A security researcher discovered a vulnerability in the Judge0 system. The patch for it could be bypassed, which led to further vulnerabilities. While the developer eventually patched the issues after repeated exploits, the researcher still suspects that another patch bypass is possible.
Multiple Judge0 Vulnerabilities Emerged Following Repeated Patch Bypass
As explained in a recent blog post, security researcher Daniel Cooper from Tanto Security discovered multiple security issues in the open-source software Judge0. Exploiting the vulnerabilities could allow an adversary to execute arbitrary code on the target Judge0 systems.
Judge0 is an open-source online code execution system that facilitates building apps with code execution features, such as IDEs, e-learning services, and more. The system boasts a huge customer base, indicating its popularity in the tech community. However, this large user base also means that any Judge0 vulnerability, if exploited, could have a huge impact.
Specifically, the researcher found a vulnerability, CVE-2024-28185, in Judge0 that existed because the app didn’t account for symlinks inside the sandbox directory. An attacker could exploit this issue to write arbitrary files and escape the sandbox for code execution.
Following this discovery, the researcher reported the vulnerability to the Judge0 developer, who quickly patched the flaw. However, the researcher could still bypass the patch. This bypass, identified as CVE-2024-28189, lets an adversary create symlinks to a file outside the sandbox and use the Linux chown command on arbitrary files.
The Judge0 developer patched this issue following the researcher’s report; however, the problems persisted. The researcher could bypass the patch again, this time through the vulnerability CVE-2024-29021, which existed due to the default Judge0 configuration that allowed sandbox escape via SSRF.
The researcher shared the technical details of the three vulnerabilities and the subsequent patches in the post.
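The symlink handling behind the first two issues can be shown with a short added example, which is not Judge0's code or the researcher's: a write that follows a symlink placed inside a sandbox directory, next to a write and ownership change that refuse to follow one. The function names, the `box` directory and the `run_script` file name are hypothetical, and the hard-link check goes slightly beyond what the article describes.

```python
import os
import stat
import tempfile

def naive_write(box_dir, name, data):
    # Weak pattern: open() follows a symlink planted at box_dir/name.
    with open(os.path.join(box_dir, name), "wb") as fh:
        fh.write(data)

def safe_write(box_dir, name, data, uid, gid):
    # Hardened pattern: never follow a symlink for the write or the chown.
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("name must be a single path component")
    dir_fd = os.open(box_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW makes open fail (ELOOP) if box_dir/name is a symlink.
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
        fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise OSError("refusing non-regular or hard-linked file")
            fh.truncate(0)
            fh.write(data)
            fh.flush()
            # fchown changes the inode just opened, not whatever a path names.
            os.fchown(fd, uid, gid)
    finally:
        os.close(dir_fd)

def demo():
    # Constructed scenario: a symlink in the sandbox points to a file outside.
    with tempfile.TemporaryDirectory() as root:
        box = os.path.join(root, "box")
        os.mkdir(box)
        outside = os.path.join(root, "outside.txt")
        with open(outside, "wb") as fh:
            fh.write(b"original")
        os.symlink(outside, os.path.join(box, "run_script"))
        try:
            safe_write(box, "run_script", b"job", os.getuid(), os.getgid())
            blocked = False
        except OSError:
            blocked = True
        with open(outside, "rb") as fh:
            after_safe = fh.read()
        naive_write(box, "run_script", b"job")
        with open(outside, "rb") as fh:
            after_naive = fh.read()
    return blocked, after_safe, after_naive
```

Calling `demo()` returns whether the hardened write was refused and the contents of the outside file after each attempt.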
Patch Deployed
Following his report for the third vulnerability, the Judge0 developer patched it again, releasing Judge0 version 1.13.1. Cooper advised all users to update to this latest version immediately to prevent malicious exploits.
While the matter has seemingly been fixed, the researcher still suspects that there could be another way to bypass this patch, as the core arbitrary file write issue persists.