---
title: "OVE-20190623-0001"
date: 2019-06-24
tags:
 - v
 - security
 - release
---

## Within Security Advisory

Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001)

> The real CVEs are the friends we made along the way

awilfox

## Summary

While playing with the [V playground](https://vlang.io/play), a root-level 
command injection vulnerability was discovered. This allows for an 
unauthenticated attacker to execute arbitrary root-level commands on the
playground server.

This vulnerability is instantly exploitable by a remote, unauthenticated
attacker in the default configuration. To remotely exploit this vulnerability,
an attacker must send specially created HTTP requests to the playground server
containing a malformed function call.

This playground server is not open sourced or versioned yet, but this 
vulnerability has lead to the compromising of the box as reported by the lead
developer of V.

## Remote Exploitation

V allows for calling of C functions through a few means:

- starting a line with a `#` character
- calling a C function with the `C.` namespace

The V playground insufficiently strips the latter form of the function call,
allowing an invocation such as this:

```
fn main() {
  C .system(' id')
}
```

or even this:

```
fn main() {
	C
		.system(' id')
}
```

As the server is running as the root user, successful exploitation can result
in an unauthenticated user totally compromising the system, as happened 
earlier yesterday on June 23, 2019. As the source code and configuration of 
the V playground server is unknown, it is not possible to track usage of these 
commands. 

The playground did attempt to block these attacks; but it appeared to do pattern 
matching on `#` or `C.`, allowing the alternative methods mentioned above.

## Security Suggestions

Do not run the playground server as a root user outside a container or other
form of isolation. The fact that this server runs user-submitted code makes
this kind of thing very difficult to isolate and/or secure properly. The use
of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or
[Docker](https://www.docker.com) is suggested. The use of more elaborate 
sandboxing mechanisms like [CloudABI](https://cloudabi.org) or 
[WebAssembly](https://webassembly.org) may be practical for future 
developments, but is admittedly out of scope for this initial class of issues.

## GReeTZ

Special thanks to the people of [#ponydev](https://pony.dev) for helping to 
discover and toy with this bug.

## Timeline

All times are Eastern Standard Time.

### June 23, 2019

- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
- 6:26 PM - The V creator was notified of this issue
- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised

### June 24, 2019

- 12:00 AM - This security bulletin was released