MaxKB Tool Execution Result Spoofing Vulnerability
Vulnerability
A vulnerability in MaxKB versions through 2.7.1 allows authenticated users to bypass sandbox result validation and spoof tool execution results. This is achieved by exploiting Python frame introspection to extract the wrapper's UUID from its bytecode constants. The attacker can then write a forged result directly to the standard output, bypassing the usual redirection. By calling sys.exit(0), the attacker terminates the wrapper execution before the legitimate output is printed, causing the MaxKB service to accept the spoofed response as the genuine tool result.
Impact
Exploitation of this vulnerability allows for the spoofing of tool execution results, which could lead to incorrect data being processed or trusted by the MaxKB service.
Reproduction
To reproduce this vulnerability, an authenticated user can execute custom Python tool code within MaxKB. The attack involves writing a payload that includes a forged JSON response, using the UUID extracted through Python introspection. This payload is then sent to standard output, bypassing the sandbox's output redirection. After writing the payload, the user calls sys.exit(0) to terminate the execution wrapper, preventing the genuine output from being printed. As a result, the MaxKB service receives and trusts the spoofed response.
Remediation
Users can upgrade to MaxKB version 2.8.0 or later, where this vulnerability has been fixed.
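For deployments that ran an affected version, stored custom tool code can be reviewed for the three behaviours described above: frame introspection, writes that bypass stdout redirection, and early termination. The following audit helper is an added example, not code from MaxKB or its fix; the name lists, function names and sample snippet are assumptions made for illustration. It is a heuristic for triage: dynamically built attribute names will evade it, so it does not replace upgrading.

```python
import ast

# Names tied to the behaviours the advisory describes. This list is an
# assumption chosen for the example, not taken from MaxKB's code or its fix.
FRAME_ATTRS = {"f_back", "f_code", "f_globals", "f_locals", "co_consts"}
FRAME_CALLS = {"sys._getframe", "inspect.currentframe", "inspect.stack"}
RAW_STDOUT = {"sys.__stdout__", "os.write"}
EARLY_EXIT = {"sys.exit", "os._exit", "exit", "quit"}

# Constructed sample of tool source, for demonstration only.
SAMPLE = "import sys\nframe = sys._getframe(1)\nconsts = frame.f_code.co_consts\nsys.exit(0)\n"

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit_tool_source(source):
    """Return sorted (line, category, detail) findings for one tool's source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        line = getattr(node, "lineno", 0)
        if isinstance(node, ast.Attribute):
            if node.attr in FRAME_ATTRS:
                findings.add((line, "frame-introspection", node.attr))
            if dotted(node) in RAW_STDOUT:
                findings.add((line, "raw-stdout", dotted(node)))
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in FRAME_CALLS:
                findings.add((line, "frame-introspection", name))
            elif name in EARLY_EXIT:
                findings.add((line, "early-exit", name))
            elif name == "getattr" and len(node.args) > 1:
                arg = node.args[1]  # getattr(obj, "co_consts") style access
                if isinstance(arg, ast.Constant) and arg.value in FRAME_ATTRS:
                    findings.add((line, "frame-introspection", arg.value))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_tool_source(SAMPLE):
        print(finding)
```

A finding is a prompt for manual review of that tool, since legitimate code can call `sys.exit` as well.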
