Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an “adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine,” Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced “judge zero”) is described by its maintainers as a “robust, scalable, and open-source online code execution system” that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers, including AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below –
- CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
- CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
- CVE-2024-29021 (CVSS score: 9.1) – The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
The problem is rooted in a Ruby script named “isolate_task.rb,” which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, it involves creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language, such that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What's more, the attacker could escalate their privileges outside of the Docker container because it is run using the privileged flag, as specified in docker-compose.yml.
“This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system,” Judge0’s Herman Došilović said.
“From this point the attacker will have full access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”
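The symlink pattern behind CVE-2024-28185 and CVE-2024-28189 comes down to a path-based write (or chown) that follows a link the submission planted inside the sandbox directory. The Python below is an added example, not Judge0's own code: it opens a file relative to a directory descriptor with O_NOFOLLOW so a planted symlink is refused, changes ownership with fchown on the already-open descriptor instead of chown on a path, and runs a constructed demo in a temporary directory that contrasts this with a naive open.

```python
import os
import stat
import tempfile


def open_in_sandbox(sandbox_dir, name, mode=0o644):
    """Create/open `name` directly under sandbox_dir without following symlinks.

    The directory is opened first and the file is opened relative to it with
    O_NOFOLLOW, so a symlink planted by a submission cannot redirect the write
    outside the sandbox. Returns an fd the caller must close.
    """
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    dir_fd = os.open(sandbox_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(name, flags, mode, dir_fd=dir_fd)  # ELOOP if `name` is a symlink
    finally:
        os.close(dir_fd)
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # reject FIFOs/devices as well
        os.close(fd)
        raise OSError(f"{name} is not a regular file")
    return fd


def chown_fd(fd, uid, gid):
    """Change ownership of the opened file itself, never of whatever a path resolves to."""
    os.fchown(fd, uid, gid)


def demo():
    """Constructed scenario: a symlink in the sandbox points at a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "outside.txt")  # stands in for a host-side script
        with open(target, "w") as f:
            f.write("original")
        sandbox = os.path.join(tmp, "box")
        os.mkdir(sandbox)
        os.symlink(target, os.path.join(sandbox, "run"))  # the planted link
        # Naive path-based write follows the link and clobbers the target.
        with open(os.path.join(sandbox, "run"), "w") as f:
            f.write("overwritten")
        with open(target) as f:
            naive_overwrote = f.read() == "overwritten"
        # Hardened open refuses the link; the target is left alone.
        try:
            os.close(open_in_sandbox(sandbox, "run"))
            safe_refused = False
        except OSError:
            safe_refused = True
        return {"naive_overwrote": naive_overwrote, "safe_refused": safe_refused}
```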
CVE-2024-29021, on the other hand, has to do with a configuration that allows communication with Judge0’s PostgreSQL database exposed inside the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database, change the datatype of relevant columns, and ultimately achieve command injection.
Following responsible disclosure, the shortcomings have been addressed in version 1.13.1 released on April 18, 2024. Users of Judge0 are recommended to update to the latest version to mitigate potential threats.
Some parts of this article are sourced from:
thehackernews.com