Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05OGhxLTR3bXctOTh3Oc4AAxiI
Arbitrary code execution in de.tum.in.ase:artemis-java-test-sandbox
Summary
Because of the missing checkLink(String) override in the SecurityManager, students can load libraries and execute arbitrary code.
Details
Using System.load(String) or System.loadLibrary(String) students can load and execute arbitrary code.
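    import java.io.File;
    import java.util.List;

    // Native entry point implemented by the loaded library
    private static native void start(List<String> args);

    public static void main(String[] args) {
        System.load(new File("path_to_lib.so").getAbsolutePath());
        start(List.of(args));
    }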
Adding this to the security manager (and a translation) should fix the issue:
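    // checkLink is the hook System.load and System.loadLibrary call
    // before a native library is loaded.
    @Override
    public void checkLink(String lib) {
        try {
            if (enterPublicInterface())
                return;
            throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
        } finally {
            exitPublicInterface();
        }
    }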
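A regression check for the missing override, as an added example that is not Ares code: it loads a constructed, non-existent library under a manager without checkLink and under one with it, and compares how far the call gets. The class names and file name are hypothetical, and the permissive checkPermission is an assumed model of a sandbox that only denies what it explicitly overrides. It runs on Java 17, or on Java 18 to 23 with -Djava.security.manager=allow.

```java
import java.io.File;
import java.security.Permission;

// Added example, not Ares code. All names here are hypothetical.
public class CheckLinkRegression {

    // Assumption: a sandbox that lets every unhandled permission request through.
    static class PermissiveManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) { }
    }

    // Same manager plus the missing override: deny native loading outright.
    static class HardenedManager extends PermissiveManager {
        @Override
        public void checkLink(String lib) {
            throw new SecurityException("native library loading denied: " + lib);
        }
    }

    // Tries to load a constructed, non-existent library and reports how far
    // the call got. checkLink runs before the library is opened.
    static String probe(SecurityManager manager) {
        System.setSecurityManager(manager);
        try {
            System.load(new File("constructed-missing-lib.so").getAbsolutePath());
            return "loaded";
        } catch (SecurityException e) {
            return "blocked in checkLink";
        } catch (UnsatisfiedLinkError e) {
            return "reached the native loader";
        } finally {
            System.setSecurityManager(null);
        }
    }

    public static void main(String[] args) {
        String before = probe(new PermissiveManager());
        String after = probe(new HardenedManager());
        System.out.println("without override: " + before);
        System.out.println("with override:    " + after);
        if (!before.equals("reached the native loader") || !after.equals("blocked in checkLink")) {
            throw new AssertionError("unexpected sandbox behaviour");
        }
    }
}
```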
PoC
See details.
Impact
Arbitrary code execution.
Permalink: https://github.com/advisories/GHSA-98hq-4wmw-98w9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OGhxLTR3bXctOTh3Oc4AAxiI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-98hq-4wmw-98w9
References:
- https://github.com/ls1intum/Ares/security/advisories/GHSA-98hq-4wmw-98w9
- https://github.com/advisories/GHSA-98hq-4wmw-98w9
Affected Packages
maven:de.tum.in.ase:artemis-java-test-sandbox
Versions: < 1.11.2
Fixed in: 1.11.2