
Researchers Chain DLL Sideloading and an RPC Flaw to Gain Root Access Inside Claude Cowork’s Sandbox

dark6 4 July 2026

A newly disclosed vulnerability chain in Anthropic’s Claude Cowork lets an attacker who already has local code execution on a Windows machine escalate privileges and run arbitrary commands as root inside the product’s isolated Linux sandbox. The research, published by security firm Armadin, walks through how several independently solid defenses can still be bypassed once they are combined and probed methodically.

A Sandbox Built From Several Layers of Defense

Claude Cowork is Anthropic’s product aimed at letting non-technical users run Claude Code to build tools and process data without needing a full development environment. On Windows, Cowork isolates that execution inside a Hyper-V-backed Ubuntu virtual machine that is invisible to standard Hyper-V tooling and only confirmable through low-level diagnostic commands run as Administrator.

Access to that VM is brokered by a Local System service called CoworkVMService, which listens on a named pipe and exposes a JSON-based RPC interface. Connections are validated using Authenticode signature checks that confirm the caller is signed by Anthropic, PBC. Inside the guest, Cowork layers on bubblewrap namespaces, per-session unprivileged users, a seccomp filter, and an egress proxy that only allows traffic to an approved list of domains.

Breaking In: DLL Sideloading Opens the Door

Armadin’s researchers first tried to spoof or clone the Authenticode signature check and failed against Windows’ own trust validation. They then pivoted to a classic technique, DLL sideloading (MITRE ATT&CK T1574.002), after noticing that Cowork’s claude.exe looks for USERENV.dll in its own application folder before falling back to the system copy.

By dropping a malicious DLL with that exact name and exporting the function the application expects, the researchers achieved code execution inside a legitimately signed Anthropic binary. That let them satisfy the named pipe’s identity check without ever breaking the signature verification itself.

From inside claude.exe, the team used an AI coding assistant to reverse-engineer the pipe’s RPC protocol by studying service logs, error strings, and the results of deliberately malformed requests. The protocol turned out to be a simple length-prefixed JSON format exposing methods for configuring, starting, and querying the sandbox VM, along with a method named spawn.

The Parameter That Undermined the Sandbox

Most of Cowork’s protections held up well under direct pressure. Attempts to create a user named “root” were rejected, the egress proxy blocked connections to non-allowlisted domains, and filesystem tricks like NTFS junctions were not followed into the guest VM.

The weak point turned out to be two parameters forwarded straight through to the VM’s internal daemon: isResume and allowedDomains. Normally, setting isResume to false forces the daemon to create a brand-new unprivileged user for each session. Setting it to true, however, skips that existing-user validation entirely, letting the daemon execute commands as any username supplied in the request, including root, without further checks.

A single crafted request specifying an existing account name alongside isResume: true returned a fully functional root shell inside the bubblewrap sandbox, with the egress restrictions still nominally in place but the core privilege boundary gone.
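To make the parameter-level trust problem concrete, here is an added example (not code from Armadin, Anthropic, or the Cowork daemon) that models the RPC framing and the spawn check described above. Everything beyond what the article states is an assumption: the 4-byte big-endian length prefix, the `method`/`params` message shape, the parameter name `user`, and the idea that the daemon records which session users it created. The weak handler trusts the supplied username whenever `isResume` is true, which is the behaviour the article describes; the hardened handler only resumes into a user the daemon itself created and refuses root outright.

```python
"""
Illustrative model of a length-prefixed JSON RPC and a 'spawn' check.
Added example, NOT Anthropic's CoworkVMService or its in-guest daemon.
Assumed (not from the article): 4-byte big-endian length prefix, a JSON
object with "method" and "params", a "user" parameter, and a daemon that
remembers the unprivileged users it created for sessions.
"""
from __future__ import annotations

import json
import struct

HEADER = struct.Struct(">I")  # assumed framing: 4-byte big-endian length
MAX_FRAME = 1 << 20           # cap before parsing, so a bad length can't blow up memory


def encode_frame(msg: dict) -> bytes:
    """Serialise one message as <length><json>."""
    body = json.dumps(msg).encode()
    return HEADER.pack(len(body)) + body


def decode_frame(buf: bytes) -> tuple[dict, bytes]:
    """Split one length-prefixed JSON message off the front of buf.

    Returns (message, remaining_bytes). Rejects short, oversized and
    truncated frames instead of trying to parse partial JSON.
    """
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    (n,) = HEADER.unpack_from(buf)
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    body = buf[HEADER.size:HEADER.size + n]
    if len(body) != n:
        raise ValueError("truncated frame")
    return json.loads(body), buf[HEADER.size + n:]


class Daemon:
    """Toy in-guest daemon: it only knows about users it created itself."""

    def __init__(self) -> None:
        self.session_users: set[str] = set()
        self._counter = 0

    def create_session_user(self) -> str:
        # Stand-in for creating a fresh unprivileged per-session account.
        self._counter += 1
        name = f"session{self._counter}"
        self.session_users.add(name)
        return name


def spawn_weak(daemon: Daemon, params: dict) -> str:
    """Models the flaw: isResume=true skips the 'did we create this user?'
    check and runs as whatever name the client sent, root included."""
    if params.get("isResume"):
        return params["user"]
    return daemon.create_session_user()


def spawn_hardened(daemon: Daemon, params: dict) -> str:
    """Resume only into a user this daemon created; never honour root."""
    if not params.get("isResume"):
        return daemon.create_session_user()
    user = params.get("user")
    if not isinstance(user, str) or user == "root":
        raise PermissionError("refusing to resume as root or a non-string user")
    if user not in daemon.session_users:
        raise PermissionError(f"unknown session user {user!r}")
    return user


def handle(daemon: Daemon, frame: bytes, spawn) -> str:
    """Decode one frame and dispatch the spawn method to the given handler."""
    msg, _rest = decode_frame(frame)
    if msg.get("method") != "spawn":
        raise ValueError("unsupported method")
    return spawn(daemon, msg.get("params", {}))
```

The design point is that `isResume` should change which code path runs, not which checks run: a resume request still has to prove that the target user is one the daemon previously handed out for that session.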

What This Means for AI Agent Sandboxes

Armadin validated the complete attack chain against a recent build of Claude Desktop for Windows. The firm notes that Anthropic’s stated threat model for Cowork does not currently treat local code execution as an in-scope attacker capability, which is part of why this chain was possible in the first place.

The broader lesson for security teams evaluating AI coding agents and similar tools is that layered sandboxing is not the same as tested sandboxing. Chains involving signed-binary abuse, RPC fuzzing, and parameter-level trust assumptions can defeat sandboxes that look solid from the outside. Organizations deploying agentic AI tools should:

  • Treat “isolated” execution environments as still requiring endpoint detection on the host, not just controls inside the VM.
  • Monitor for anomalous DLL loads from application directories, a common precursor to sideloading attacks.
  • Ask vendors whether local code execution is included in their sandbox’s threat model, and if not, apply compensating controls.
  • Track vendor advisories closely, since fixes for RPC parameter validation issues like this one are typically shipped as silent client updates.
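As a worked version of the second recommendation, here is an added detection example (not from the article, Armadin, or any vendor) that flags the sideloading pattern the chain relied on: a DLL that carries a Windows system DLL name but is loaded from an application directory rather than from the system directories. The input lines are constructed for this example in the shape of Sysmon Event ID 7 (ImageLoaded) fields; the field names follow Sysmon, the paths and the `ExampleApp` process are made up, and the list of DLL names to baseline is an assumption seeded with the USERENV.dll case from the article.

```python
"""
Added example: hunt for system-DLL names resolved from application folders
(the DLL sideloading pattern, ATT&CK T1574.002). Sample events below are
CONSTRUCTED in the shape of Sysmon Event ID 7 fields; none are real logs.
"""
from __future__ import annotations

import ntpath
import re

# Assumed baseline: DLL names that should only ever load from the system
# directories. USERENV.dll is the one named in the article.
SYSTEM_DLLS = {"userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

FIELD_RE = re.compile(r"(\w+)=([^,]*)")

# Constructed sample events (key=value pairs, Sysmon-style field names).
SAMPLE_EVENTS = [
    "EventID=7, Image=C:\\Program Files\\ExampleApp\\app.exe, "
    "ImageLoaded=C:\\Program Files\\ExampleApp\\USERENV.dll, Signed=false, Signature=-",
    "EventID=7, Image=C:\\Program Files\\ExampleApp\\app.exe, "
    "ImageLoaded=C:\\Windows\\System32\\USERENV.dll, Signed=true, Signature=Microsoft Windows",
    "EventID=7, Image=C:\\Program Files\\ExampleApp\\app.exe, "
    "ImageLoaded=C:\\Program Files\\ExampleApp\\plugin.dll, Signed=true, Signature=Example Corp",
    "EventID=1, Image=C:\\Program Files\\ExampleApp\\app.exe, CommandLine=app.exe --help",
]


def parse_event(line: str) -> dict[str, str]:
    """Turn 'Key=value, Key=value' into a dict; values are stripped."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def is_sideload_candidate(event: dict[str, str], system_dlls=SYSTEM_DLLS) -> bool:
    """True when a baselined system DLL name loads from outside the system dirs."""
    loaded = event.get("ImageLoaded", "").lower()
    if ntpath.basename(loaded) not in system_dlls:
        return False
    return not loaded.startswith(SYSTEM_DIRS)


def hunt(lines) -> list[dict[str, str | bool]]:
    """Return one finding per suspicious Event ID 7 line, with context
    an analyst wants first: the host process, the DLL path, whether the
    DLL sits beside the executable, and whether it is signed."""
    findings = []
    for line in lines:
        e = parse_event(line)
        if e.get("EventID") != "7" or not is_sideload_candidate(e):
            continue
        image, loaded = e.get("Image", ""), e.get("ImageLoaded", "")
        findings.append({
            "process": image,
            "dll": loaded,
            "same_dir_as_process": ntpath.dirname(image.lower()) == ntpath.dirname(loaded.lower()),
            "signed": e.get("Signed", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

In a real deployment the same logic would sit over the Sysmon channel or EDR image-load telemetry rather than text lines; the useful enrichment is the `same_dir_as_process` flag, since a system DLL name resolving from the executable's own folder is the precise search-order behaviour that sideloading exploits, and an unsigned DLL in that position deserves immediate triage.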
