forked from cadey/xesite
OVE-20190623-0001 (#58)
* OVE-20190623-0001 * Update OVE-20190623-0001.md * French got into my head :D
This commit is contained in:
parent
0986b1d5a6
commit
b0644a82c5
|
@ -0,0 +1,95 @@
|
|||
---
|
||||
title: "OVE-20190623-0001"
|
||||
date: 2019-06-24
|
||||
---
|
||||
|
||||
# OVE-20190623-0001
|
||||
|
||||
## Within Security Advisory
|
||||
|
||||
Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001)
|
||||
|
||||
> The real CVEs are the friends we made along the way
|
||||
|
||||
awilfox
|
||||
|
||||
## Summary
|
||||
|
||||
While playing with the [V playground](https://vlang.io/play), a root-level
|
||||
command injection vulnerability was discovered. This allows for an
|
||||
unauthenticated attacker to execute arbitrary root-level commands on the
|
||||
playground server.
|
||||
|
||||
This vulnerability is instantly exploitable by a remote, unauthenticated
|
||||
attacker in the default configuration. To remotely exploit this vulnerability,
|
||||
an attacker must send specially created HTTP requests to the playground server
|
||||
containing a malformed function call.
|
||||
|
||||
This playground server is not open sourced or versioned yet, but this
|
||||
vulnerability has lead to the compromising of the box as reported by the lead
|
||||
developer of V.
|
||||
|
||||
## Remote Exploitation
|
||||
|
||||
V allows for calling of C functions through a few means:
|
||||
|
||||
- starting a line with a `#` character
|
||||
- calling a C function with the `C.` namespace
|
||||
|
||||
The V playground insufficiently strips the latter form of the function call,
|
||||
allowing an invocation such as this:
|
||||
|
||||
```
|
||||
fn main() {
|
||||
C .system(' id')
|
||||
}
|
||||
```
|
||||
|
||||
or even this:
|
||||
|
||||
```
|
||||
fn main() {
|
||||
C
|
||||
.system(' id')
|
||||
}
|
||||
```
|
||||
|
||||
As the server is running as the root user, successful exploitation can result
|
||||
in an unauthenticated user totally compromising the system, as happened
|
||||
earlier yesterday on June 23, 2019. As the source code and configuration of
|
||||
the V playground server is unknown, it is not possible to track usage of these
|
||||
commands.
|
||||
|
||||
The playground did attempt to block these attacks; but it appeared to do pattern
|
||||
matching on `#` or `C.`, allowing the alternative methods mentioned above.
|
||||
|
||||
## Security Suggestions
|
||||
|
||||
Do not run the playground server as a root user outside a container or other
|
||||
form of isolation. The fact that this server runs user-submitted code makes
|
||||
this kind of thing very difficult to isolate and/or secure properly. The use
|
||||
of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or
|
||||
[Docker](https://www.docker.com) is suggested. The use of more elaborate
|
||||
sandboxing mechanisms like [CloudABI](https://cloudabi.org) or
|
||||
[WebAssembly](https://webassembly.org) may be practical for future
|
||||
developments, but is admittedly out of scope for this initial class of issues.
|
||||
|
||||
## GReeTZ
|
||||
|
||||
Special thanks to the people of [#ponydev](https://pony.dev) for helping to
|
||||
discover and toy with this bug.
|
||||
|
||||
## Timeline
|
||||
|
||||
All times are Eastern Standard Time.
|
||||
|
||||
### June 23, 2019
|
||||
|
||||
- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
|
||||
- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
|
||||
- 6:26 PM - The V creator was notified of this issue
|
||||
- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised
|
||||
|
||||
### June 24, 2019
|
||||
|
||||
- 12:00 AM - This security bulletin was released
|
Loading…
Reference in New Issue