xesite/blog/OVE-20190623-0001.md

3.0 KiB

title date tags
OVE-20190623-0001 2019-06-24
v
security
release

OVE-20190623-0001

Within Security Advisory

Root-level Remote Command Injection in the V playground (OVE-20190623-0001)

The real CVEs are the friends we made along the way

awilfox

Summary

While playing with the V playground, a root-level command injection vulnerability was discovered. This allows for an unauthenticated attacker to execute arbitrary root-level commands on the playground server.

This vulnerability is instantly exploitable by a remote, unauthenticated attacker in the default configuration. To remotely exploit this vulnerability, an attacker must send specially created HTTP requests to the playground server containing a malformed function call.

This playground server is not open sourced or versioned yet, but this vulnerability has lead to the compromising of the box as reported by the lead developer of V.

Remote Exploitation

V allows for calling of C functions through a few means:

  • starting a line with a # character
  • calling a C function with the C. namespace

The V playground insufficiently strips the latter form of the function call, allowing an invocation such as this:

fn main() {
  C .system(' id')
}

or even this:

fn main() {
	C
		.system(' id')
}

As the server is running as the root user, successful exploitation can result in an unauthenticated user totally compromising the system, as happened earlier yesterday on June 23, 2019. As the source code and configuration of the V playground server is unknown, it is not possible to track usage of these commands.

The playground did attempt to block these attacks; but it appeared to do pattern matching on # or C., allowing the alternative methods mentioned above.

Security Suggestions

Do not run the playground server as a root user outside a container or other form of isolation. The fact that this server runs user-submitted code makes this kind of thing very difficult to isolate and/or secure properly. The use of an explicit sandboxing environment like gVisor or Docker is suggested. The use of more elaborate sandboxing mechanisms like CloudABI or WebAssembly may be practical for future developments, but is admittedly out of scope for this initial class of issues.

GReeTZ

Special thanks to the people of #ponydev for helping to discover and toy with this bug.

Timeline

All times are Eastern Standard Time.

June 23, 2019

  • 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
  • 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
  • 6:26 PM - The V creator was notified of this issue
  • 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised

June 24, 2019

  • 12:00 AM - This security bulletin was released