How We Rooted Copilot
9 months ago
- #Vulnerability
- #Cybersecurity
- #Microsoft Copilot
- Microsoft updated Copilot Enterprise in April 2025 with a live Python sandbox running Jupyter Notebook.
- The sandbox can execute Linux commands as the 'ubuntu' user in a miniconda environment, with the user in the sudo group but no sudo binary present.
- The sandbox uses Python 3.12 and a newer kernel version than ChatGPT's sandbox.
- Main functionalities include running Jupyter Notebooks and a Tika server.
- The container has a link-local network interface and uses an OverlayFS filesystem from a host system path.
- Custom scripts are located in the /app directory, including goclientapp and httpproxy binaries.
- A vulnerability was found in the entrypoint.sh script: it executes pgrep without a full path, which allows potential privilege escalation.
- Exploiting the vulnerability grants root access but offers no significant advantage due to container restrictions.
- Microsoft fixed the vulnerability, classifying it as moderate severity with no bounty awarded.
- A talk at Black Hat USA 2025 will detail further access to Microsoft's Responsible AI Operations control panel.
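
A defender-side check for the bug class in the entrypoint.sh item above (a script calling `pgrep` by bare name), added here as an example and not taken from the original write-up or from Microsoft's code. It walks a PATH value in lookup order and reports where the invoking user could shadow or replace the binary; the function names, finding labels and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# audit_path_lookup CMD PATH_VALUE
# Walks PATH_VALUE in the order the shell resolves a bare command name and
# prints one finding per line:
#   relative:<entry>  entry is empty or not absolute (resolved against the cwd)
#   shadow:<dir>      dir is searched before the real binary and is writable
#   replace:<dir>     dir holding the resolved binary is itself writable
# "Writable" means writable by the invoking user, so run it as the
# unprivileged account being assessed, with the PATH the privileged script sees.
audit_path_lookup() {
    cmd=$1
    rest=$2:                      # trailing ':' so the last entry is consumed
    while [ -n "$rest" ]; do
        dir=${rest%%:*}           # next PATH entry
        rest=${rest#*:}           # remainder after that entry
        case $dir in
            /*) ;;
            *)  echo "relative:$dir"; continue ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            [ -w "$dir" ] && echo "replace:$dir"
            return 0              # lookup stops at the first match
        fi
        [ -d "$dir" ] && [ -w "$dir" ] && echo "shadow:$dir"
    done
    return 0
}

# Constructed layout (not the real container): "userbin" stands in for a
# user-writable directory listed ahead of the directory holding the binary.
constructed_demo() {
    t=$(mktemp -d)
    mkdir "$t/userbin" "$t/sysbin"
    printf '#!/bin/sh\n' > "$t/sysbin/pgrep"
    chmod +x "$t/sysbin/pgrep"
    audit_path_lookup pgrep "$t/userbin:$t/sysbin" | sed "s|$t/||"
    rm -rf "$t"
}
constructed_demo
```

Any `shadow:` or `relative:` finding for a command that a privileged script calls by bare name is removed by calling the binary by absolute path or by setting a fixed PATH at the top of the script.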