Sandboxie
cpe:2.3:a:sandboxie:sandboxie:*:*:*:*:*:*:*
- >= 1.3.0, < 1.15.12
A vulnerability in Sandboxie versions from 1.3.0 up to, but not including, 1.15.12 allows arbitrary writes to kernel memory via the Api_GetSecureParam function. The function does not validate the pointers it receives and trusts that they are safe to write to. Any process on the system, including a low-integrity one, can exploit this flaw to manipulate kernel memory by directing the driver to dump registry contents into a specified kernel address. The vulnerability has been patched in version 1.15.12.
Exploitation of this vulnerability leads to arbitrary code execution in the kernel, which can have severe consequences for system stability and security.
The vulnerability can be reproduced by compiling a program that calls the Api_GetSecureParam function with a kernel pointer as the destination address. This can be done by leaking a kernel address through other means and then using it to receive dumped registry data, effectively writing controlled data into kernel memory.
Users can update to Sandboxie version 1.15.12 or later, where this vulnerability has been fixed.
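The missing destination-pointer validation described above, as a user-mode C model that only decides whether a write would be allowed. This is an added example, not Sandboxie's code or its patch: `struct out_request`, both function names, the `USER_PROBE_LIMIT` value and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: top of the user-mode address range on x64 Windows. */
#define USER_PROBE_LIMIT 0x00007FFFFFFF0000ULL

/* Hypothetical request: where the caller asks the driver to write, and how much. */
struct out_request {
    uint64_t dst;   /* caller-supplied destination address */
    uint64_t len;   /* caller-supplied buffer length in bytes */
};

/* Pattern the advisory describes: the destination is trusted as-is. */
int accepts_unchecked(const struct out_request *r) {
    (void)r;
    return 1;       /* any address, user or kernel, would be written to */
}

/* Hardened pattern: the whole range [dst, dst+len) must lie in user space. */
int accepts_checked(const struct out_request *r) {
    if (r->len == 0)
        return 0;                           /* nothing to write */
    if (r->dst >= USER_PROBE_LIMIT)
        return 0;                           /* starts in kernel space */
    /* Compare len with the room left below the limit rather than
       computing dst + len, which can wrap around and look small. */
    if (r->len > USER_PROBE_LIMIT - r->dst)
        return 0;                           /* ends in kernel space or wraps */
    return 1;
}

int main(void) {
    /* Constructed sample requests, not taken from a real system. */
    struct out_request samples[] = {
        { 0x000000000012F000ULL, 0x100 },                /* ordinary user buffer */
        { 0xFFFFF80000001000ULL, 0x100 },                /* kernel-range address */
        { 0x00007FFFFFFEFF00ULL, 0x200 },                /* straddles the limit  */
        { 0x0000000000001000ULL, 0xFFFFFFFFFFFFF000ULL } /* dst + len wraps      */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dst=0x%016llx len=0x%llx unchecked=%d checked=%d\n",
               (unsigned long long)samples[i].dst,
               (unsigned long long)samples[i].len,
               accepts_unchecked(&samples[i]), accepts_checked(&samples[i]));
    return 0;
}
```

In a Windows driver this class of check is normally done with `ProbeForWrite` inside a structured exception handler before a caller-supplied output buffer is touched.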