The Security Risk of On-line Compiler Service

Posted: June 22, 2013 in Information Security

I started working on my thesis, A compiler-based infrastructure for software-protection. While researching the state of the art, one of the things I looked for was on-line compiler services, since I guessed there were lots of them: Google shows 14,000,000 results for the keyword “Online Compiler”.


Let's say 2% are really what we are looking for; this makes 280,000 web sites offering this service, ignoring on-line IDE services even though they probably work in the same architectural way. The thing that really caught my attention was how these sites secure themselves against command injection attack vectors.

Let's say this is the general architecture:

(Diagram: general on-line compiler architecture)

Let's say it should work like this:

1- The user uploads the code or writes it in the interface

2- The service logic receives the compilation request

2.1 sanitize the parameters and the file name

2.2 request the compilation from the model

3- The model creates a new (remote or local) process or thread that triggers the compiler with the code and the requested parameters

3.1 The model reads the warnings and errors

IF there are no errors

3.1.1 move the compiled object to the boxed environment

3.1.2 execute the compiled object in the boxed environment

3.1.3 read the execution output stream

3.1.4 move the compiled code to a public place, allowing a download option

3.1.5 remove the compiled code and clean the session space in the boxed environment

4- the errors, warnings and result are propagated back to the user interface

4.1 the result is sanitized
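The model side of these steps as a minimal Python sketch, added here as an example and not code from the original post or from any of the sites reviewed below: the file-name check of 2.1, the confined execution of 3.1.2 (scrubbed environment, resource limits, wall-clock timeout, truncated output), the clean-up of 3.1.5 and the output escaping of 4.1. It assumes a POSIX host with gcc on the path; the compiler command, the 'prog' output name and the resource caps are assumptions, and the real isolation of the execution step (a container, seccomp or a separate unprivileged account) would wrap run_confined and is not shown.

```python
import html, os, re, shutil, subprocess, tempfile
import resource  # POSIX only (assumption: the service runs on a Unix-like host)

# Step 2.1: a bare file name with a known extension; no path separators or shell metacharacters.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
ALLOWED_EXT = {".c", ".cpp"}  # assumption: this service compiles C and C++ only

def safe_filename(name):
    base = os.path.basename(name)
    if base != name or not _NAME_RE.match(base) or os.path.splitext(base)[1] not in ALLOWED_EXT:
        raise ValueError("rejected file name: %r" % name)
    return base

def _limits():
    # Step 3.1.2: cap CPU seconds, address space and output file size of the child (assumed caps).
    for res, cap in ((resource.RLIMIT_CPU, 2), (resource.RLIMIT_AS, 1024 * 2**20), (resource.RLIMIT_FSIZE, 2**20)):
        resource.setrlimit(res, (cap, cap))

def run_confined(argv, workdir=None, timeout=5.0, max_out=64 * 1024):
    """Run argv as a list (never through a shell) with a scrubbed environment, no stdin, a wall-clock
    timeout and output truncated to max_out bytes. Returns (returncode or None on timeout, stdout, stderr)."""
    try:
        p = subprocess.run(argv, cwd=workdir, env={"PATH": "/usr/bin:/bin"}, stdin=subprocess.DEVNULL,
                           capture_output=True, timeout=timeout, preexec_fn=_limits)
    except subprocess.TimeoutExpired:
        return None, "", "time limit exceeded"
    return (p.returncode, p.stdout[:max_out].decode("utf-8", "replace"),
            p.stderr[:max_out].decode("utf-8", "replace"))

def render_output(text):
    # Step 4.1: compiler and program output is untrusted data; escape it before it reaches the page.
    return html.escape(text, quote=True)

def handle_submission(source, name, compiler=("gcc", "-O2", "-o", "prog")):
    """Steps 2.1 -> 3 -> 3.1.2 -> 3.1.5 -> 4.1 for one request; 'compiler' and 'prog' are assumed."""
    fname = safe_filename(name)
    work = tempfile.mkdtemp(prefix="sub-")  # per-session scratch space inside the box
    try:
        with open(os.path.join(work, fname), "w") as f:
            f.write(source)
        rc, out, err = run_confined(list(compiler) + [fname], work, timeout=20)
        if rc == 0:  # only a clean build gets executed (the "IF there are no errors" branch)
            rc, out, err = run_confined(["./prog"], work)
        return {"rc": rc, "stdout": render_output(out), "stderr": render_output(err)}
    finally:
        shutil.rmtree(work, ignore_errors=True)  # step 3.1.5: remove the build and session space
```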

I think that using these pseudo-steps we can mitigate a lot of risk and offer a good-quality service, but it turns out that more than 90% of the analyzed web sites (I analyzed 20) lack or badly implement steps 2.1, 3.1.1, 3.1.2, 3.1.5 and 4.1, or don't follow any security consideration at all.

As an example, these are the first results of a Google search using the keywords “online compiler”:

 1- http://compileonline.com/

Languages: supports a lot of languages, from C to CSS

Page Rank: 2

Owner: Mohammad Mohtashim


Attacks: from command injection to XSS

Sample attack vector

The web site offers a shell interpreter in an uncontrolled environment, so it wasn't difficult to do the following:

– Browsing the OS path


– Gathering information about the system


– Executing an XSS attack


– Gathering /etc/passwd

2- http://ideone.com/

Languages: supports a lot of languages, from C to CSS

Page Rank: 5

Owner: Idonea


Attacks: command injection

Sample attack vector

The web site offers a shell interpreter in a CONTROLLED environment, but command injection can still be done:

– Browsing the OS path

– From shell code, the permission policy disallows this kind of injection


BUT if we compile a file, we can see that the policy applied to the execution account is different


– Gathering information about the system


– Gathering /etc/passwd


In all of the examples we were able to inject a reverse shell and gain more flexible control over the systems; we could even exploit some kernel vulnerabilities to get root. I highly recommend that the owners review the architecture and security policy of their implementations.

Conclusion

1- Building such a service should be well architected

2- Serious security consideration has to be made and tested before deployment

3- A sanitization process should be injected into the incoming and outgoing flow

4- Sandboxing is a must in this kind of project
