Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an “adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine,” Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced “judge zero”) is described by its maintainers as a “robust, scalable, and open-source online code execution system” that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub so far.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below:
- CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
- CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
- CVE-2024-29021 (CVSS score: 9.1) – The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
The problem is rooted in a Ruby script named “isolate_job.rb,” which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, it involves creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language, such that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What’s more, the attacker could escalate their privileges outside of the Docker container due to it being run using the privileged flag, as specified in docker-compose.yml.
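To make the symlink issue concrete, the following Ruby snippet is an added example (not Judge0’s own code; `safe_sandbox_write` and `demo` are hypothetical names) showing why a sandbox runner must inspect paths with lstat semantics before writing: a naive write through a link planted in the sandbox lands on the outside file, while the guarded version rejects the link and also refuses `../` traversal.

```ruby
require 'tmpdir'

class SandboxEscape < StandardError; end

# Hypothetical guard for a sandbox runner (added example, not Judge0's code):
# refuse to write through a symlink anywhere under the sandbox root, and
# refuse paths that resolve outside it. Parent directories must already exist.
def safe_sandbox_write(sandbox_root, relative_path, content)
  root = File.realpath(sandbox_root)
  target = File.expand_path(relative_path, root)
  # Reject '../' traversal in the requested path before touching the disk.
  raise SandboxEscape, "path leaves sandbox: #{relative_path}" unless target.start_with?(root + File::SEPARATOR)
  # Walk every component below the root with lstat semantics: a symlink planted
  # by the submitted code (dangling or not) is rejected, so it is never followed.
  partial = root
  target.delete_prefix(root).split(File::SEPARATOR).reject(&:empty?).each do |seg|
    partial = File.join(partial, seg)
    raise SandboxEscape, "symlink inside sandbox: #{partial}" if File.symlink?(partial)
  end
  # O_NOFOLLOW closes the check-then-write race on the final component only;
  # intermediate components are why the walk above is still needed.
  flags = File::WRONLY | File::CREAT | File::TRUNC
  flags |= File::NOFOLLOW if defined?(File::NOFOLLOW)
  File.open(target, flags, 0o644) { |f| f.write(content) }
  true
end

# Constructed scenario in a temp dir: a file outside the sandbox and a symlink to
# it inside. Returns [naive write's effect, guarded write's result, outside file after].
def demo
  Dir.mktmpdir do |host|
    outside = File.join(host, "host_script.sh")
    File.write(outside, "original\n")
    sandbox = File.join(host, "box")
    Dir.mkdir(sandbox)
    File.symlink(outside, File.join(sandbox, "run.sh"))
    File.write(File.join(sandbox, "run.sh"), "tampered\n") # naive write follows the link
    naive = File.read(outside).strip
    File.write(outside, "original\n")
    guarded = begin
      safe_sandbox_write(sandbox, "run.sh", "tampered\n")
      :written
    rescue SandboxEscape
      :blocked
    end
    [naive, guarded, File.read(outside).strip]
  end
end
```

The same lstat-first check belongs in front of any chown on sandbox contents, the step CVE-2024-28189 abused; Ruby’s `File.lchown` operates on the link itself rather than its target.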
“This would allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system,” Judge0’s Herman Došilović said.
“From this point the attacker will have full access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”
CVE-2024-29021, on the other hand, has to do with a configuration that enables communicating with Judge0’s PostgreSQL database available within the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database, change the datatype of relevant columns, and ultimately gain command injection.
Following responsible disclosure, the shortcomings have been addressed in version 1.13.1, released on April 18, 2024. Users of Judge0 are advised to update to the latest version to mitigate potential threats.