Go: x/website: RCE Playground

Created on 4 Jun 2020  ·  5Comments  ·  Source: golang/go

Hello,

After playing for a while with the go playground in the main site, I found out that I can easily remote execute code in the server. This should be fixed as soon as possible as anyone could potentially take over the server.

The code that I have used is:

package main

import (
"fmt"
"os/exec"
)

func main() {
Command := fmt.Sprintf("uname -a")
output, err := exec.Command("/bin/sh", "-c", Command).Output()
fmt.Print(string(output))
fmt.Print(err)
}

And the results is: RCE - Go

Regards,

picture Jaume-Vendrell

Most helpful comment

You can also look at "dmesg": https://play.golang.org/p/OtTiqS-PR-F

[   0.000000] Starting gVisor...
[   0.173062] Mounting deweydecimalfs...
[   0.665920] Moving files to filing cabinet...
[   0.814957] Gathering forks...
[   1.189399] Segmenting fault lines...
[   1.480267] Forking spaghetti code...
[   1.909269] Letting the watchdogs out...
[   2.170661] Feeding the init monster...
[   2.254049] Consulting tar man page...
[   2.563609] Reading process obituaries...
[   2.646535] Preparing for the zombie uprising...
[   3.033280] Ready!
picture bradfitz on 4 Jun 2020
😄10

All 5 comments

This is working as intended. With https://github.com/golang/go/issues/25224, each program is sandboxed inside of separate sandbox with an isolated environment. Running other programs in that sandbox is not problematic.

That said, if you find a way to extract secrets from outside the sandbox (such as other playground programs), or to persist execution beyond the playground timeout, please let us know! Please follow the security bug reporting process on https://golang.org/security.

Thanks!

prattmic picture prattmic on 4 Jun 2020
👍4

You can also look at "dmesg": https://play.golang.org/p/OtTiqS-PR-F

[   0.000000] Starting gVisor...
[   0.173062] Mounting deweydecimalfs...
[   0.665920] Moving files to filing cabinet...
[   0.814957] Gathering forks...
[   1.189399] Segmenting fault lines...
[   1.480267] Forking spaghetti code...
[   1.909269] Letting the watchdogs out...
[   2.170661] Feeding the init monster...
[   2.254049] Consulting tar man page...
[   2.563609] Reading process obituaries...
[   2.646535] Preparing for the zombie uprising...
[   3.033280] Ready!
bradfitz picture bradfitz on 4 Jun 2020
😄10

Wonderfully, that playgound link doesn't appear to use a cached result, so re-running tells a different (though similar) joke each time.

kortschak picture kortschak on 4 Jun 2020

@kortschak, it should be caching for some interval at least. You might want to file a bug about that.

bradfitz picture bradfitz on 5 Jun 2020

Maybe it should, but for the sake of art, I won't report this issue.

kortschak picture kortschak on 5 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Miserlou picture Miserlou  ·  3Comments
rsc picture rsc  ·  3Comments
jayhuang75 picture jayhuang75  ·  3Comments
myitcv picture myitcv  ·  3Comments
longzhizhi picture longzhizhi  ·  3Comments