FastGPT Python Sandbox Arbitrary File Write Vulnerability

A vulnerability in FastGPT's Python Sandbox component, in versions through 4.14.7, allows users to bypass restrictions intended to prevent file write operations. The sandbox's guardrails, which include static detection and seccomp policies, can be circumvented by remapping the standard output file descriptor to a writable one using the fcntl system call. This manipulation enables arbitrary file creation or overwriting within the sandbox container, exploiting the fact that the seccomp rule only allows writes to stdout or stderr.

Impact

Exploitation of this vulnerability leads to arbitrary file overwrite capabilities as the container's root user, compromising the integrity of the sandbox environment. This could involve overwriting essential system or runtime files within the container, potentially causing the sandbox service to become unstable or unusable.

Reproduction

The vulnerability can be reproduced by first confirming that direct file write operations are blocked by the sandbox's restrictions. After establishing this, the next step is to remap the standard output file descriptor to a writable one using the fcntl system call. Once the remapping is done, writing to stdout through sys.stdout.write() will bypass the seccomp restrictions, allowing files to be created or overwritten in any writable directory within the sandbox container.

Remediation

It is recommended to restrict the open and openat syscalls to read-only access, allowing only safe flags, and to block file descriptor duplication or remapping via fcntl. These measures would prevent the manipulation of stdout or stderr to achieve unauthorized file write operations.