ByteDance Deer-Flow Sandbox Escape Vulnerability in LocalSandboxProvider Allowing Host Command Execution

A sandbox escape vulnerability has been identified in ByteDance Deer-Flow versions prior to commit 92c7a20. This vulnerability resides in the handling of bash tools within the LocalSandboxProvider, allowing attackers to execute arbitrary commands on the host system. The issue arises by circumventing regex-based validation through the use of shell features like directory changes and relative paths. Exploitation of this vulnerability takes advantage of incomplete modeling of shell semantics, enabling access to read and modify files beyond the sandbox's boundaries. Ultimately, this leads to unauthorized command execution by invoking subprocesses with shell interpretation enabled.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, bypassing the intended sandbox restrictions.

Reproduction

To reproduce this vulnerability, configure Deer-Flow to use the LocalSandboxProvider with the host bash execution option enabled. This can be done by setting 'allow_host_bash: true' in the sandbox configuration. Once this is set, the vulnerability can be exploited by sending a command that includes relative paths or directory traversal sequences, which will bypass the regex validation and execute arbitrary commands on the host.

Remediation

Update to ByteDance Deer-Flow version 2.0 or later, where this vulnerability has been addressed. In version 2.0, the LocalSandboxProvider no longer enables host bash execution by default, mitigating the risk of sandbox escapes.