
Sandbox Escape via Symbolic Link

Critical
hermanzdosilovic published GHSA-h9g2-45c8-89cf Apr 18, 2024

Package

judge0/judge0 (Docker Hub)

Affected versions

<= 1.13.0

Patched versions

>= 1.13.1

Description

Summary

The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

Details

When executing a submission, Judge0 writes a run_script to the sandbox directory as demonstrated in the following code snippet:

    unless submission.is_project
      # gsub is mandatory!
      command_line_arguments = submission.command_line_arguments.to_s.strip.encode("UTF-8", invalid: :replace).gsub(/[$&;<>|`]/, "")
      # File.open with "w" follows an existing symlink at run_script, so the
      # write lands wherever that link points
      File.open(run_script, "w") { |f| f.write("#{submission.language.run_cmd} #{command_line_arguments}")}
    end

View this source on Github here.

The security issue is that an attacker can create a symbolic link (symlink) at the path run_script before this code is executed, resulting in the f.write writing to an arbitrary file on the unsandboxed system.

An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.
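The following is an added example, not Judge0's code or its actual patch: it reproduces the symlink-follow behaviour of the `File.open(path, "w")` pattern above in a temporary directory and contrasts it with an open that refuses to follow a symlink or reuse an existing path. All file names here are constructed for the demonstration.

```ruby
require "tmpdir"

# Vulnerable pattern (as in the advisory): "w" mode follows symlinks, so a
# symlink pre-planted at `path` redirects the write to the link's target.
def write_run_script_unsafe(path, content)
  File.open(path, "w") { |f| f.write(content) }
end

# Hardened pattern: do the check inside open(2) instead of testing
# File.symlink? first, which would leave a check-then-act race.
# NOFOLLOW -> ELOOP if `path` is a symlink; CREAT|EXCL -> EEXIST if anything
# (file or symlink) already exists there. Returns true on success, false if refused.
def write_run_script_safe(path, content)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(content) }
  true
rescue Errno::ELOOP, Errno::EEXIST
  false
end

# Constructed scenario: a "host" file outside the sandbox directory, and an
# attacker-planted symlink named run_script inside it pointing at that file.
def demo
  Dir.mktmpdir do |root|
    outside = File.join(root, "outside_target") # stands in for a script on the host
    File.write(outside, "original\n")
    box = File.join(root, "box")
    Dir.mkdir(box)
    run_script = File.join(box, "run_script")
    File.symlink(outside, run_script)           # planted before the writer runs

    write_run_script_unsafe(run_script, "pwned\n")
    unsafe_overwrote = File.read(outside) == "pwned\n"   # symlink was followed

    File.write(outside, "original\n")
    refused = !write_run_script_safe(run_script, "pwned\n")
    safe_refused = refused && File.read(outside) == "original\n"

    { unsafe_overwrote: unsafe_overwrote, safe_refused: safe_refused }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The open flags only protect the final path component; the sandbox directory itself still has to be created fresh and not be writable by the submission before the run script is written.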

PoC

The PoC has been removed until appropriate time has been given for users to update their versions.

Impact

An attacker can use this vulnerability to gain unsandboxed code execution on the Docker container running the submission job.

Additionally, the attacker may then escalate their privileges outside of the Docker container, because the container is run with the privileged flag as specified in docker-compose.yml. This allows the attacker to mount the Linux host filesystem and write files to it (for example a malicious cron job) to gain access to the host.

From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 webserver, and any other applications running on the Linux host.

Timeline

The bug was reported to maintainers on 4/3/2024. A patch was deployed on 6/3/2024, and a second one on 7/3/2024.

Severity

Critical 10.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2024-28185
