HackTricks-wiki · carlospolop · Jul 25, 2025
diff --git a/...ity/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/...ity/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
@@ -123,5 +123,6 @@ The rule triggers on any write attempt to `*/release_agent` from a process insid
 
 * [Unit 42 – CVE-2022-0492: container escape via cgroups](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) – detailed analysis and mitigation script.
 * [Sysdig Falco rule & detection guide](https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/)
+* [Cisco ISE privileged container escape via cgroup user-mode helpers (CVE-2025-20281)](https://www.thezdi.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability)
 
 {{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md
@@ -135,8 +135,47 @@ powershell C:**2\n??e*d.*? # notepad
 https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
 {{#endref}}
 
+### Java Runtime.exec Tokenization & ${IFS} Bypass
+
+When the vulnerable code ultimately calls `java.lang.Runtime.exec(String cmd)` **with a single string argument**, the JRE **tokenises** that string before it is passed to `/bin/sh`.  The tokeniser (`StringTokenizer` in Java 8) simply splits on whitespace characters (`\t`, `\n`, `\r`, `\f`, and the regular space).  Unlike a POSIX shell, **quotes (" or ') and back-ticks are *ignored*** by the tokeniser, so an attacker cannot rely on them to keep a payload together.
+
+As a consequence, classic payloads such as:
+
+```java
+"x; touch /flag"
+```
+
+become the following argument array once Java finishes splitting:
+
+```
+[x;, touch, /flag]
+```
+
+Only the very first element ( `x;` ) reaches the invoked script, breaking the injection attempt.
+
+#### Bypass – replace the spaces with ${IFS}
+
+When the attacker controls a **bash** context (either directly or through a helper script), the trick is to replace every space with the shell’s *Internal Field Separator* variable `IFS`:
+
+```bash
+id${IFS}-a
+```
+
+* `Runtime.exec` sees no literal spaces → **no tokenisation takes place**, so the whole string is forwarded as **one single argument**.
+* Inside the `/bin/sh` that finally interprets the parameter, `${IFS}` expands back to a regular space, giving **`id -a`**.
+
+This technique was successfully used against Cisco ISE’s `enableStrongSwanTunnel` API (CVE-2025-20281) to achieve unauthenticated RCE even though the vulnerable Java code passed user input to a root shell script via `sudo`.
+
+> Tip: When your final payload cannot contain `${IFS}` literally (e.g. it will later be copied into `release_agent` or another restricted context) you can **base64-encode** the whole command and decode it on the fly:
+>
+> ```bash
+> echo${IFS}BASE64_PAYLOAD${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash
+> ```
+
 ## References
 
+- [CVE-2025-20281 – Cisco ISE `enableStrongSwanTunnel` unauthenticated RCE (ZDI blog)](https://www.thezdi.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability)
+
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)