alf.io
- <= 2.0-M5-2509-1
A sandbox escape vulnerability has been identified in alf.io, an open-source ticket reservation system, prior to version 2.0-M5-2606. This vulnerability allows authenticated administrators to execute arbitrary operating system commands on the server. The issue arises in the extension script engine, which is designed to run restricted JavaScript in a sandboxed Rhino environment. However, an unguarded injected Java object, 'returnClass', combined with an incomplete Abstract Syntax Tree (AST) blocklist, enables a full escape from the sandbox through Java reflection without triggering the engine's validation errors. The vulnerability is triggered when an extension script is saved, with the malicious code executing during the next relevant event, such as 'INVOICE_GENERATION' on the first ticket purchase with invoicing enabled.
Exploitation of this vulnerability allows authenticated administrators to execute arbitrary operating system commands on the server, with the commands running under the user account of the alf.io process.
To reproduce this vulnerability, an authenticated administrator can upload a server-side JavaScript extension through the alf.io extension editor or by posting to the '/admin/api/extensions' endpoint. The uploaded script can include code that escapes the sandbox and executes operating system commands. Once the script is saved, it will run automatically during the next scheduled event, such as 'INVOICE_GENERATION', with the output of the executed command appearing in the user interface and the extension log.
Users are advised to update to alf.io version 2.0-M5-2606 or later, where this vulnerability has been patched.
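Deciding which deployments need the update means comparing alf.io's milestone-style version strings ("2.0-M5-2509-1": major.minor, milestone, build, optional hotfix suffix). The following audit helper is an added example, not alf.io project code; the host names and the "2.0-M5-2611" and "2.0-M4-1903" versions in the inventory are constructed, and the fixed version comes from the advisory above.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release, as stated in the advisory.
FIXED_VERSION = "2.0-M5-2606"

# major.minor-M<milestone>-<build>[-<hotfix>]; the hotfix suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-M(\d+)-(\d+)(?:-(\d+))?$")

VersionTuple = Tuple[int, int, int, int, int]


def parse_version(version: str) -> Optional[VersionTuple]:
    """Turn an alf.io version string into a comparable tuple, or None when the
    string does not follow the milestone scheme (snapshot, git hash, ...)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, milestone, build, hotfix = m.groups()
    # A missing hotfix suffix sorts before any hotfix of the same build.
    return (int(major), int(minor), int(milestone), int(build), int(hotfix or 0))


_FIXED = parse_version(FIXED_VERSION)


def is_affected(version: str) -> Optional[bool]:
    """True if older than the fixed release, False if fixed or newer,
    None if the version cannot be classified and needs a manual look."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < _FIXED


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in a {host: version} inventory."""
    labels = {True: "affected", False: "patched", None: "unknown"}
    return {host: labels[is_affected(v)] for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "tickets-prod": "2.0-M5-2509-1",   # last affected build named in the advisory
    "tickets-staging": "2.0-M5-2606",  # first fixed build
    "tickets-dev": "2.0-M5-2611",      # constructed later build
    "tickets-legacy": "2.0-M4-1903",   # constructed older milestone, prior to the fix
    "tickets-test": "2.0.0-SNAPSHOT",  # not classifiable with this scheme
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" run a build the scheme cannot order and should be checked by hand rather than assumed patched.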