Tanto Security, an esteemed Australian cybersecurity firm, has unveiled a series of critical security loopholes within the Judge0 open-source online code execution platform. These vulnerabilities have the potential to be exploited to achieve code execution on the targeted system.

All three of these flaws, deemed critical, offer a path for an attacker with sufficient privileges to execute a sandbox escape and gain root permissions on the host machine, as detailed in a recently published report by Tanto Security.

Judge0, often referred to as "judge zero," is described by its maintainers as a resilient, scalable, and open-source online code execution system. It finds utility in constructing applications necessitating online code execution functionalities, such as candidate evaluation, e-learning, and online code editors and Integrated Development Environments (IDEs).

The flaws, brought to light and reported by Daniel Cooper in March 2024, are outlined below:


CVE-2024-28185 (CVSS score: 10.0)
- This flaw arises from the application's failure to consider symlinks placed within the sandbox directory, enabling attackers to write to arbitrary files and achieve code execution beyond the sandbox.
CVE-2024-28189 (CVSS score: 10.0)
- A workaround for CVE-2024-28185, this vulnerability stems from utilizing the UNIX chown command on an untrusted file within the sandbox. Attackers can exploit this by crafting a symbolic link (symlink) to a file outside the sandbox, facilitating chown execution on arbitrary files beyond the sandbox.
CVE-2024-29021 (CVSS score: 9.1)
- The default setup of Judge0 exposes the service to a sandbox escape via Server-Side Request Forgery (SSRF), granting attackers with sufficient access to the Judge0 API the ability to execute unsandboxed code as root on the target machine.
These vulnerabilities trace back to a Ruby script named "isolate_job.rb," which oversees sandbox setup, code execution, and result storage.

Specifically, the exploit involves placing a symbolic link in the sandbox directory before the bash script that runs the program for the submission's language is started; because the symlink is followed, the submission can write to an arbitrary file on the unsandboxed system.

Exploiting this flaw could allow threat actors to overwrite scripts on the system, leading to code execution outside of the sandbox and within the Docker container handling the submission job.

Furthermore, because the Docker container is started with the privileged flag, as configured in docker-compose.yml, attackers could escalate their privileges beyond the container.
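The root cause of the first two flaws is a file operation inside the sandbox that trusts the path it is given and follows a symlink out of the sandbox. The following Ruby helper is an added illustration of the defensive pattern, not code from Judge0 or from the Tanto Security report: it walks every component of a sandbox-relative path with lstat, refuses to proceed if any component is a symlink, and then opens the final path with O_NOFOLLOW so that a symlink swapped in after the check is still rejected. The sandbox layout, the helper names and the temporary directory used in the demo are all constructed for this example.

```ruby
require "fileutils"
require "tmpdir"

# Resolve a sandbox-relative path without ever following a symlink.
# Every component is inspected with lstat (which does not follow links);
# absolute paths and ".." components are rejected outright.
def safe_sandbox_path(sandbox_root, relative)
  root = File.realpath(sandbox_root)
  raise ArgumentError, "absolute paths are not allowed: #{relative}" if relative.start_with?("/")

  current = root
  relative.split("/").reject(&:empty?).each do |part|
    raise ArgumentError, "traversal component not allowed: #{part}" if part == ".." || part == "."
    current = File.join(current, part)
    # Dangling symlinks fail File.exist?, so check File.symlink? as well.
    next unless File.exist?(current) || File.symlink?(current)
    raise SecurityError, "refusing to follow symlink inside sandbox: #{current}" if File.lstat(current).symlink?
  end
  current
end

# Write a file inside the sandbox. File::NOFOLLOW closes the window between
# the lstat check above and the open (a symlink planted in between raises ELOOP).
def safe_write(sandbox_root, relative, content)
  path = safe_sandbox_path(sandbox_root, relative)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW, 0o600) do |f|
    f.write(content)
  end
  path
end

# Demo on a constructed sandbox: a hostile symlink named like a runner script
# points at a file outside the sandbox; a regular source file is written normally.
def demo
  Dir.mktmpdir("sandbox-demo") do |tmp|
    sandbox = File.join(tmp, "box")
    outside = File.join(tmp, "outside.txt")
    FileUtils.mkdir_p(sandbox)
    File.write(outside, "untouched")
    File.symlink(outside, File.join(sandbox, "run.sh")) # constructed hostile symlink

    results = {}
    begin
      safe_write(sandbox, "run.sh", "overwritten")
      results[:symlink] = :written
    rescue SecurityError, Errno::ELOOP
      results[:symlink] = :blocked
    end
    results[:outside_content] = File.read(outside)

    safe_write(sandbox, "main.rb", "puts 1")
    results[:regular] = File.read(File.join(sandbox, "main.rb"))
    results
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The same discipline applies to ownership changes: an ownership fix-up on a sandbox file should use File.lchown (which operates on the link itself) or run only after the lstat walk above, rather than calling chown on a path the submission controls. Note that O_NOFOLLOW protects only the final path component, which is why the per-component lstat walk is still needed for the directories leading to it.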

"This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system," remarked Herman Došilović of Judge0.

"From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host."

CVE-2024-29021, on the other hand, concerns a configuration that permits interaction with Judge0's PostgreSQL database within the internal Docker network, enabling attackers to utilize SSRF to connect to the database, modify column data types, and ultimately execute commands.

In response to responsible disclosure, these vulnerabilities have been rectified in version 1.13.1 released on April 18, 2024. Users of Judge0 are strongly urged to update to the latest version to mitigate potential risks.