Coordinated Disclosure Timeline

Summary

Two vulnerabilities were found in Autolab:

These issues are listed in detail below.

Product

Autolab

Tested Version

v2.9.0

Details

Issue 1: File disclosure due to path traversal (GHSL-2022-100)

Autolab provides the possibility to accept student submissions via a so-called remote handin feature. Handins submitted with this feature are copied from a path that is accessible to the running Autolab instance; in practice the remote handin path will probably be located in a directory on a shared drive. The endpoint for such submissions allows unauthenticated attackers to hand in assignments for registered users using paths outside of their submission directory. The value of the submit parameter is passed to the saveHandin module method without further sanitization or verification. The contents of the files at the submitted paths can then be viewed by users viewing “their” submissions.

Proof of Concept

Preconditions:

  1. Remote handin path needs to be set
  2. Handin directory inside remote handin path for a user must exist in the form: <email>_remote_handin_<assessment-name> (This seems to be a general precondition for making the remote handin feature work)
  3. At least one email address of a user that is registered to any course and assignment must be known

The attacker then simply needs to construct a URL of this form and request it via GET:

http://<autolab-host>/courses/<course-name>/assessments/<assessment-name>/local_submit?user=<registered-user-email>&submit=../../../../../<path-to-existing-file>

E.g.:

http://127.0.0.1/courses/Mycourse/assessments/mylab/local_submit?user=student@host.test&submit=../../../../../etc/passwd

Afterwards the attacker can view or download the contents of the desired file (e.g., /etc/passwd) in the “Handin History” of the assessment.
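The root cause above is that the submit value reaches the file copy without being confined to the user's handin directory. The following is an added example of a containment check for that step; it is not Autolab's own code, and the remote handin root, the per-user directory naming and the function names are assumptions modelled on the description in this advisory.

```ruby
require "pathname"

# Assumed location of the remote handin root (not Autolab's real configuration).
REMOTE_HANDIN_ROOT = "/srv/remote_handin".freeze

class PathTraversalError < StandardError; end

# Hypothetical hardened resolver for a remote handin path.
# Returns the absolute path to copy from, or raises if the requested
# path would leave the user's own handin directory.
def resolve_handin_path(email, assessment, submit)
  submit = submit.to_s
  raise PathTraversalError, "empty submit path" if submit.empty?
  raise PathTraversalError, "NUL byte in submit path" if submit.include?("\0")

  # Build the per-user directory (<email>_remote_handin_<assessment>) and make
  # sure the user/assessment values themselves did not move it out of the root.
  user_dir = Pathname.new(REMOTE_HANDIN_ROOT)
                     .join("#{email}_remote_handin_#{assessment}")
                     .cleanpath
  unless user_dir.parent.to_s == REMOTE_HANDIN_ROOT
    raise PathTraversalError, "handin directory escapes remote handin root"
  end

  # Pathname#join discards the base when given an absolute path, so reject
  # absolute submit values before joining.
  if Pathname.new(submit).absolute?
    raise PathTraversalError, "absolute submit path rejected: #{submit}"
  end

  # cleanpath collapses ".." lexically; a traversal payload therefore resolves
  # to a path outside user_dir and fails the prefix check below.
  candidate = user_dir.join(submit).cleanpath
  prefix = user_dir.to_s + "/"
  unless candidate.to_s.start_with?(prefix)
    raise PathTraversalError, "submit escapes handin directory: #{submit}"
  end

  candidate.to_s
end

if $PROGRAM_NAME == __FILE__
  puts resolve_handin_path("student@host.test", "mylab", "handin.tar")
  begin
    resolve_handin_path("student@host.test", "mylab", "../../../../../etc/passwd")
  rescue PathTraversalError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is purely lexical, which is what defeats the `../../../../../etc/passwd` style payload from the proof of concept. It does not protect against symlinks placed inside the handin directory; where the filesystem is writable by others, compare `File.realpath` of the candidate against the realpath of the user directory as well before copying.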

Impact

This issue may lead to Information Disclosure.

Resources

Issue 2: Authenticated Remote Code Execution (GHSL-2022-124)

Autolab provides the functionality to check submissions for plagiarism using MOSS (Measure Of Software Similarity). The Moss Cheat Checker can be run by instructors with sufficient permissions. The parameters max_lines and language_selection both flow unsanitized through several different join operations (1, 2, 3) before reaching a command execution sink. Using this vulnerability an attacker might gain control over the server running Autolab.

This vulnerability was discovered with the help of CodeQL’s Uncontrolled command line query.

Proof of Concept

Preconditions:

  1. Attacker needs to be logged in as instructor
  2. There needs to be an existing course where the instructor has access permissions

This vulnerability can simply be exploited by using a browser and navigating to:

http://<autolab-host>/courses/<course-name>/moss

After selecting an assignment, the checkbox “Max Lines” needs to be enabled and, instead of a valid number of lines, a shell command such as | touch /tmp/pwned.txt | can be provided, which will then create the file /tmp/pwned.txt after clicking “GO!”.

To manipulate the language_selection parameter in the same way, browser inspection tools or a tool like curl can be used to craft the desired requests.
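Both parameters reach the command through string joins that a shell then parses, which is why a value like | touch /tmp/pwned.txt | becomes a command. The following is an added example of the defensive shape for that call: validate max_lines as an integer, restrict language_selection to an allowlist, and pass an argument vector instead of a joined string so no shell is involved. It is not Autolab's own code; the allowlist contents, the function names and the moss command line flags are assumptions for illustration.

```ruby
require "open3"

# Assumed allowlist of languages the checker accepts (illustrative only).
MOSS_LANGUAGES = %w[c cc java python ruby].freeze

class InvalidMossParameter < StandardError; end

# Hypothetical hardened parameter handling: returns an argv array for the
# checker, or raises if either instructor-supplied value is not acceptable.
def build_moss_argv(max_lines, language_selection)
  # Integer() with an explicit base refuses anything that is not a plain
  # decimal number, so "| touch /tmp/pwned.txt |" cannot get past this line.
  lines = Integer(max_lines.to_s, 10, exception: false)
  unless lines && lines.positive?
    raise InvalidMossParameter, "max_lines must be a positive integer"
  end

  language = language_selection.to_s
  unless MOSS_LANGUAGES.include?(language)
    raise InvalidMossParameter, "unsupported language: #{language.inspect}"
  end

  # Flag names are assumed for the example. Each element is one argv entry;
  # nothing here is re-parsed by a shell, unlike "moss -l #{lang} -m #{lines}".
  ["moss", "-l", language, "-m", lines.to_s]
end

# Runs the checker with the array form of capture3, which executes the
# program directly rather than through /bin/sh. Returns [stdout, exit status].
def run_moss(max_lines, language_selection)
  argv = build_moss_argv(max_lines, language_selection)
  stdout, _stderr, status = Open3.capture3(*argv)
  [stdout, status.exitstatus]
end

if $PROGRAM_NAME == __FILE__
  p build_moss_argv("10", "java")
  begin
    build_moss_argv("| touch /tmp/pwned.txt |", "java")
  rescue InvalidMossParameter => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist is the important half for language_selection: escaping the value for a shell would stop the injection but still lets an instructor pass arbitrary options to the checker, whereas a fixed set of known languages removes that surface entirely.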

Impact

This issue may lead to Remote Code Execution (RCE).

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-100 in any communication regarding this issue.