This exploit demonstrates a sandbox escape in jruby-sandbox <= 0.2.2 by importing Java classes to execute arbitrary commands outside the sandboxed environment. It leverages Java's ProcessBuilder to spawn a shell and execute the 'id' command.
Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target:jruby-sandbox <= 0.2.2
No auth needed
Prerequisites:Access to a system running jruby-sandbox <= 0.2.2