MaxKB Remote Code Execution Vulnerability Due to Incomplete Sandbox Protection
Vulnerability
A remote code execution vulnerability has been identified in MaxKB versions through 2.7.1. The issue arises from an incomplete sandbox protection mechanism that allows an authenticated user with tool execution privileges to escape a sandbox enforced by the LD_PRELOAD environment variable. This vulnerability enables unrestricted execution of Python code and access to network resources.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where MaxKB is running, with full access to network resources.
Reproduction
To reproduce this vulnerability, an authenticated user with tool execution privileges can use the Tool Debug API to execute untrusted Python code. The sandbox.so library is injected into the tool process via the LD_PRELOAD environment variable and normally restricts network and file access by intercepting certain C library functions. However, the recent patch that allows the sandboxed user to execute the env command can be exploited. Running env with the -i flag clears all environment variables, including the LD_PRELOAD variable that loads the sandbox hooks. The newly created Python process therefore runs without any restrictions, bypassing the sandbox's file and network controls.
Remediation
Users can upgrade to MaxKB version 2.8.0, which addresses this vulnerability by removing the ability to use the env command in a way that bypasses the sandbox restrictions.
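Because the restrictions described above exist only in processes where sandbox.so is actually loaded, a defender can verify this per process rather than trusting the environment variable. The Python check below is an added example, not MaxKB code: it parses the contents of /proc/<pid>/environ and /proc/<pid>/maps and reports processes in which the library is not mapped. The /example/lib path, the PIDs and the sample data are constructed assumptions, since the advisory does not give the library's install path.

```python
import os

SANDBOX_LIB = "sandbox.so"  # library name from the advisory; its install path is not given

def preload_entries(environ_bytes):
    """LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL-separated)."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()  # ld.so accepts ':' or ' '
    return []

def mapped_libraries(maps_text):
    """Basenames of file-backed mappings listed in /proc/<pid>/maps text."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            libs.add(os.path.basename(fields[5].replace(" (deleted)", "")))
    return libs

def classify(environ_bytes, maps_text, lib=SANDBOX_LIB):
    """'hooked' only if the library is really mapped; the env var alone proves nothing."""
    if lib in mapped_libraries(maps_text):
        return "hooked"
    named = any(os.path.basename(p) == lib for p in preload_entries(environ_bytes))
    return "preload-set-not-mapped" if named else "unhooked"

def classify_pid(pid):
    """Live check on Linux; needs permission to read the target's /proc entries."""
    with open(f"/proc/{pid}/environ", "rb") as e, open(f"/proc/{pid}/maps") as m:
        return classify(e.read(), m.read())

def audit(samples):
    """PIDs whose process is not running under the sandbox hooks."""
    return sorted(p for p, (env, maps) in samples.items() if classify(env, maps) != "hooked")

# Constructed sample data (PIDs, addresses and /example paths are made up).
_PY = "55d0c0a00000-55d0c0a01000 r-xp 00000000 08:01 1001 /usr/bin/python3\n"
_SO = "7f10aa000000-7f10aa004000 r-xp 00000000 08:01 2002 /example/lib/sandbox.so\n"
_STACK = "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n"
SAMPLES = {
    4101: (b"PATH=/usr/bin\0LD_PRELOAD=/example/lib/sandbox.so\0", _PY + _SO + _STACK),
    4102: (b"", _PY + _STACK),  # empty environment, as left by `env -i`
}

if __name__ == "__main__":
    for pid, (env, maps) in SAMPLES.items():
        print(pid, classify(env, maps))
```

On a live host, classify_pid can be run over the processes owned by the sandboxed user; any result other than "hooked" means that process is running without the sandbox hooks.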
