Sandbox Escape Vulnerabilities in Judge0 Expose Programs to Full Takeover

Apr 29, 2024 | Newsroom | Sandbox / Vulnerability

A number of critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.

The three flaws, all critical in nature, allow an “adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine,” Australian cybersecurity firm Tanto Security said in a report published today.

Judge0 (pronounced “judge zero”) is described by its maintainers as a “robust, scalable, and open-source online code execution system” that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.

According to its website, the service is used by 23 customers including AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.


The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below –

  • CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
  • CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
  • CVE-2024-29021 (CVSS score: 9.1) – The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.

The problem is rooted in a Ruby script named “isolate_job.rb,” which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.

Specifically, it involves creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language, such that it allows writing to an arbitrary file on the unsandboxed system.

A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
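The two symlink issues above (CVE-2024-28185 and its chown-based bypass CVE-2024-28189) share one root cause: the host-side job runner operates on paths inside a directory that untrusted code can populate, and follows any symlink it finds there. The following Ruby example is added here to illustrate the defensive pattern; it is not Judge0's code and it does not reproduce isolate_job.rb. The function and file names (`sandboxed_path`, `safe_write`, `safe_chown`, `compile.sh`, `victim.sh`) are constructed for the demonstration. It resolves the parent directory chain with `File.realpath`, opens the final component with `O_NOFOLLOW` so the kernel refuses a symlink even if one is planted after the check, and uses `lchown` instead of `chown` so ownership changes cannot be redirected through a link.

```ruby
require 'tmpdir'
require 'fileutils'

# Raised when a path supplied from inside the sandbox would resolve outside it.
class SandboxEscapeAttempt < StandardError; end

# Canonicalise +name+ relative to +sandbox_dir+ and refuse anything whose
# parent directory chain (after resolving symlinks and "..") leaves the box.
# The final component is deliberately not resolved here: it may not exist yet,
# and a symlink in that position is caught by O_NOFOLLOW at open time instead.
def sandboxed_path(sandbox_dir, name)
  root = File.realpath(sandbox_dir)
  candidate = File.expand_path(name, root)
  parent = File.realpath(File.dirname(candidate))
  resolved = File.join(parent, File.basename(candidate))
  unless parent == root || parent.start_with?(root + File::SEPARATOR)
    raise SandboxEscapeAttempt, "#{name} resolves to #{resolved}, outside #{root}"
  end
  resolved
end

# Write +content+ to +name+ inside the sandbox. O_NOFOLLOW makes the kernel
# refuse to open a symlink as the last path component, so a link planted by
# untrusted code (even between the check above and this open) is rejected
# with ELOOP rather than followed to a file outside the box.
def safe_write(sandbox_dir, name, content)
  path = sandboxed_path(sandbox_dir, name)
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(content) }
  path
rescue Errno::ELOOP
  raise SandboxEscapeAttempt, "#{name} is a symbolic link"
end

# Change ownership of a sandbox entry with lchown, which acts on the link
# itself instead of its target, so a symlink cannot redirect the chown.
def safe_chown(sandbox_dir, name, uid, gid)
  File.lchown(uid, gid, sandboxed_path(sandbox_dir, name))
  true
end

# Helper for the demonstration: true when the write was refused.
def write_blocked?(box, name)
  safe_write(box, name, "pwned\n")
  false
rescue SandboxEscapeAttempt
  true
end

# Constructed demonstration: a script outside the box, a sandbox containing
# a symlink to it and a symlinked directory, and three attempts to reach it.
def demo
  Dir.mktmpdir('outside') do |outside|
    victim = File.join(outside, 'victim.sh')
    File.write(victim, "original\n")
    box = Dir.mktmpdir('box', outside)                 # sandbox lives under "outside"
    File.symlink(victim, File.join(box, 'run.sh'))      # planted by untrusted code
    FileUtils.ln_s(outside, File.join(box, 'escape'))   # symlinked directory

    safe_write(box, 'compile.sh', "#!/bin/sh\n")        # legitimate write still works
    chown_ok = safe_chown(box, 'run.sh', Process.uid, Process.gid)
    {
      symlink_blocked:   write_blocked?(box, 'run.sh'),
      traversal_blocked: write_blocked?(box, '../victim.sh'),
      symdir_blocked:    write_blocked?(box, 'escape/victim.sh'),
      victim_intact:     File.read(victim) == "original\n",
      regular_written:   File.read(File.join(box, 'compile.sh')) == "#!/bin/sh\n",
      chown_ok:          chown_ok
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The check-then-open split matters: `sandboxed_path` alone is a time-of-check/time-of-use race against code that is still running in the box, which is why the open carries `File::NOFOLLOW` and the ownership change uses `File.lchown`. Running the file prints a hash in which every `*_blocked` key is true, `victim.sh` is untouched, and the legitimate `compile.sh` write succeeded.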


What's more, the attacker could escalate their privileges outside of the Docker container because it is run using the privileged flag as specified in docker-compose.yml.

“This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system,” Judge0’s Herman Došilović stated.

“From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”

CVE-2024-29021, on the other hand, has to do with a configuration that allows communication with Judge0's PostgreSQL database, reachable within the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database, change the datatype of relevant columns, and ultimately obtain command injection.

Following responsible disclosure, the shortcomings were addressed in version 1.13.1, released on April 18, 2024. Users of Judge0 are advised to update to the latest version to mitigate potential threats.
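The SSRF case is dangerous precisely because the service sits on the same internal Docker network as its database. Beyond network segmentation, a code-execution service that fetches any URL on a submitter's behalf needs an egress check that refuses internal destinations. The Ruby example below is added here as an illustration of that check; it is not Judge0's code, and it assumes (as a hypothetical) that the SSRF originates from a user-supplied URL the service requests. `INTERNAL_RANGES`, `outbound_url_allowed?`, the constructed `FAKE_DNS` table and hostnames such as `db` and `rebinder.example` are all inventions for the demonstration; `203.0.113.10` is a documentation address standing in for a public host.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Address ranges a code-execution service should never reach on behalf of a
# submission: loopback, RFC 1918, link-local, CGNAT, their IPv6 equivalents,
# and IPv4-mapped IPv6 (which would otherwise smuggle 10.x through as IPv6).
INTERNAL_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }

# True when +ip+ falls in any blocked range; unparseable input fails closed.
def internal_address?(ip)
  addr = IPAddr.new(ip.to_s)
  INTERNAL_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

# System resolver: IP literals need no lookup, names go through Resolv.
def default_resolver(host)
  IPAddr.new(host)
  [host]
rescue IPAddr::InvalidAddressError
  Resolv.getaddresses(host)
end

# Decide whether the service may fetch +url+. Only http/https are accepted,
# and every address the host resolves to must be public: a name with even one
# internal record is rejected outright. The resolver is injectable so the
# check can be exercised offline.
def outbound_url_allowed?(url, resolver: nil)
  resolver ||= method(:default_resolver)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname                       # strips the [] of IPv6 literals
  return false if host.nil? || host.empty?
  addresses = resolver.call(host)
  return false if addresses.empty?
  addresses.none? { |ip| internal_address?(ip) }
rescue URI::InvalidURIError
  false
end

# Constructed DNS table for the offline demonstration; no real lookups occur.
FAKE_DNS = {
  'db'               => ['172.18.0.3'],              # a database container on the compose network
  'example.org'      => ['203.0.113.10'],            # stands in for a public host
  'rebinder.example' => ['203.0.113.10', '127.0.0.1'] # mixed public/internal records
}.freeze

def demo_resolver(host)
  IPAddr.new(host)
  [host]
rescue IPAddr::InvalidAddressError
  FAKE_DNS.fetch(host, [])
end

# Evaluate a set of constructed URLs; only the public host should be allowed.
def demo
  r = method(:demo_resolver)
  %w[
    http://example.org/callback
    http://db:5432/
    http://127.0.0.1/
    http://[::1]/
    http://[::ffff:10.0.0.5]/
    http://rebinder.example/
    file:///etc/passwd
  ].map { |u| [u, outbound_url_allowed?(u, resolver: r)] }.to_h
end

p demo if $PROGRAM_NAME == __FILE__
```

Two caveats a deployment should respect: the resolved address that passed the check is the one to connect to (re-resolving at connect time reopens the door to DNS rebinding, which the `rebinder.example` entry models), and a URL check complements rather than replaces keeping the database off any network the submission-handling container can reach.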
