AI Security

I discovered that AWS Bedrock AgentCore Code Interpreter's "Sandbox" mode leaks DNS queries, enabling a full DNS-tunneling C2 channel, reverse shell, and data exfiltration from a supposedly network-isolated sandbox. Disclosed via HackerOne.

Research and proof-of-concept showing how AWS Bedrock AgentCore Code Interpreter's "Sandbox" network mode leaks DNS queries, enabling a full DNS-tunneling C2 channel, reverse shell, and S3/DynamoDB data exfiltration out of a supposedly network-isolated sandbox.