Description
Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox
Summary
Because of the missing checkLink(String) override in the SecurityManager, students can load libraries and execute arbitrary code.
Details
Using System.load(String) or System.loadLibrary(String) students can load and execute arbitrary code.
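    import java.io.File;
    import java.util.List;
    public class Main {
        private static native void start(List<String> args); // implemented by the loaded library
        public static void main(String[] args) {
            System.load(new File("path_to_lib.so").getAbsolutePath()); // not vetoed: no checkLink override
            start(List.of(args));
        }
    }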
Adding this to the security manager (and a translation) should fix the issue:
    // System.load and System.loadLibrary consult checkLink, so that is the method to override
    @Override
    public void checkLink(String lib) {
        try {
            if (enterPublicInterface())
                return;
            throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
        } finally {
            exitPublicInterface();
        }
    }
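A regression check for the fix described above, as an added example that is not code from the advisory or from the Artemis project. SandboxManager, CheckLinkRegression and the library names are hypothetical; the manager blocks every load instead of using the project's enterPublicInterface() logic. It assumes a JDK that still lets a SecurityManager be installed (JDK 18 to 23 need -Djava.security.manager=allow).

```java
import java.security.Permission;

public class CheckLinkRegression {

    /** Hypothetical stand-in for a sandbox manager that decides permissions itself. */
    static class SandboxManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Constructed policy: allow whatever no specific check* method vetoes.
            // The inherited checkLink only forwards RuntimePermission("loadLibrary.<lib>")
            // to this method, so without the override below every load would pass.
        }

        @Override
        public void checkLink(String lib) {
            // Runtime.load and Runtime.loadLibrary call this before looking for the file.
            throw new SecurityException("native library loading is blocked: " + lib);
        }
    }

    /** True if the load was rejected by the manager, false if the JVM went on to link. */
    static boolean linkIsBlocked(Runnable loader) {
        try {
            loader.run();
            return false; // library actually loaded
        } catch (SecurityException e) {
            return true;
        } catch (UnsatisfiedLinkError e) {
            return false; // check passed; the JVM only failed to find the constructed name
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SandboxManager());
        // Constructed names that do not exist: only the security check is exercised.
        boolean byName = linkIsBlocked(() -> System.loadLibrary("constructed_missing_lib"));
        boolean byPath = linkIsBlocked(() -> System.load("/constructed/missing/lib.so"));
        System.setSecurityManager(null); // permitted by the allow-all checkPermission above
        if (!byName || !byPath) {
            throw new AssertionError("checkLink did not block native library loading");
        }
        System.out.println("System.load and System.loadLibrary are both blocked");
    }
}
```

Removing the checkLink override from SandboxManager makes both calls end in UnsatisfiedLinkError instead of SecurityException, which is the gap the advisory describes.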
PoC
See details.
Impact
Arbitrary code execution.
Packages
Name: de.tum.in.ase:artemis-java-test-sandbox (maven)
Affected versions: < 1.11.2
Fixed version: 1.11.2
Related vulnerabilities
CVSS3: 8.2
nvd
about 2 years ago
Artemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code.