Full Report
Copilot added a Python sandbox running Jupyter Notebook that can execute code. Within Copilot, we can use %command to execute arbitrary commands in the environment. The author points out that it works sometimes and is like a child. After some time, though, it becomes more and more consistent in execution. I am guessing that it sees its past actions and is more likely to perform the actions as a result. They read files from the system using this technique. When trying to read binaries, there were many mistakes, so they had to base64-encode the binaries. After getting all of the files, they could steal the server code for the application they were interacting with. In the bash script that starts the server, a loop executes a set of commands every two seconds. Most of these are executed with lower permissions, but not all. In this loop, it calls pgrep with non-dropped privileges AND without an absolute path. By changing the PATH variable, it's possible to change the binary being used and execute it as root. Funnily enough, there's zero impact to escalating this to root. Still some good alpha on using Copilot and a good privilege escalation.
Analysis Summary
# Vulnerability: Privilege Escalation via PATH Interception in Copilot Python Sandbox
## CVE Details
- **CVE ID**: Not explicitly assigned in report (Handled as a Microsoft Online Service vulnerability)
- **CVSS Score**: Moderate (Vendor assessment)
- **CWE**: CWE-427: Uncontrolled Search Path Element
## Affected Systems
- **Products**: Microsoft Copilot Enterprise
- **Versions**: Deployments prior to July 2025 containing the "Python sandbox" / Jupyter Notebook feature.
- **Configurations**: Environments where the `keepAliveJupyterSvc.sh` script (running as root) and users share writable directories in the `$PATH` (specifically `/app/miniconda/bin`).
## Vulnerability Description
The Copilot Enterprise Python sandbox runs a Jupyter Notebook environment within a container. While user-facing processes (like the execution API) run with dropped privileges as the `ubuntu` user, a maintenance script (`keepAliveJupyterSvc.sh`) runs as **root** in a "while true" loop to monitor services.
This script executes the `pgrep` command without an absolute path. Because the root user's `$PATH` listed a directory writable by the low-privileged `ubuntu` user (`/app/miniconda/bin`) ahead of the system binary directory (`/usr/bin`), an attacker can place a malicious executable named `pgrep` in the writable directory; the loop then executes the attacker's binary with root privileges on its next cycle (every two seconds).
## Exploitation
- **Status**: PoC available; Reported and fixed.
- **Complexity**: Medium (Requires prompt engineering to force Copilot to write specific files and bypass "reluctant" AI behavior).
- **Attack Vector**: Local (Within the container environment via the Copilot interface).
## Impact
- **Confidentiality**: High (Full read access to the container filesystem, including sensitive server code and configurations).
- **Integrity**: High (Ability to modify any file within the sandbox container).
- **Availability**: High (Ability to terminate system processes or the container itself).
- **Note**: The researcher noted that this did not lead to a container breakout; impact was limited to the isolated sandbox environment.
## Remediation
### Patches
- Microsoft silently patched the backend environment in July 2025. Users of Copilot Enterprise do not need to take action as this is a cloud-side fix.
### Workarounds
- No manual workarounds are required for end-users. For developers of similar environments, always use absolute paths for binaries in scripts running with elevated privileges (e.g., `/usr/bin/pgrep` instead of `pgrep`).
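A defender-side check for the pattern described in the vulnerability description and the workaround above (a root loop script resolving an unqualified `pgrep` through a `$PATH` whose earlier entry is writable by the unprivileged user). This is an added example, not code from the Eye Security report or from Microsoft: it walks a PATH string in shell resolution order and flags any world-writable directory that is searched before the command is found. The directory tree it builds under a temp dir is a constructed stand-in for the container's `/app/miniconda/bin` and `/usr/bin`.

```shell
# Added example: audit a privileged script's $PATH for a world-writable
# directory searched before the one holding the real binary.

# world_writable DIR: true if DIR exists with the other-write mode bit set
# (checks mode bits, not the caller's access, so it also works as root).
world_writable() {
    [ -d "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# audit_path_for_cmd PATH_STRING COMMAND: walk PATH_STRING left to right as
# the shell does for an unqualified command, print findings, and return 1
# if a world-writable directory is searched before (or supplies) COMMAND.
audit_path_for_cmd() {
    pathstr=$1; cmd=$2; rc=0
    IFS=':'
    for dir in $pathstr; do
        [ -z "$dir" ] && dir=.             # an empty entry means the cwd
        if [ -x "$dir/$cmd" ]; then
            printf 'resolved: %s -> %s/%s\n' "$cmd" "$dir" "$cmd"
            if world_writable "$dir"; then
                printf 'RISK: %s supplies %s and is world-writable\n' "$dir" "$cmd"; rc=1
            fi
            break
        fi
        if world_writable "$dir"; then
            printf 'RISK: %s is world-writable and precedes %s\n' "$dir" "$cmd"; rc=1
        fi
    done
    unset IFS                              # restore default word splitting
    return $rc
}

# build_demo_tree BASE: constructed stand-in for the layout in the report, a
# world-writable app/miniconda/bin searched ahead of the usr/bin holding a
# stub pgrep. Echoes the PATH string the root loop script would see.
build_demo_tree() {
    mkdir -p "$1/app/miniconda/bin" "$1/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$1/usr/bin/pgrep"
    chmod 0777 "$1/app/miniconda/bin"
    chmod 0755 "$1/usr/bin" "$1/usr/bin/pgrep"
    printf '%s:%s\n' "$1/app/miniconda/bin" "$1/usr/bin"
}

# Stand-alone run: vulnerable layout, then the same PATH after hardening.
tmp=$(mktemp -d)
demo_path=$(build_demo_tree "$tmp")
audit_path_for_cmd "$demo_path" pgrep || echo "=> PATH hijack risk found"
chmod 0755 "$tmp/app/miniconda/bin"
audit_path_for_cmd "$demo_path" pgrep && echo "=> no PATH risk after hardening"
rm -rf "$tmp"
```

Run it as the low-privileged user with the exact `PATH` value the privileged script exports; the same walk also catches the degenerate case of an empty PATH entry, which resolves to the current directory.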
## Detection
- **Indicators of Compromise**:
  - Presence of non-standard binaries in `/app/miniconda/bin/` or other writable `$PATH` directories.
  - Unusual base64 encoding activity within the Jupyter environment logs.
- **Detection Methods**: Audit of container shell history and monitoring for privilege-escalation patterns (STDOUT/STDERR redirection to sensitive areas).
## References
- [Eye Security Research Blog](https://research.eye.security/how-we-rooted-copilot/)
- [Microsoft Online Services Acknowledgments](https://portal.msrc.microsoft.com/en-us/security-guidance/researcher-acknowledgments-online-services)
- [BlackHat USA 2025: Consent & Compromise Briefing](https://www.blackhat.com/us-25/briefings/schedule/#consent--compromise-abusing-entra-oauth-for-fun-and-access-to-internal-microsoft-applications-45128)