Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system.
The three flaws, all critical in nature, allow an “adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine,” Australian cybersecurity firm Tanto Security said in a report published today.
Judge0 (pronounced “judge zero”) is described by its maintainers as a “robust, scalable, and open-source online code execution system” that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs.
According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been forked 412 times on GitHub to date.
The flaws, discovered and reported by Daniel Cooper in March 2024, are listed below –
The problem is rooted in a Ruby script named “isolate_job.rb,” which is responsible for setting up the sandbox, as well as running the code and storing the results of the execution.
Specifically, the issue stems from a symbolic link being created in the sandbox directory before a bash script is set up to execute the program for the submission language, which allows writing to an arbitrary file on the unsandboxed system.
A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.
What’s more, the attacker could escalate their privileges outside of the Docker container because the container is run with the privileged flag, as specified in docker-compose.yml.
“This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system,” Judge0’s Herman Došilović said.
“From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”
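The root cause above is a file write inside a sandbox directory that follows a symbolic link out of the sandbox. The following Ruby snippet is an added illustration of the defensive pattern, not Judge0’s own code: the helper `write_in_box` (a hypothetical name) refuses to write through a symlink or through a symlinked directory component, and `demo` exercises it on a constructed temporary directory.

```ruby
require 'tmpdir'

class UnsafePathError < StandardError; end

# Write +data+ to +name+ inside +box_dir+ without following symlinks that
# untrusted code may have planted there. Hypothetical helper, not from Judge0.
def write_in_box(box_dir, name, data)
  box = File.realpath(box_dir)
  target = File.expand_path(name, box)
  # Reject names that leave the sandbox directory lexically ("../x").
  unless target.start_with?(box + File::SEPARATOR)
    raise UnsafePathError, "path escapes sandbox: #{name}"
  end
  # Resolve the parent physically so a symlinked directory component is caught.
  parent = File.realpath(File.dirname(target))
  unless parent == box || parent.start_with?(box + File::SEPARATOR)
    raise UnsafePathError, "parent directory resolves outside sandbox: #{name}"
  end
  # The final component must not be a symlink either.
  raise UnsafePathError, "refusing to follow symlink: #{name}" if File.symlink?(target)
  # O_NOFOLLOW closes the race between the check above and the open.
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(target, flags, 0o600) { |f| f.write(data) }
  target
end

# Constructed scenario: a planted symlink named run.sh points at a file outside
# the box; the write is rejected and the outside file stays untouched, while a
# plain file inside the box is written normally.
def demo
  Dir.mktmpdir do |host|
    Dir.mktmpdir do |box|
      outside = File.join(host, 'outside.txt')
      File.write(outside, 'original')
      File.symlink(outside, File.join(box, 'run.sh'))
      rejected = begin
        write_in_box(box, 'run.sh', 'overwritten')
        false
      rescue UnsafePathError
        true
      end
      write_in_box(box, 'compile.sh', 'echo ok')
      [rejected, File.read(outside), File.read(File.join(box, 'compile.sh'))]
    end
  end
end
```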
CVE-2024-29021, on the other hand, stems from a configuration that permits communicating with Judge0’s PostgreSQL database, which is reachable inside the internal Docker network; this enables the adversary to weaponize the SSRF to connect to the database, change the data type of relevant columns, and ultimately achieve command injection.
Following responsible disclosure, the shortcomings have been addressed in version 1.13.1 released on April 18, 2024. Users of Judge0 are advised to update to the latest version to mitigate potential threats.