Security researchers have uncovered a significant vulnerability within Anthropic’s Claude Cowork, enabling attackers to gain elevated privileges and execute any command as root in the product’s Linux sandbox. This vulnerability compromises the multiple security layers Anthropic has integrated into the environment.
Understanding Claude Cowork and Its Security Framework
Designed for knowledge workers, Claude Cowork by Anthropic integrates Claude Code, enabling users without technical expertise to create tools and analyze data. On Windows, Claude Cowork operates within a Hyper-V-isolated Ubuntu virtual machine, protected by various security measures including Authenticode-gated RPC, bubblewrap namespaces, and a domain-restricted egress proxy.
Despite these defenses, research by Armadin demonstrated the possibility of executing arbitrary code as root within the VM, highlighting a critical flaw in the sandbox’s security framework.
Exploitation of the Sandbox Vulnerability
The vulnerability exploration focused on the Host Compute Service, which provisions an Ubuntu VM invisible to standard Hyper-V tools, and managed by the CoworkVMService. This service facilitates desktop connections via a named pipe hosting a JSON-based RPC server, authenticated through Authenticode signature checks.
Initial attempts to bypass these checks through signature manipulation failed, leading researchers to utilize DLL sideloading techniques. By manipulating the loading of USERENV.dll, Armadin achieved unauthorized code execution inside Claude Cowork, bypassing the identity verification process.
Impact and Implications of the Security Breach
Once gaining execution access, Armadin leveraged an AI coding agent to decode the RPC protocol, enabling further exploitation. By manipulating spawn parameters, researchers bypassed user checks and executed commands as root, highlighting critical flaws in user validation mechanisms.
This vulnerability, validated against Claude Desktop for Windows version 1.9255.2.0, underscores the potential risks associated with privilege escalation within sandboxed AI tools. It raises concerns about the effectiveness of current security models in preventing unauthorized access once initial execution is achieved.
While Anthropic’s threat model doesn’t prioritize local code execution as a significant risk, this discovery emphasizes the need for enhanced security measures in AI agent tools to protect against such vulnerabilities.
