
OVE-20190623-0001: V playground allows remote users to run arbitrary code as root


Within Security Advisory

Root-level Remote Command Injection in the V playground (OVE-20190623-0001)

The real CVEs are the friends we made along the way

awilfox

Summary

While playing with the V playground, a root-level command injection vulnerability was discovered. This allows for an unauthenticated attacker to execute arbitrary root-level commands on the playground server.

This vulnerability is instantly exploitable by a remote, unauthenticated attacker in the default configuration. To remotely exploit this vulnerability, an attacker must send specially created HTTP requests to the playground server containing a malformed function call.

This playground server is not open sourced or versioned yet, but this vulnerability has led to the compromise of the box, as reported by the lead developer of V.

Remote Exploitation

V allows for calling of C functions through a few means:

  • starting a line with a # character
  • calling a C function with the C. namespace

The V playground insufficiently strips the latter form of the function call, allowing an invocation such as this:

fn main() {
  C .system(' id')
}

or even this:

fn main() {
	C
		.system(' id')
}

As the server is running as the root user, successful exploitation can result in an unauthenticated user totally compromising the system, as happened yesterday, June 23, 2019. As the source code and configuration of the V playground server are unknown, it is not possible to track usage of these commands.

The playground did attempt to block these attacks, but it appeared to do pattern matching on the literal strings # or C., which the whitespace-separated forms shown above do not contain.
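The filter weakness described above, as an added example that is not from the original advisory or the V project: `naive_filter_blocks` is an assumed reconstruction of the playground's check (its source is not public), and the sample programs are constructed from the snippets on this page. `find_c_interop` is a hypothetical whitespace-tolerant matcher suited to logging and triage of submissions; it does not replace the isolation recommended under Security Suggestions.

```python
import re

# Constructed samples. "direct" is the form the filter anticipated; "space"
# and "newline" are the two variants printed in the advisory.
SAMPLES = {
    "direct": "fn main() {\n  C.system(' id')\n}\n",
    "space": "fn main() {\n  C .system(' id')\n}\n",
    "newline": "fn main() {\n\tC\n\t\t.system(' id')\n}\n",
    "benign": "fn main() {\n  println('hello')\n}\n",
}


def naive_filter_blocks(src: str) -> bool:
    """Assumed reconstruction: literal substring match on '#' or 'C.'."""
    return "#" in src or "C." in src


# Identifier `C` (not the tail of a longer name), any whitespace including
# newlines, then the dot that opens the C namespace.
C_NAMESPACE = re.compile(r"(?<![A-Za-z0-9_])C\s*\.")
# A line whose first non-blank character is '#'.
HASH_LINE = re.compile(r"^\s*#", re.MULTILINE)


def find_c_interop(src: str) -> list:
    """Return sorted (line_number, kind) pairs for each C-interop construct.

    Covers only the two entry points and the whitespace variants named in
    the advisory. It matches inside string literals too, so it errs toward
    flagging, and it is a logging/triage aid, not a security boundary.
    """
    hits = []
    for m in C_NAMESPACE.finditer(src):
        hits.append((src.count("\n", 0, m.start()) + 1, "C-namespace"))
    for m in HASH_LINE.finditer(src):
        # m.end() - 1 is the '#' itself; \s* may have spanned blank lines.
        hits.append((src.count("\n", 0, m.end() - 1) + 1, "hash-line"))
    return sorted(hits)


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:8} naive_blocks={naive_filter_blocks(src)!s:5} "
              f"findings={find_c_interop(src)}")
```
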

Security Suggestions

Do not run the playground server as a root user outside a container or other form of isolation. The fact that this server runs user-submitted code makes this kind of thing very difficult to isolate and/or secure properly. The use of an explicit sandboxing environment like gVisor or Docker is suggested. The use of more elaborate sandboxing mechanisms like CloudABI or WebAssembly may be practical for future developments, but is admittedly out of scope for this initial class of issues.

GReeTZ

Special thanks to the people of #ponydev for helping to discover and toy with this bug.

Timeline

All times are Eastern Standard Time.

June 23, 2019

  • 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped; other variants of this attack were proposed and tested in the meantime
  • 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
  • 6:26 PM - The V creator was notified of this issue
  • 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised

June 24, 2019

  • 12:00 AM - This security bulletin was released

This article was posted on June 24, 2019. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.
