trampgeek / jobe

jobe is a server that runs small programming jobs in a variety of programming languages
MIT License

Privilege escalation using cputime parameter and runguard #39

Closed myyxl closed 4 years ago

myyxl commented 4 years ago

Hello, I have found a bug that can lead to a privilege escalation. Most of the input which the user can control is escaped using escapeshellarg, but using the cputime parameter, which is not escaped, you can create a command injection which leads to a privilege escalation. Here you can see that cputime is not escaped and is directly set into the sandbox command which is executed by the user www-data. Once you have access to the webroot you can patch runguard to accept root as a valid user and execute commands as root. I also have a proof-of-concept script, but I won't upload it here for security reasons. If there are any further questions, I'll be happy to help.

Sincerely, Marlon

trampgeek commented 4 years ago

Hi Marlon.

Many thanks for finding and reporting the vulnerability. Thanks for the fix, too, though I've chosen to run with a slight variant on your code. I've modified getParam so that if a supplied parameter is non-numeric and the default parameter is numeric, the default is used. Change pushed to github. Please confirm that my change addresses that issue (and any similar ones).

Thanks again

Richard
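The validation rule Richard describes above (a non-numeric value supplied for a parameter whose default is numeric is discarded in favour of the default), shown as an added, stand-alone PHP example; it is not jobe's actual code, and the function names, the `$params` array shape and the runguard option names in the format string are assumptions made for the illustration.

```php
<?php
// Added example: parameter lookup that falls back to the default whenever the
// default is numeric but the supplied value is not. A value that is not a
// number can therefore never reach the sandbox command line as text.
// Signature and $params shape are assumed for this example, not jobe's own.
function getParam(array $params, string $name, $default)
{
    if (!array_key_exists($name, $params)) {
        return $default;
    }
    $value = $params[$name];
    // Numeric default => only a numeric value is acceptable.
    if (is_numeric($default) && !is_numeric($value)) {
        return $default;
    }
    return $value;
}

// Builds the resource-limit part of the sandbox command. The option names are
// assumptions; the point is that %d forces an integer into the command string,
// and a non-numeric request value has already been replaced by the default.
function buildLimitArgs(array $params): string
{
    $cputime = getParam($params, 'cputime', 5);      // seconds, assumed default
    $memory  = getParam($params, 'memorylimit', 200); // MB, assumed default
    return sprintf('--cputime=%d --memsize=%d', $cputime, $memory);
}

// Constructed sample requests: one well-formed, one with a non-numeric cputime.
$wellFormed = ['cputime' => '10', 'memorylimit' => '100'];
$malformed  = ['cputime' => 'ten seconds'];

$ok = buildLimitArgs($wellFormed) === '--cputime=10 --memsize=100'
   && buildLimitArgs($malformed)  === '--cputime=5 --memsize=200';
if (!$ok) {
    throw new RuntimeException('parameter validation did not behave as expected');
}
echo "non-numeric cputime replaced by default: ", buildLimitArgs($malformed), PHP_EOL;
```

Values such as `'10abc'` are rejected by `is_numeric` as well, so the check is stricter than a simple cast would be.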

myyxl commented 4 years ago

Hi Richard, the fix you made works. Command injections aren't possible anymore using the cputime parameter. Thanks for the quick response!

Sincerely, Marlon