit hash : 372747d

\core\dll\sh.c:782 (function SH32_DoRunAs())
if (CmdLine[0] == L'"') {

Problem is, if CmdLine is NULL (there is no check of NULL value)

SH32_DoRunAs() is in this case called from:
\core\dll\proc.c:1380
if (SH32_DoRunAs(lpCommandLine, lpCurrentDirectory,

lpCommandLine can be NULL (in this case it is NULL). probably it has to be called with lpApplicationName?

Expected behavior
No crash.

System details and installed software (please provide the following information):
Windows: 10.0.19042 Build 19042

[DavidXanatos]

what program runs into that crash?

[psmetiak]

Let admin.exe be file with manifest set to "'requireAdministrator" and project.exe is program that runs "admin.exe" with CreateProcess.
Normally (without sandboxing) after executing "project.exe" "admin.exe" is not executed (ERROR_ELEVATION_REQUIRED).
But when "project.exe" is executed sandboxed, it crashes.

Here is small project containing souce code for admin.exe and project.exe: https://drive.google.com/file/d/10voK0mIC1J8-hcTVxm-WD6yoQNkmYUrc/view?usp=sharing

[DavidXanatos]

hmm that is really strange on my systems i don't get the crash when running sandboxed

[psmetiak]

I have tried it on two computers (Version 10.0.17763 Build 17763, Version 10.0.19042 Build 19042) and on both it crashes.
If you try my project (I shared with you on google disk) and everything is ok, it will show msgbox "test".

[DavidXanatos]

I ran your project in and outside the sandbox and in booth cases I got the message box saying that no process was created.

whats your box configuration? Are you using FakeAdminRights or alike?

[DavidXanatos]

i can reproduce the issue now working on it

[DavidXanatos]

hmm... its very strange why the CreateProcess handler even tryes to do the elevation norma windows behavioure shoudl be that only shellexecuteex with runas wil show an elevation prompt,It may be best to actually remove that code portion from the create process impolementation

[DavidXanatos]

this explains: https://social.msdn.microsoft.com/Forums/sharepoint/en-US/d0941239-19a9-474a-8e28-0336c9dede8d/does-the-windows-8-program-compatibility-assistant-pca-no-longer-apply-the-elevatecreateprocess?forum=windowscompatibility
why the create process to SH32_DoRunAs path way was implemented by the old devs.
I'll have to think about what to do here best, aside of fixing the command line issue...

With a simple fix create process always throws the UAC prompt instead of failign with ERROR_ELEVATION_REQUIRED which may not be desired

I would add a sbie ini setting that enables this behavioure on a per orcess basis any by defualt disable it, what do you think?

[psmetiak]

Thank you for link, it's interesting.
IMHO I will try to emulate (and preserve) the "real" behaviour of windows OS based on its version. And this "little hack" in sbie ini sounds good.
And I'm sorry - I tried to do the best to describe this bug and the way how to reproduce it. Next time I will try to be more accurate.