author Christine Dodrill <me@christine.website> 2019-06-24 00:00:01 -0400
committer GitHub <noreply@github.com> 2019-06-24 00:00:01 -0400
commit b0644a82c5f99884213ed3ea2d438e0f0c605f04 (patch)
tree 9413dcd86bda678e72416ef331a12c6139fa2463
parent 0986b1d5a61810f35edc7a024c75c5713b4d83d6 (diff)
OVE-20190623-0001 (#58)
* OVE-20190623-0001
* Update OVE-20190623-0001.md
* French got into my head :D

-rw-r--r-- blog/OVE-20190623-0001.md 95
1 files changed, 95 insertions, 0 deletions
diff --git a/blog/OVE-20190623-0001.md b/blog/OVE-20190623-0001.md
new file mode 100644
index 0000000..2817f92
--- /dev/null
+++ b/blog/OVE-20190623-0001.md
@@ -0,0 +1,95 @@
+---
+title: "OVE-20190623-0001"
+date: 2019-06-24
+---
+
+# OVE-20190623-0001
+
+## Within Security Advisory
+
+Root-level Remote Command Injection in the [V](https://vlang.io) playground (OVE-20190623-0001)
+
+> The real CVEs are the friends we made along the way
+
+awilfox
+
+## Summary
+
+While playing with the [V playground](https://vlang.io/play), a root-level
+command injection vulnerability was discovered. This allows for an
+unauthenticated attacker to execute arbitrary root-level commands on the
+playground server.
+
+This vulnerability is instantly exploitable by a remote, unauthenticated
+attacker in the default configuration. To remotely exploit this vulnerability,
+an attacker must send specially created HTTP requests to the playground server
+containing a malformed function call.
+
+This playground server is not open sourced or versioned yet, but this
+vulnerability has lead to the compromising of the box as reported by the lead
+developer of V.
+
+## Remote Exploitation
+
+V allows for calling of C functions through a few means:
+
+- starting a line with a `#` character
+- calling a C function with the `C.` namespace
+
+The V playground insufficiently strips the latter form of the function call,
+allowing an invocation such as this:
+
+```
+fn main() {
+ C .system(' id')
+}
+```
+
+or even this:
+
+```
+fn main() {
+ C
+ .system(' id')
+}
+```
+
+As the server is running as the root user, successful exploitation can result
+in an unauthenticated user totally compromising the system, as happened
+earlier yesterday on June 23, 2019. As the source code and configuration of
+the V playground server is unknown, it is not possible to track usage of these
+commands.
+
+The playground did attempt to block these attacks; but it appeared to do pattern
+matching on `#` or `C.`, allowing the alternative methods mentioned above.
+
+## Security Suggestions
+
+Do not run the playground server as a root user outside a container or other
+form of isolation. The fact that this server runs user-submitted code makes
+this kind of thing very difficult to isolate and/or secure properly. The use
+of an explicit sandboxing environment like [gVisor](https://gvisor.dev) or
+[Docker](https://www.docker.com) is suggested. The use of more elaborate
+sandboxing mechanisms like [CloudABI](https://cloudabi.org) or
+[WebAssembly](https://webassembly.org) may be practical for future
+developments, but is admittedly out of scope for this initial class of issues.
+
+## GReeTZ
+
+Special thanks to the people of [#ponydev](https://pony.dev) for helping to
+discover and toy with this bug.
+
+## Timeline
+
+All times are Eastern Standard Time.
+
+### June 23, 2019
+
+- 4:56 PM - The first exploit was found and the contents of /etc/passwd were dumped, other variants of this attack were proposed and tested in the meantime
+- 5:00 PM - The V playground server stopped replying to HTTP and ICMP messages
+- 6:26 PM - The V creator was notified of this issue
+- 7:02 PM - The V creator acknowledged the issue and admitted the machine was compromised
+
+### June 24, 2019
+
+- 12:00 AM - This security bulletin was released
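Review bot: the Security Suggestions section (the paragraph beginning "Do not run the playground server as a root user") covers only privilege and isolation, while the root cause stated under Remote Exploitation is that blocking relied on textual pattern matching for `#` and `C.`, which the whitespace and newline variants shown in the two code blocks evade. Suggest adding a sentence that a source-text denylist cannot be made complete and that any remaining filter should be applied to the parsed program (rejecting references to the `C` module regardless of surrounding whitespace), with isolation treated as the primary control rather than a fallback. Two smaller points: "has lead to the compromising of the box" should read "has led to the compromise of the box", and the Timeline states "All times are Eastern Standard Time" while the commit timestamp carries a -0400 offset, which is Eastern Daylight Time in June.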