A number of critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced "judge zero") is described by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers including AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below –
- CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
- CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
- CVE-2024-29021 (CVSS score: 9.1) – The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
The problem is rooted in a Ruby script named "isolate_job.rb," which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, it involves creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language, such that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What's more, the attacker could escalate their privileges outside of the Docker container as a result of it being run using the privileged flag, as specified in docker-compose.yml.
“This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system,” Judge0’s Herman Došilović stated.
“From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”
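As an added example that is not from the article or the Judge0 project, this hypothetical Ruby helper shows the defensive check the chown-on-untrusted-file bug class calls for: refuse symlinks and any name that leaves the sandbox directory before changing ownership, and use lchown so the final path component is never followed. The directory layout, file names and error class are constructed for the demo.

```ruby
require 'tmpdir'

# Raised when a submission-controlled name does not resolve to a plain file
# inside the sandbox. Hypothetical class, not part of Judge0.
class SandboxPathError < StandardError; end

# Resolve a submission-supplied filename inside the sandbox directory
# without following symlinks.
def safe_sandbox_path(sandbox_dir, name)
  base = File.realpath(sandbox_dir)
  # Only a bare filename is acceptable: no separators, no '.' or '..'.
  if name.empty? || name != File.basename(name) || %w[. ..].include?(name)
    raise ArgumentError, "invalid sandbox filename: #{name.inspect}"
  end
  path = File.join(base, name)
  st = File.lstat(path)                       # lstat does not follow symlinks
  raise SandboxPathError, "symlink refused: #{name}" if st.symlink?
  raise SandboxPathError, "not a regular file: #{name}" unless st.file?
  # The canonical path must still sit under the sandbox (catches a swapped parent dir).
  real = File.realpath(path)
  unless real.start_with?(base + File::SEPARATOR)
    raise SandboxPathError, "path escapes sandbox: #{real}"
  end
  real
end

# chown only after the checks above, and via lchown so a symlink that races in
# between check and call is still never followed. A fully race-free version
# needs fchownat(AT_SYMLINK_NOFOLLOW) on an open directory fd, which plain
# Ruby does not expose; the check here closes the bug class, not every TOCTOU.
def safe_chown(sandbox_dir, name, uid, gid)
  path = safe_sandbox_path(sandbox_dir, name)
  File.lchown(uid, gid, path)
  path
end

def attempt(box, name, uid, gid)
  safe_chown(box, name, uid, gid)
  :allowed
rescue SandboxPathError, ArgumentError => e
  e.class.name
end

# Constructed demo: a regular file, a symlink pointing outside the sandbox,
# and a traversal-style name. Returns the outcome of each chown attempt.
def demo
  Dir.mktmpdir('outside') do |outside|
    Dir.mktmpdir('box') do |box|
      target = File.join(outside, 'victim.txt')
      File.write(target, "outside the sandbox\n")
      File.write(File.join(box, 'run.sh'), "echo hi\n")
      File.symlink(target, File.join(box, 'evil'))
      uid, gid = Process.uid, Process.gid    # chown to self needs no privilege
      { run_sh: attempt(box, 'run.sh', uid, gid),
        evil: attempt(box, 'evil', uid, gid),
        traversal: attempt(box, '../x', uid, gid) }
    end
  end
end
```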
CVE-2024-29021, on the other hand, has to do with a configuration that allows communication with Judge0's PostgreSQL database, accessible within the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database, change the datatype of relevant columns, and ultimately obtain command injection.
Following responsible disclosure, the shortcomings were addressed in version 1.13.1, released on April 18, 2024. Users of Judge0 are advised to update to the latest version to mitigate potential threats.