CVE-2024-28189

Judge0 vulnerable to Sandbox Escape Patch Bypass via chown running on Symbolic Link

CVSS 10.0 Critical · EPSS 7.2% · CWE-59 · CWE-61
In short

Judge0's sandbox system can be escaped because attackers can create symbolic links that trick the chown command into modifying files outside the intended sandbox area, allowing them to break free from the execution environment.

Technical detail

The vulnerability exists in Judge0's use of the UNIX chown command on untrusted files within the sandbox without proper symlink validation (CWE-59, CWE-61). Because chown follows symbolic links, an attacker can create a symlink inside the sandbox that points to a file outside it, causing chown to change the ownership of arbitrary files and bypassing the sandbox isolation. On its own the impact is limited, but it can be chained to bypass the patch for CVE-2024-28185 and achieve a complete sandbox escape (CVSS 10.0).

Summary generated and translated by AI from the official description.
Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on its own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. This vulnerability is fixed in 1.13.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
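The defensive pattern the fix calls for, as an added example that is not Judge0's own code: a chown helper that inspects the target with lstat, refuses symlinks, requires the resolved path to stay under the sandbox root, and never dereferences a link when it finally calls chown. The sandbox layout, file names and `UnsafePath` class are assumptions constructed for the demo; the demo chowns a file to its current owner so it runs without root.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised when a chown target would reach outside the sandbox."""


def safe_chown(sandbox_root, target, uid, gid):
    """chown a file inside the sandbox without following a symlink.

    Two defences mirror the CWE-59/CWE-61 root cause:
      1. the fully resolved path must stay under sandbox_root, which
         catches a symlinked parent directory as well as a final link;
      2. the final component is inspected with lstat(), which sees a
         symlink as a symlink rather than as the file it points to.
    """
    root = os.path.realpath(sandbox_root)
    resolved = os.path.realpath(target)  # realpath() follows links
    if os.path.commonpath([root, resolved]) != root:
        raise UnsafePath(f"{target!r} resolves outside {root!r}")
    st = os.lstat(target)  # lstat() does not follow a final symlink
    if stat.S_ISLNK(st.st_mode):
        raise UnsafePath(f"{target!r} is a symbolic link; refusing to chown")
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        raise UnsafePath(f"{target!r} is not a regular file or directory")
    # follow_symlinks=False: even if the file is swapped for a link after
    # lstat(), chown acts on the link itself, never on what it points to.
    os.chown(target, uid, gid, follow_symlinks=False)
    return True


def demo():
    """Constructed scenario: a symlink inside the sandbox points at a file
    outside it. Returns (regular file chowned, symlink refused)."""
    with tempfile.TemporaryDirectory() as base:
        sandbox = os.path.join(base, "box")
        os.mkdir(sandbox)
        outside = os.path.join(base, "outside.txt")  # file beyond the sandbox
        open(outside, "w").close()
        inside = os.path.join(sandbox, "submission.txt")
        open(inside, "w").close()
        link = os.path.join(sandbox, "escape")
        os.symlink(outside, link)  # the attacker-controlled symlink
        st = os.stat(inside)  # chown to the current owner: no root needed
        ok = safe_chown(sandbox, inside, st.st_uid, st.st_gid)
        try:
            safe_chown(sandbox, link, st.st_uid, st.st_gid)
            refused = False
        except UnsafePath:
            refused = True
    return ok, refused
```

The equivalent shell-level fix is `chown --no-dereference` (or `lchown(2)`), but the path containment check above is still needed because a symlinked directory earlier in the path is not a final-component link.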
Affected products
judge0 · judge0
