forked from cadey/xesite
96 lines
3.0 KiB
Markdown
96 lines
3.0 KiB
Markdown
---
|
|
title: "OVE-20190623-0001"
|
|
date: 2019-06-24
|
|
---
|
|
|
|
# OVE-20190623-0001
|
|
|
|
## Within Security Advisory
|
|
|
|
Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001)
|
|
|
|
> The real CVEs are the friends we made along the way
|
|
|
|
awilfox
|
|
|
|
## Summary
|
|
|
|
While playing with the [V playground](https://vlang.io/play), a root-level
|
|
command injection vulnerability was discovered. This allows for an
|
|
unauthenticated attacker to execute arbitrary root-level commands on the
|
|
playground server.
|
|
|
|
This vulnerability is instantly exploitable by a remote, unauthenticated
|
|
attacker in the default configuration. To remotely exploit this vulnerability,
|
|
an attacker must send specially created HTTP requests to the playground server
|
|
containing a malformed function call.
|
|
|
|
This playground server is not open sourced or versioned yet, but this
|
|
vulnerability has lead to the compromising of the box as reported by the lead
|
|
developer of V.
|
|
|
|
## Remote Exploitation
|
|
|
|
V allows for calling of C functions through a few means:
|
|
|
|
- starting a line with a `#` character
|
|
- calling a C function with the `C.` namespace
|
|
|
|
The V playground insufficiently strips the latter form of the function call,
|
|
allowing an invocation such as this:
|
|
|
|
```
|
|
fn main() {
|
|
C .system(' id')
|
|
}
|
|
```
|
|
|
|
or even this:
|
|
|
|
```
|
|
fn main() {
|
|
C
|
|
.system(' id')
|
|
}
|
|
```
|
|
|
|
As the server is running as the root user, successful exploitation can result
|
|
in an unauthenticated user totally compromising the system, as happened
|
|
earlier yesterday on June 23, 2019. As the source code and configuration of
|
|
the V playground server is unknown, it is not possible to track usage of these
|
|
commands.
|
|
|
|
The playground did attempt to block these attacks; but it appeared to do pattern
|
|
matching on `#` or `C.`, allowing the alternative methods mentioned above.
|
|
|
|
## Security Suggestions
|
|
|
|
Do not run the playground server as a root user outside a container or other
|
|
form of isolation. The fact that this server runs user-submitted code makes
|
|
this kind of thing very difficult to isolate and/or secure properly. The use
|
|
of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or
|
|
[Docker](https://www.docker.com) is suggested. The use of more elaborate
|
|
sandboxing mechanisms like [CloudABI](https://cloudabi.org) or
|
|
[WebAssembly](https://webassembly.org) may be practical for future
|
|
developments, but is admittedly out of scope for this initial class of issues.
|
|
|
|
## GReeTZ
|
|
|
|
Special thanks to the people of [#ponydev](https://pony.dev) for helping to
|
|
discover and toy with this bug.
|
|
|
|
## Timeline
|
|
|
|
All times are Eastern Standard Time.
|
|
|
|
### June 23, 2019
|
|
|
|
- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
|
|
- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
|
|
- 6:26 PM - The V creator was notified of this issue
|
|
- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised
|
|
|
|
### June 24, 2019
|
|
|
|
- 12:00 AM - This security bulletin was released
|