Processes within the sandbox are permitted to use NtQuerySystemInformation to read kernel addresses. #5126
Answered by diversenok. nek0y4nsu asked this question in Q&A Feedback.
Some attackers exploit privilege escalation vulnerabilities by using NtQuerySystemInformation to leak kernel addresses. Is there a way to prevent programs within Sandboxie from using NtQuerySystemInformation?
Answered by diversenok, Dec 8, 2025
You may want to open a full bug report about this, if not perhaps a security report.
Newer OS versions already have a built-in mitigation that erases kernel addresses from these info classes' output buffers. It might be nice to back-port it to older versions, but that's not a vulnerability by any means.