From b0644a82c5f99884213ed3ea2d438e0f0c605f04 Mon Sep 17 00:00:00 2001 From: Christine Dodrill Date: Mon, 24 Jun 2019 00:00:01 -0400 Subject: [PATCH] OVE-20190623-0001 (#58) * OVE-20190623-0001 * Update OVE-20190623-0001.md * French got into my head :D --- blog/OVE-20190623-0001.md | 95 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 blog/OVE-20190623-0001.md diff --git a/blog/OVE-20190623-0001.md b/blog/OVE-20190623-0001.md new file mode 100644 index 0000000..2817f92 --- /dev/null +++ b/blog/OVE-20190623-0001.md @@ -0,0 +1,95 @@ +--- +title: "OVE-20190623-0001" +date: 2019-06-24 +--- + +# OVE-20190623-0001 + +## Within Security Advisory + +Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001) + +> The real CVEs are the friends we made along the way + +awilfox + +## Summary + +While playing with the [V playground](https://vlang.io/play), a root-level +command injection vulnerability was discovered. This allows for an +unauthenticated attacker to execute arbitrary root-level commands on the +playground server. + +This vulnerability is instantly exploitable by a remote, unauthenticated +attacker in the default configuration. To remotely exploit this vulnerability, +an attacker must send specially created HTTP requests to the playground server +containing a malformed function call. + +This playground server is not open sourced or versioned yet, but this +vulnerability has lead to the compromising of the box as reported by the lead +developer of V. + +## Remote Exploitation + +V allows for calling of C functions through a few means: + +- starting a line with a `#` character +- calling a C function with the `C.` namespace + +The V playground insufficiently strips the latter form of the function call, +allowing an invocation such as this: + +``` +fn main() { + C .system(' id') +} +``` + +or even this: + +``` +fn main() { + C + .system(' id') +} +``` + +As the server is running as the root user, successful exploitation can result +in an unauthenticated user totally compromising the system, as happened +earlier yesterday on June 23, 2019. As the source code and configuration of +the V playground server is unknown, it is not possible to track usage of these +commands. + +The playground did attempt to block these attacks; but it appeared to do pattern +matching on `#` or `C.`, allowing the alternative methods mentioned above. + +## Security Suggestions + +Do not run the playground server as a root user outside a container or other +form of isolation. The fact that this server runs user-submitted code makes +this kind of thing very difficult to isolate and/or secure properly. The use +of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or +[Docker](https://www.docker.com) is suggested. The use of more elaborate +sandboxing mechanisms like [CloudABI](https://cloudabi.org) or +[WebAssembly](https://webassembly.org) may be practical for future +developments, but is admittedly out of scope for this initial class of issues. + +## GReeTZ + +Special thanks to the people of [#ponydev](https://pony.dev) for helping to +discover and toy with this bug. + +## Timeline + +All times are Eastern Standard Time. + +### June 23, 2019 + +- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime +- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages +- 6:26 PM - The V creator was notified of this issue +- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised + +### June 24, 2019 + +- 12:00 AM - This security bulletin was released