Compilation time command execution vulnerability #318
Comments
Thanks for reporting this. We've disabled Nim on dmoj.ca. The DMOJ judge should not (and refuses to) be run as root, and the judge user should be set up by the sysadmin to be fairly locked down in its abilities to do anything nefarious (this may include process/disk limits, firewall allowing access to only the bridge address/port, etc.) so that potential damage in case of unsecured code execution is minimized. That said, Nim allowing arbitrary code execution as part of its regular features is problematic, but we also can't reliably sandbox compilers the same way we do runtimes. It would theoretically be possible to develop some sort of "compilation host" service running inside e.g. Docker instances, but this would be a large engineering effort to be viable right now. For now, it would probably be best to entirely remove Nim support (unless
Also, we have added security@dmoj.ca for security reports and added https://dmoj.ca/.well-known/security.txt. If there are additional runtimes affected, please send it to that address first. If you or @zielmicha wish to be credited, we will add it to https://dmoj.ca/security/.
As compilation is not sandboxed, a user is able to execute arbitrary commands on the judge host.
Example in Nim:
The command runs with judge privileges and has full access to the machine. More interesting example:
After submitting this to my DMOJ instance (via web interface) the `test` executable was running even after the judge had returned with a compile error and had to be killed manually. One could simply replace `while(1){}` with a socket connection/ssh session to a remote machine or any other malicious code.

This issue was first found by @zielmicha
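The thread mentions process/disk limits for the judge user, and the report notes that the `test` executable outlived the compile step. The following is an added example, not DMOJ's code, showing one way a judge could run a compiler in its own session under resource limits and kill anything it leaves behind. The names `run_compiler`, `gone` and `demo`, the limit values, and the `sh -c` stand-in for a compiler are assumptions made for this sketch (Linux only).

```python
import contextlib
import os
import resource
import signal
import subprocess
import tempfile
import time

def _limits():
    # Runs in the child before exec: cap CPU seconds and largest file written.
    for res, cap in ((resource.RLIMIT_CPU, 10), (resource.RLIMIT_FSIZE, 64 << 20)):
        hard = resource.getrlimit(res)[1]
        cap = cap if hard == resource.RLIM_INFINITY else min(cap, hard)
        resource.setrlimit(res, (cap, cap))

def run_compiler(argv, timeout=15):
    """Run argv in its own session and kill whatever it leaves behind."""
    with tempfile.TemporaryFile() as log:  # file, not pipe: orphans cannot stall the read
        proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL, stdout=log, stderr=log,
                                start_new_session=True, preexec_fn=_limits)
        with contextlib.suppress(subprocess.TimeoutExpired):
            proc.wait(timeout=timeout)
        # New session => pgid == pid. A child that calls setsid() itself escapes this kill.
        with contextlib.suppress(ProcessLookupError):
            os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        log.seek(0)
        return proc.returncode, log.read()

def gone(pid, tries=40):
    """Poll /proc until pid is absent or a zombie (SIGKILL delivery is asynchronous)."""
    for _ in range(tries):
        try:
            with open(f"/proc/{pid}/stat") as f:
                if f.read().rsplit(")", 1)[1].split()[0] == "Z":
                    return True
        except OSError:
            return True
        time.sleep(0.05)
    return False

def demo():
    # Constructed stand-in: spawns a background process at "compile time", then fails.
    with tempfile.TemporaryDirectory() as d:
        script = f'sleep 60 & echo $! > "{d}/pid"; echo "compile error"; exit 1'
        rc, out = run_compiler(["sh", "-c", script])
        with open(f"{d}/pid") as f:
            pid = int(f.read())
    return rc, out, gone(pid)
```

Process-group cleanup only covers children that stay in the session; containing a process that detaches itself needs cgroups or a PID namespace, which is closer to the "compilation host" idea raised in the maintainer's comment.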