MaxKB Sandbox Bypass Vulnerability Allowing Access to Internal Services

Vulnerability

MaxKB versions through 2.7.1 allow authenticated users with tool-editing permissions to bypass the sandbox's network protections and reach internal services that the sandbox's banned hosts configuration is meant to block. The sandbox uses LD_PRELOAD to hook the connect() function and reject connections to banned IPs. On Linux, however, sendto() called with the MSG_FASTOPEN flag can establish a TCP connection directly in the kernel, without going through the hooked connect() or its IP validation. Because the sandbox's network hooks do not intercept sendto(), this path gives unauthorized access to restricted internal services.
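One way a preload hook can close the gap described above, shown as an added example (not MaxKB's code and not the 2.8.0 fix): the destination check applied on connect() is also applied on sendto(). The names checked_sendto and dest_is_banned and the BANNED list are hypothetical, and the ban list is constructed sample data.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed ban list (assumption): a real one comes from the sandbox config. */
static const struct { const char *net; int bits; } BANNED[] = {
    {"127.0.0.0", 8}, {"10.0.0.0", 8}, {"169.254.0.0", 16},
};

/* Return 1 if the host-order IPv4 address falls inside any banned CIDR block. */
static int ipv4_banned(uint32_t ip) {
    for (size_t i = 0; i < sizeof BANNED / sizeof BANNED[0]; i++) {
        struct in_addr net;
        inet_pton(AF_INET, BANNED[i].net, &net);
        uint32_t mask = BANNED[i].bits ? ~0u << (32 - BANNED[i].bits) : 0;
        if ((ip & mask) == (ntohl(net.s_addr) & mask)) return 1;
    }
    return 0;
}

/* Destination check shared by every hooked call that carries an address. */
int dest_is_banned(const struct sockaddr *sa, socklen_t len) {
    if (sa == NULL) return 0;
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        return ipv4_banned(ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr));
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_LOOPBACK(a)) return 1;   /* ::1 treated like 127/8 */
        if (IN6_IS_ADDR_V4MAPPED(a)) {           /* ::ffff:a.b.c.d is an IPv4 host */
            uint32_t v4;
            memcpy(&v4, &a->s6_addr[12], 4);
            return ipv4_banned(ntohl(v4));
        }
    }
    return 0;
}

/* Body for a hooked sendto(): an address on this call can open a TCP connection
 * (MSG_FASTOPEN), so it is checked before the call is forwarded. In a preload
 * library the forward would go through dlsym(RTLD_NEXT, "sendto") instead. */
ssize_t checked_sendto(int fd, const void *buf, size_t n, int flags,
                       const struct sockaddr *dest, socklen_t dlen) {
    if (dest_is_banned(dest, dlen)) { errno = EACCES; return -1; }
    return sendto(fd, buf, n, flags, dest, dlen);
}
```

The check runs on any sendto() that carries a destination address, whatever the flags, so the decision does not depend on recognising MSG_FASTOPEN specifically.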

Impact

Exploitation of this vulnerability can lead to unauthorized access to internal services that are meant to be blocked by the sandbox's configuration.

Remediation

Users can upgrade to MaxKB version 2.8.0 or later to address this vulnerability.

Added: Apr 14, 2026, 1:21 AM
Updated: Apr 14, 2026, 1:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.5
remediation: 0.0
relevance: 5.9
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.