CVE-2018-16367
📋 TL;DR
OnlineJudge 2.0 has an incorrect access control vulnerability in its sandbox that allows authenticated users to write files anywhere on the system and leak file data through #include directives. This affects all deployments of OnlineJudge 2.0 with the vulnerable sandbox configuration.
💻 Affected Systems
- OnlineJudge
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary file write leading to remote code execution, privilege escalation, and complete data exfiltration.
Likely Case
Unauthorized file access and modification, potential code execution within the sandbox environment, and leakage of sensitive configuration files.
If Mitigated
Limited impact if proper file permissions and sandbox isolation are enforced, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires authenticated user access but is straightforward once authenticated. The GitHub issue demonstrates the vulnerability clearly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1 or later
Vendor Advisory: https://github.com/QingdaoU/OnlineJudge/issues/165
Restart Required: Yes
Instructions:
1. Upgrade OnlineJudge to version 2.1 or later.
2. Review and update sandbox configuration.
3. Restart the OnlineJudge service.
🔧 Temporary Workarounds
Sandbox Isolation Enhancement
Linux: Implement stricter sandbox isolation using containerization or enhanced file permission controls
chmod 750 /tmp/onlinejudge_sandbox
setfacl -m u:onlinejudge:rwx /tmp/onlinejudge_sandbox
🧯 If You Can't Patch
- Implement strict file system permissions and monitor /tmp directory for suspicious writes
- Deploy network segmentation to isolate OnlineJudge from critical systems and implement WAF rules
🔍 How to Verify
Check if Vulnerable:
Check OnlineJudge version with 'cat /path/to/onlinejudge/version.txt' or examine the sandbox configuration files for proper access controls.
Check Version:
grep -i version /path/to/onlinejudge/config/*.py 2>/dev/null || echo 'Check installation documentation'
Verify Fix Applied:
Verify version is 2.1+ and test sandbox functionality to ensure file writes are properly restricted to designated directories.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write patterns in /tmp directory
- Sandbox process attempting to access restricted file paths
- Multiple failed include directives in sandbox logs
Network Indicators:
- Unusual outbound connections from OnlineJudge server
- Large data transfers from sandbox processes
SIEM Query:
source="onlinejudge.log" AND ("sandbox" OR "/tmp") AND ("write" OR "include" OR "access denied")
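The TL;DR describes file data leaking through #include directives, and the log indicators list failed include directives. As an added example (not OnlineJudge's own code), the following pre-compile check flags includes in a submission that use an absolute path, parent-directory traversal, or a macro-computed target; it assumes legitimate submissions include headers only by relative name, and the sample submission and its paths are constructed placeholders.

```python
import re

# Assumption (not from the advisory): legitimate submissions include headers
# only by relative name, e.g. <stdio.h>, never by absolute or ../ paths.
DIRECTIVE = re.compile(r"^\s*(?:#|%:)\s*(include|include_next|import)\b\s*(.*)$")
TARGET = re.compile(r'^(?:"([^"]*)"|<([^>]*)>)')
# Constructed sample submission; the paths are placeholders.
SAMPLE = r"""#include <stdio.h>
#include "/opt/example/secret.txt"
#  include "../../example.conf"
#define H "/opt/example/secret.txt"
#include H
#include \
  "/opt/example/secret.txt"
int main(void) { return 0; }
"""

def logical_lines(source):
    """Join backslash-newline continuations; yield (first_line_no, text)."""
    buf, start = "", None
    for no, line in enumerate(source.splitlines(), 1):
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf

def suspicious_includes(source):
    """Return [(line_no, target, reason)] for includes to reject or review."""
    findings = []
    for no, text in logical_lines(source):
        # Normalise the '??=' trigraph for '#' and drop comments between tokens.
        text = re.sub(r"/\*.*?\*/", " ", text.replace("??=", "#"))
        m = DIRECTIVE.match(text)
        if not m:
            continue
        rest = m.group(2).strip()
        t = TARGET.match(rest)
        if not t:  # target comes from a macro, so it cannot be judged here
            findings.append((no, rest, "computed include"))
            continue
        path = t.group(1) if t.group(1) is not None else t.group(2)
        if path.startswith("/"):
            findings.append((no, path, "absolute path"))
        elif ".." in path.split("/"):
            findings.append((no, path, "parent-directory traversal"))
    return findings
```

A source-level filter like this is a triage and logging aid; it does not replace the upgrade or the sandbox file-permission controls described above.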