Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001)
> The real CVEs are the friends we made along the way
awilfox
## Summary
While playing with the [V playground](https://vlang.io/play), a root-level
command injection vulnerability was discovered. This allows for an
unauthenticated attacker to execute arbitrary root-level commands on the
playground server.
This vulnerability is instantly exploitable by a remote, unauthenticated
attacker in the default configuration. To remotely exploit this vulnerability,
an attacker must send specially created HTTP requests to the playground server
containing a malformed function call.
This playground server is not open sourced or versioned yet, but this
vulnerability has lead to the compromising of the box as reported by the lead
developer of V.
## Remote Exploitation
V allows for calling of C functions through a few means:
- starting a line with a `#` character
- calling a C function with the `C.` namespace
The V playground insufficiently strips the latter form of the function call,
allowing an invocation such as this:
```
fn main() {
C .system(' id')
}
```
or even this:
```
fn main() {
C
.system(' id')
}
```
As the server is running as the root user, successful exploitation can result
in an unauthenticated user totally compromising the system, as happened
earlier yesterday on June 23, 2019. As the source code and configuration of
the V playground server is unknown, it is not possible to track usage of these
commands.
The playground did attempt to block these attacks; but it appeared to do pattern
matching on `#` or `C.`, allowing the alternative methods mentioned above.
## Security Suggestions
Do not run the playground server as a root user outside a container or other
form of isolation. The fact that this server runs user-submitted code makes
this kind of thing very difficult to isolate and/or secure properly. The use
of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or
[Docker](https://www.docker.com) is suggested. The use of more elaborate
sandboxing mechanisms like [CloudABI](https://cloudabi.org) or
[WebAssembly](https://webassembly.org) may be practical for future
developments, but is admittedly out of scope for this initial class of issues.
## GReeTZ
Special thanks to the people of [#ponydev](https://pony.dev) for helping to
discover and toy with this bug.
## Timeline
All times are Eastern Standard Time.
### June 23, 2019
- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
- 6:26 PM - The V creator was notified of this issue
- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised