Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced "judge zero") is described by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that need online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers including AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below –
- CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
- CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 that stems from the use of the UNIX chown command on an untrusted file inside the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox.
- CVE-2024-29021 (CVSS score: 9.1) – The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server-Side Request Forgery (SSRF). This allows an attacker with sufficient access to the Judge0 API to obtain unsandboxed code execution as root on the target machine.
The problem is rooted in a Ruby script named "isolate_job.rb," which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, it involves creating a symbolic link in the directory before a bash script is set up to execute the program based on the submission language, such that it allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What's more, the attacker could escalate their privileges outside of the Docker container because it is run using the privileged flag as specified in docker-compose.yml.
"This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system," Judge0's Herman Došilović said.
"From this point the attacker will have full access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host."
CVE-2024-29021, on the other hand, has to do with a configuration that permits communicating with Judge0's PostgreSQL database available within the internal Docker network, thus enabling the adversary to weaponize the SSRF to connect to the database and modify the datatype of relevant columns and ultimately achieve command injection.
Following responsible disclosure, the shortcomings have been addressed in version 1.13.1 released on April 18, 2024. Users of Judge0 are recommended to update to the latest version to mitigate potential threats.
Some parts of this post are sourced from:
thehackernews.com