Headline
GHSA-98hq-4wmw-98w9: Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox
Summary
Because of the missing checkLink(String) override in the SecurityManager, students can load libraries and execute arbitrary code.
Details
Using System.load(String) or System.loadLibrary(String), students can load and execute arbitrary code.
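import java.io.File;
import java.util.List;

public class Main {
    private static native void start(List<String> args); // implemented in the loaded library
    public static void main(String[] args) {
        System.load(new File("path_to_lib.so").getAbsolutePath()); // reaches checkLink, which is not overridden
        start(List.of(args));
    }
}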
Adding this to the security manager (and a translation) should fix the issue:
// checkLink is the SecurityManager hook consulted by System.load and System.loadLibrary
@Override
public void checkLink(String lib) {
    try {
        if (enterPublicInterface())
            return;
        throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
    } finally {
        exitPublicInterface();
    }
}
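The hook in question, shown as an added example that is not part of the advisory or the Ares code base: System.loadLibrary consults SecurityManager.checkLink before it searches for the library, so a manager that never overrides it lets the load proceed. The class names and the library name are constructed, and the code assumes a JDK that still permits installing a SecurityManager (the default up to JDK 17).

```java
import java.security.Permission;

public class CheckLinkDemo {
    // Constructed stand-in for a sandbox manager that never overrides checkLink.
    // The inherited checkLink defers to checkPermission, which allows everything here.
    static class MissingLinkCheck extends SecurityManager {
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
    }

    // Same manager with the missing hook added. A real sandbox would still let
    // its own trusted code through; this simplified version denies every caller.
    static class WithLinkCheck extends MissingLinkCheck {
        @Override
        public void checkLink(String lib) {
            throw new SecurityException("native library loading denied: " + lib);
        }
    }

    // Requests a library that does not exist (constructed name) and reports
    // how far the JVM got, so no native code is ever loaded.
    static String probe(SecurityManager sm) {
        System.setSecurityManager(sm);
        try {
            System.loadLibrary("constructed_missing_lib");
            return "loaded";
        } catch (SecurityException e) {
            return "blocked by checkLink before any library lookup";
        } catch (UnsatisfiedLinkError e) {
            return "check passed, loader went on to search java.library.path";
        }
    }

    public static void main(String[] args) {
        System.out.println("without override: " + probe(new MissingLinkCheck()));
        System.out.println("with override:    " + probe(new WithLinkCheck()));
    }
}
```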
PoC
See details.
Impact
Arbitrary code execution.
High severity GitHub Reviewed Published Feb 10, 2023 in ls1intum/Ares • Updated Feb 10, 2023
Package
maven de.tum.in.ase:artemis-java-test-sandbox (Maven)
Affected versions
< 1.11.2
Last updated
Feb 10, 2023
Published to the GitHub Advisory Database
Feb 10, 2023