
The Judge0 open-source online code execution system has several severe security issues that could be exploited to execute code on the target system.

The three serious issues allow an “adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine,” Australian cybersecurity firm Tanto Security reported today.

Judge0 (pronounced “judge zero”) is a “robust, scalable, and open-source online code execution system” that may be used to construct candidate assessment, e-learning, and online code editors and IDEs.


According to its website, AlgoDaily, CodeChum, and PYnative are among 23 customers. The project has 412 GitHub forks.

Daniel Cooper found and reported these issues in March 2024:

CVE-2024-28185 – The application does not account for symlinks in the sandbox directory, which an attacker can use to write to arbitrary files and execute code outside the sandbox.

CVE-2024-28189 (CVSS score: 10.0) – A patch bypass for CVE-2024-28185 caused by UNIX chown on an untrusted sandbox file. A malicious attacker can perform chown on any file outside the sandbox by constructing a symbolic link (symlink).

CVE-2024-29021 – Judge0’s default configuration makes it vulnerable to a Server-Side Request Forgery (SSRF) sandbox escape. An attacker with Judge0 API access can execute unsandboxed code as root on the victim machine.

The issue lies in “isolate_job.rb,” a Ruby script that sets up the sandbox, runs the code, and stores the results.

The attack works by placing a symbolic link in the sandbox directory before the script writes the bash wrapper that runs the submission for its language; because the write follows the symlink, it lands in an arbitrary file on the unsandboxed system.

This issue could allow a threat actor to overwrite system scripts and execute code outside the sandbox and on the Docker container conducting the submission job.
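The defensive counterpart to the symlink problem described above is to make sure a write into the sandbox directory can never follow a link out of it. The following is an added example, not code from Judge0 or from the advisory: a hypothetical hardened writer that opens the target with O_NOFOLLOW, verifies via fstat that the opened descriptor is a regular file, and rejects any file name that is not a plain basename. The demo constructs a sandbox containing a symlink named “run” that points at a file outside the sandbox, and shows the write being refused while the outside file stays intact.

```ruby
require "tmpdir"
require "fileutils"

# Raised when the sandbox entry we were asked to write turns out to be a symlink
# (or anything other than a regular file). Hypothetical class for this example.
class SymlinkRejected < StandardError; end

# Write `content` to `name` inside `sandbox_dir` without ever following a symlink.
# Hypothetical hardened helper; not the project's own implementation.
def safe_sandbox_write(sandbox_dir, name, content)
  # Only accept a plain file name: no separators, no traversal, no empty name.
  unless !name.empty? && name == File.basename(name) && name != "." && name != ".."
    raise ArgumentError, "bad file name: #{name.inspect}"
  end
  sandbox_dir = File.realpath(sandbox_dir) # the sandbox root itself must be a real directory
  path = File.join(sandbox_dir, name)

  # O_NOFOLLOW makes the kernel fail with ELOOP if the final path component is a
  # symlink. Doing this in open(2) itself avoids the check-then-use race that a
  # separate lstat followed by a plain write would leave open.
  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  begin
    File.open(path, flags, 0o700) do |f|
      # fstat on the already-open descriptor cannot be raced: confirm we really
      # hold a regular file before writing attacker-influenced content through it.
      raise SymlinkRejected, "not a regular file: #{path}" unless f.stat.file?
      f.write(content)
    end
  rescue Errno::ELOOP
    raise SymlinkRejected, "refusing to follow symlink: #{path}"
  end
  path
end

# Constructed demo: a sandbox whose "run" entry is a symlink to a file outside it.
# Returns a hash describing what happened so the behaviour can be checked.
def demo
  Dir.mktmpdir("outside") do |outside|
    target = File.join(outside, "important.sh")
    File.write(target, "original\n")
    Dir.mktmpdir("sandbox") do |sandbox|
      File.symlink(target, File.join(sandbox, "run"))
      rejected = begin
        safe_sandbox_write(sandbox, "run", "#!/bin/sh\necho injected\n")
        false
      rescue SymlinkRejected
        true
      end
      # A plain file name in the same sandbox is written normally.
      ok_path = safe_sandbox_write(sandbox, "run.sh", "#!/bin/sh\necho hi\n")
      {
        rejected: rejected,
        outside_intact: File.read(target) == "original\n",
        wrote: File.read(ok_path),
      }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo # => {:rejected=>true, :outside_intact=>true, :wrote=>"#!/bin/sh\necho hi\n"}
end
```

The same descriptor-based approach covers the chown case behind the patch bypass: once a file has been opened with O_NOFOLLOW and confirmed regular, ownership changes should go through that descriptor (fchown) rather than through a path that the sandbox user can turn into a symlink.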

The attacker can also escalate privileges outside the Docker container, because the container is run with the privileged flag in docker-compose.yml.

“This will allow the attacker to mount the Linux host filesystem, and the attacker can then write files (for example, a malicious cron job) to gain access to the system,” Judge0’s Herman added.

“From this point, the attacker will have complete access to the Judge0 system, including the database, internal networks, the Judge0 web server, and any other applications running on the Linux host.”

CVE-2024-29021 involves a configuration that allows the adversary to weaponize the SSRF to connect to Judge0’s PostgreSQL database on the internal Docker network, change column datatypes, and inject commands.

Version 1.13.1, issued on April 18, 2024, fixes the issues after responsible disclosure. Judge0 users should update to avoid risks.
