From 1bf7a16ab2b224e213ff9bf3637b9d8d1492db57 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 27 Jun 2026 03:05:51 +0000 Subject: [PATCH] Add content from: Claude Code: Unsandboxed Code Execution from Prompt Injectio... --- src/AI/AI-Prompts.md | 50 +++++++++++++++++++ .../android-vpn-bypass.md | 2 + 2 files changed, 52 insertions(+) diff --git a/src/AI/AI-Prompts.md b/src/AI/AI-Prompts.md index 27be4ca6260..c3e804ac137 100644 --- a/src/AI/AI-Prompts.md +++ b/src/AI/AI-Prompts.md @@ -618,6 +618,54 @@ Below is a minimal payload that both **hides YOLO enabling** and **executes a re +## Prompt Injection in Local AI CLIs – Trusted Worktree Tool Abuse (Claude Code) + +Repository-local prompt files such as `CLAUDE.md` should be treated as **untrusted executable guidance** when an agent exposes high-privilege built-in tools. In Claude Code, direct Bash could be restricted while prompt injection still drove the trusted `CreateWorktree`, `EnterWorktree`, and `ExitWorktree` flows. + +### Why the chain was dangerous + +- **Tool trust bypass, not shell approval bypass**: the payload never needed the user to approve arbitrary Bash first; it abused agent-native worktree features that already run Git internally. +- **`.git` worktree name collision**: allowing a worktree literally named `.git` let the copied worktree path collide with Git's metadata directory semantics. +- **Repo root as working tree + gitdir**: a malicious repository can place bare-style metadata (`HEAD`, `config`, `objects/`, `refs/`) at the root so that a copied `.git` worktree becomes a fully attacker-controlled gitdir. +- **Implicit execution via Git config**: if Git loads attacker-controlled config from that confused gitdir, `core.fsmonitor` can execute a payload whenever trusted tool flows trigger `git status` or similar operations. +- **Filesystem pivot via symlinked worktree storage**: replacing `.claude/worktrees` with a symlink to `$HOME` or `/Users` makes later trusted worktree creation/navigation escape the intended project subtree. +- **Arbitrary navigation via forged worktree metadata**: creating `.git/worktrees//commondir`, `gitdir`, `HEAD`, `ORIG_HEAD`, and `logs/HEAD` can make `git worktree list` advertise attacker-chosen directories as legitimate worktrees. +- **macOS shell-init before seatbelt**: if the sandbox wrapper is invoked as `zsh -c "sandbox-exec ..."`, a write to `~/.zshenv` becomes an unsandboxed execution primitive because `zsh` sources it before `sandbox-exec` applies the profile. + +Minimal Git execution primitive: + +```ini +[core] + fsmonitor = ./3p_setup.sh +``` + +Minimal forged worktree registration: + +```bash +wt=".git/worktrees/$USER" +mkdir -p "$wt/logs" "$wt/refs" +pwd > "$wt/commondir" +printf '/Users/%s' "$USER" > "$wt/gitdir" +printf 'ref: refs/heads/%s\n' "$USER" > "$wt/HEAD" +``` + +### Practical attack chain + +1. Victim opens an attacker repo and asks the local AI CLI for a benign task. +2. `CLAUDE.md` prompt injection tells the agent to create and enter worktrees rather than run raw shell. +3. A worktree named `.git` causes Git to resolve attacker-controlled metadata/config from the copied repo. +4. `core.fsmonitor` executes the staged payload during trusted Git operations. +5. The payload pivots `.claude/worktrees` to `$HOME`, forges `.git/worktrees/$USER`, and makes the agent enter the victim home directory. +6. A final write to `~/.zshenv` converts the next `zsh -c "sandbox-exec ..."` execution into **unsandboxed host code execution**. + +### Technical detection ideas + +- Flag repositories with unexpected **root-level Git metadata** (`HEAD`, `config`, `objects/`, `refs/`) outside `.git/`. +- Audit agent-managed folders such as `.claude/worktrees` for **symlink replacement** to `$HOME`, `/Users`, or other sensitive paths. +- Inspect suspicious Git config sources with `git config --show-origin --get-all core.fsmonitor`. +- Monitor unexpected creation/modification of `$HOME/.git`, `$HOME/.zshenv`, and `.git/worktrees/*/gitdir` pointing outside the project. +- Treat repo-local AI instruction files (`CLAUDE.md`, agent rules, workspace prompts) as code-reviewable attack surface. + ## Encrypted Reasoning-State Replay, Transcript JSON Injection, and Reasoning Side Channels Some reasoning-model APIs return **opaque reasoning/thinking items** that the client must replay on later turns. OpenAI explicitly documents that reasoning items may contain `encrypted_content` and should be preserved when continuing a conversation, while Anthropic exposes signed/opaque thinking blocks that must also be passed back unchanged. @@ -696,6 +744,8 @@ This means **timing alone** can be enough to leak secrets through an ordinary ch - [OpenAI – Memory and new controls for ChatGPT](https://openai.com/index/memory-and-new-controls-for-chatgpt/) - [OpenAI Begins Tackling ChatGPT Data Leak Vulnerability (url_safe analysis)](https://embracethered.com/blog/posts/2023/openai-data-exfiltration-first-mitigations-implemented/) - [Unit 42 – Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild](https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/) +- [Claude Code: unsandboxed code execution from prompt injection via `.git` worktree confusion](https://github.com/Metnew/write-ups/tree/main/claude-code-worktree-sandbox-escape) +- [GHSA-7835-87q9-rgvv / CVE-2026-55607 – Claude Code worktree path confusion](https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv) - [Anthropic extended thinking](https://docs.anthropic.com/en/docs/build-with-claude/extended-thinking) - [OpenAI Responses API overview](https://developers.openai.com/api/reference/responses/overview) - [OpenAI reasoning guide](https://developers.openai.com/api/docs/guides/reasoning?example=planning) diff --git a/src/mobile-pentesting/android-app-pentesting/android-vpn-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-vpn-bypass.md index 4f65077c956..5c7e4f4e487 100644 --- a/src/mobile-pentesting/android-app-pentesting/android-vpn-bypass.md +++ b/src/mobile-pentesting/android-app-pentesting/android-vpn-bypass.md @@ -1,5 +1,7 @@ # Android VPN Bypass +{{#include ../../banners/hacktricks-training.md}} + ## Hidden Binder APIs, Confused Deputies and VPN Lockdown Bypasses A hidden Java API is still reachable when the underlying **Binder transaction is exposed to apps** and the service implementation forgets to perform its own authorisation. A useful triage pattern is: **untrusted app -> Binder registration of attacker-controlled state -> privileged system component later replays that state**.