T108 — NIGHTFALL Unified AI Sandbox & Container Escape Engine — L19 Sandbox Escape

SPECTER SANDBOX

Every Sandbox. Every Container. Every Escape.

SPECTER SANDBOX is the unified AI sandbox and container escape engine. Nine real CVEs across six platforms — runc, Docker Desktop, OpenClaw, CrewAI CodeInterpreter, Cohere Terrarium, and enclave-vm. SILENTBRIDGE delivers indirect prompt injection to trigger sandbox execution. CLAWCHAIN runs the OpenClaw 4-CVE chain. TERRARIUM breaks JS prototype isolation. ENCLAVE hits the CVSS 10.0 Error prototype chain. CREWAI weaponises the Python ctypes fallback. CONTAINER escapes to host root via runc /dev/null symlink or Docker Desktop Engine API. 252 tests. Zero failures.

252 Tests | 9 CVEs | 8 Subsystems | 4 Gate Tiers

Kill Chain

Eight subsystems. One complete sandbox escape pipeline — from indirect prompt injection to host root.

1. SURVEY
2. SILENTBRIDGE
3. CLAWCHAIN
4. TERRARIUM
5. ENCLAVE
6. CREWAI
7. CONTAINER
8. REPORT
SURVEY

Detects runc version (CVE-2025-31133 ≤1.2.7), Docker Desktop Engine API at 192.168.65.7:2375 (CVE-2025-9074), OpenClaw /api/version endpoint (CVE-2026-44112/113/115/118), CrewAI via pip, enclave-vm via npm, Cohere Terrarium via HTTP OPTIONS. Recommends optimal escape chain by CVSS score.

SILENTBRIDGE

Indirect prompt injection engine (SilentBridge, CVSS 9.8). CSS hidden text (font-size:0px) and zero-width Unicode character encoding. Six payload types: tool_call_exfil, system_prompt_extract, credential_harvest, sandbox_trigger, file_read, pivot_instruction. Delivers via HTTP POST to agent endpoint.
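The two delivery techniques named above, CSS hidden text and zero-width Unicode encoding, are also what a defender can screen for before fetched web content is placed into an agent's context. The Go scanner below is an added example and is not part of SPECTER SANDBOX or SILENTBRIDGE; the sample page, the hidden-text placeholder, the set of zero-width code points treated as carriers, and the run-length threshold of 8 are all constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious region in content that is about to be
// handed to an agent as context.
type Finding struct {
	Kind    string // "css_hidden_text" or "zero_width_run"
	Offset  int    // byte offset of the region in the input
	Snippet string // the hidden text, or a description of the run
}

// zeroWidth lists code points that render as nothing and are the usual
// carriers for zero-width encoding of a hidden message (assumed set).
var zeroWidth = map[rune]bool{
	'\u200B': true, // ZERO WIDTH SPACE
	'\u200C': true, // ZERO WIDTH NON-JOINER
	'\u200D': true, // ZERO WIDTH JOINER
	'\u2060': true, // WORD JOINER
	'\uFEFF': true, // ZERO WIDTH NO-BREAK SPACE (BOM)
}

// styledElem captures the tag name, inline style and body of any element
// with a style attribute. The non-greedy body stops at the first closing
// tag, which is enough for flat markup like the sample below.
var styledElem = regexp.MustCompile(
	`(?is)<(\w+)\b[^>]*\bstyle\s*=\s*["']([^"']*)["'][^>]*>(.*?)</\s*\w+\s*>`)

// hiddenProp matches declarations that make an element's text invisible.
var hiddenProp = regexp.MustCompile(
	`(?i)font-size\s*:\s*0(?:\.0+)?(?:px|em|rem|pt|%)?\s*(?:;|$)` +
		`|display\s*:\s*none|visibility\s*:\s*hidden` +
		`|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)`)

// FindHiddenCSS returns elements whose inline style hides their text.
func FindHiddenCSS(html string) []Finding {
	var out []Finding
	for _, m := range styledElem.FindAllStringSubmatchIndex(html, -1) {
		style := html[m[4]:m[5]]
		body := strings.TrimSpace(html[m[6]:m[7]])
		if body != "" && hiddenProp.MatchString(style) {
			out = append(out, Finding{Kind: "css_hidden_text", Offset: m[0], Snippet: body})
		}
	}
	return out
}

// FindZeroWidthRuns returns runs of at least minRun consecutive zero-width
// code points. A single stray one is common in copied text; a long run is
// characteristic of an encoded payload.
func FindZeroWidthRuns(s string, minRun int) []Finding {
	var out []Finding
	start, n := -1, 0
	flush := func() {
		if n >= minRun {
			out = append(out, Finding{Kind: "zero_width_run", Offset: start,
				Snippet: fmt.Sprintf("%d zero-width code points", n)})
		}
		start, n = -1, 0
	}
	for i, r := range s {
		if zeroWidth[r] {
			if n == 0 {
				start = i
			}
			n++
			continue
		}
		flush()
	}
	flush()
	return out
}

// Scan runs both checks over a document before it reaches the model.
func Scan(content string) []Finding {
	return append(FindHiddenCSS(content), FindZeroWidthRuns(content, 8)...)
}

// sampleHTML is a constructed page: one visible paragraph, one CSS-hidden
// span holding a placeholder instead of any real injected text, and a
// 12-code-point zero-width run appended to the contact line.
const sampleHTML = `<html><body>
<p>Quarterly results are in the attached PDF.</p>
<span style="font-size:0px">HIDDEN-TEXT-PLACEHOLDER</span>
<p>Contact: ops@example.com` + "\u200B\u200C\u200B\u200B\u200C\u200C\u200B\u200C\u200B\u200C\u200C\u200B" + `</p>
</body></html>`

func main() {
	for _, f := range Scan(sampleHTML) {
		fmt.Printf("%-16s @%-5d %s\n", f.Kind, f.Offset, f.Snippet)
	}
}
```

A finding is a reason to strip the region or refuse the page, not proof of injection: legitimate pages use display:none for accessibility text, so the practical threshold and allow-list belong in the policy layer that consumes these findings.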

CLAWCHAIN

OpenClaw 4-CVE chain (Cyera Research, ~245K exposed instances). CVE-2026-44115 heredoc $() shell expansion. CVE-2026-44118 bearer token owner spoof via X-MCP-Sender-Is-Owner header. CVE-2026-44112/44113 TOCTOU race with 50-thread symlink swap targeting /workspace/sensitive to /etc/shadow.

TERRARIUM

CVE-2026-5752 CVSS 9.3 (CERT/CC VU#414811). Cohere Terrarium JS sandbox prototype chain escape: document.__proto__.constructor.constructor exploits the host function bridge. Five traversal paths. RCE confirmed by uid=/gid=/root in execSync output.

ENCLAVE

CVE-2026-22686 CVSS 10.0 (GHSA-7qm7-455j-5p63). enclave-vm Error prototype chain via __enclave_tool_call__ failure. Type error (null.nonExistentProperty) and range error (new Array(-1)) variants. Two legacy vm2 escape paths. Five RCE commands via natural-language agent API prompt.

CREWAI + CONTAINER

CREWAI: CVE-2026-2275 CVSS 9.6 (CERT/CC VU#221883). Python ctypes fallback via ctypes.CDLL/libc.system. Popen output capture variant. Env dump. Reverse shell. SSH persistence. CONTAINER: CVE-2025-31133 runc /dev/null symlink → core_pattern host write. CVE-2025-9074 Docker Desktop Engine API privileged container.

CVE Coverage

CVE-2025-31133 CVSS 7.8
CVE-2025-9074 CVSS 9.3
CVE-2026-44112
CVE-2026-44113
CVE-2026-44115
CVE-2026-44118
CVE-2026-5752 CVSS 9.3
CVE-2026-22686 CVSS 10.0
CVE-2026-2275 CVSS 9.6
SilentBridge CVSS 9.8

Subsystems

Subsystem    | Gate                | Function
SURVEY       | OPEN                | Detect runc, Docker Desktop API, OpenClaw, CrewAI, enclave-vm, Terrarium; recommend chain
SILENTBRIDGE | INJECT              | CSS hidden / ZWC indirect prompt injection — 6 payload types, HTTP delivery
CLAWCHAIN    | UNLEASHED           | OpenClaw 4-CVE chain: heredoc exec bypass, bearer owner spoof, TOCTOU race
TERRARIUM    | UNLEASHED           | CVE-2026-5752 JS prototype chain — 5 traversal paths, RCE via execSync
ENCLAVE      | UNLEASHED           | CVE-2026-22686 Error prototype chain + vm2 escapes, 5 RCE commands
CREWAI       | UNLEASHED           | CVE-2026-2275 ctypes fallback RCE, popen capture, revshell, SSH persist
CONTAINER    | UNLEASHED / DESTROY | CVE-2025-31133 runc core_pattern write; CVE-2025-9074 Docker Desktop Engine API
REPORT       | OPEN                | Ed25519-signed SBX-{hex12} reports, 4 WMD classes

Quick Start

# Install
pip install -e /path/to/red-specter-specter-sandbox

# Survey — detect vulnerable components
specter-sandbox survey --target http://target.local

# SILENTBRIDGE — deliver indirect prompt injection (INJECT gate)
specter-sandbox silentbridge \
  --target http://agent.local/api/run \
  --technique css_hidden

# CLAWCHAIN — OpenClaw 4-CVE chain (UNLEASHED gate)
specter-sandbox chain \
  --target http://openclaw.local \
  --token bearer123 \
  --chain openclaw \
  --gate unleashed \
  --roe-file roe.txt

# ENCLAVE — CVE-2026-22686 CVSS 10.0 prototype chain escape
specter-sandbox chain \
  --target http://enclave.local \
  --chain enclave \
  --gate unleashed \
  --roe-file roe.txt

# CONTAINER — Docker Desktop Engine API escape
specter-sandbox container \
  --docker-desktop \
  --gate unleashed \
  --roe-file roe.txt

# AUTO — survey then execute optimal chain
specter-sandbox chain \
  --target http://target.local \
  --chain auto \
  --gate unleashed \
  --roe-file roe.txt

# DESTROY — full chain + host compromise (DESTROY gate)
specter-sandbox chain \
  --target http://target.local \
  --chain auto \
  --gate destroy \
  --roe-file roe.txt \
  --confirm-host-compromise

# Generate signed SBX report
specter-sandbox report --output /tmp/sbx_report.json

Gate System

Gate      | Flag                                                        | Capability
OPEN      | --gate open                                                 | SURVEY, REPORT — read-only reconnaissance and reporting
INJECT    | --gate inject                                               | OPEN + SILENTBRIDGE — indirect prompt injection payload delivery
UNLEASHED | --gate unleashed --roe-file roe.txt                         | INJECT + CLAWCHAIN/TERRARIUM/ENCLAVE/CREWAI/CONTAINER — ROE: "sandbox exploitation authorised"
DESTROY   | --gate destroy --roe-file roe.txt --confirm-host-compromise | UNLEASHED + host root escape — ROE must contain "host compromise authorised" AND the --confirm-host-compromise flag is required

Target Platforms

Platform               | CVE                        | CVSS | Escape Method
runc ≤1.2.7            | CVE-2025-31133             | 7.8  | /dev/null symlink → core_pattern host binary write
Docker Desktop <4.44.3 | CVE-2025-9074              | 9.3  | Engine API at 192.168.65.7:2375 → privileged container
OpenClaw (Cyera)       | CVE-2026-44112/113/115/118 | n/a  | Heredoc exec + bearer spoof + TOCTOU race
Cohere Terrarium       | CVE-2026-5752              | 9.3  | JS prototype chain document.__proto__.constructor.constructor
enclave-vm             | CVE-2026-22686             | 10.0 | Error prototype chain via __enclave_tool_call__ failure
CrewAI CodeInterpreter | CVE-2026-2275              | 9.6  | Python ctypes fallback → libc.system RCE
Aurascape AuraLabs     | SilentBridge               | 9.8  | Indirect prompt injection — 3 variants

Research Basis

Research                     | Application
CERT/CC VU#414811 (2026)     | Cohere Terrarium CVE-2026-5752 JS prototype chain escape
GHSA-7qm7-455j-5p63 (2026)   | enclave-vm CVE-2026-22686 CVSS 10.0 Error prototype chain
CERT/CC VU#221883 (2026)     | CrewAI CodeInterpreter CVE-2026-2275 ctypes fallback
Cyera Research (2026)        | OpenClaw Claw Chain 4-CVE series (~245K exposed instances)
arXiv:2307.14539 (2023)      | Indirect prompt injection via web content — SILENTBRIDGE basis
BeyondTrust / Unit 42 (2026) | Container escape chain design and Docker Engine API abuse

WMD Classes

ai_agent_sandbox_annihilation
container_escape_to_host_root
prompt_injection_full_chain_rce
multi_platform_sandbox_escape

Report Format

All reports are signed with the operator's Ed25519 private key. Report IDs follow the format SBX-{12 hex chars}. Each report includes all subsystem results, CVE coverage, WMD classification, a blast radius assessment, and the Ed25519 signature. Reports are saved to ~/.specter_sandbox/reports/.
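As an added example, not SPECTER SANDBOX's own code, the following Go program shows the signing and verification flow the paragraph describes: an SBX-{12 hex} report ID, a canonical JSON body, an Ed25519 signature over it, and a verifier that rejects a body altered after signing. The report body's field names, the acceptance of either hex case in the ID, and the choice to verify against a trusted public key held by the reader rather than one embedded in the file are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// Report is the unsigned body. Field names are an assumption; the page
// only lists what a report contains.
type Report struct {
	ID          string            `json:"id"`
	Subsystems  map[string]string `json:"subsystems"`
	CVEs        []string          `json:"cves"`
	WMDClass    string            `json:"wmd_class"`
	BlastRadius string            `json:"blast_radius"`
}

// SignedReport is the on-disk form: body, signer's public key, signature.
type SignedReport struct {
	Body      Report `json:"body"`
	PublicKey string `json:"public_key"` // hex-encoded Ed25519 public key
	Signature string `json:"signature"`  // hex-encoded 64-byte signature
}

// reportIDRe enforces the SBX-{12 hex chars} format (case assumed free).
var reportIDRe = regexp.MustCompile(`^SBX-[0-9a-fA-F]{12}$`)

// NewReportID draws 6 random bytes and renders them as 12 hex characters.
func NewReportID() (string, error) {
	var b [6]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return "SBX-" + hex.EncodeToString(b[:]), nil
}

// ValidReportID reports whether id matches the SBX-{hex12} format.
func ValidReportID(id string) bool { return reportIDRe.MatchString(id) }

// canonical returns the exact bytes that are signed. encoding/json emits
// struct fields in declaration order and map keys sorted, so the same body
// always serialises to the same bytes on both the signing and verifying side.
func canonical(r Report) ([]byte, error) { return json.Marshal(r) }

// SignReport signs the canonical body with the operator's private key.
func SignReport(priv ed25519.PrivateKey, r Report) (SignedReport, error) {
	if !ValidReportID(r.ID) {
		return SignedReport{}, fmt.Errorf("bad report id %q", r.ID)
	}
	msg, err := canonical(r)
	if err != nil {
		return SignedReport{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedReport{
		Body:      r,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// VerifyReport checks the signature against trustedPub, not against the key
// embedded in the file: whoever can edit the report can also swap that key.
func VerifyReport(trustedPub ed25519.PublicKey, s SignedReport) bool {
	if !ValidReportID(s.Body.ID) {
		return false
	}
	msg, err := canonical(s.Body)
	if err != nil {
		return false
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trustedPub, msg, sig)
}

// Demo signs a constructed report, verifies it, then alters one field and
// verifies again; the second check must fail.
func Demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	id, err := NewReportID()
	if err != nil {
		return false, false, err
	}
	r := Report{ // constructed sample content
		ID:          id,
		Subsystems:  map[string]string{"SURVEY": "completed", "REPORT": "completed"},
		CVEs:        []string{"CVE-2025-31133"},
		WMDClass:    "container_escape_to_host_root",
		BlastRadius: "single host",
	}
	signed, err := SignReport(priv, r)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyReport(pub, signed)
	tampered := signed
	tampered.Body.BlastRadius = "none" // post-signing edit
	tamperedOK = VerifyReport(pub, tampered)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", genuine, tampered)
}
```

The verifier takes the public key as a parameter on purpose: the `public_key` field in the file is convenient for locating the right key, but trust in it has to come from somewhere outside the report, such as a key the engagement lead distributed beforehand.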