CVE-2024-34313

Description

VPL Jail System up to v4.0.2 was discovered to contain a path traversal vulnerability allowing arbitrary file overwrites and thereby privilege escalation to the root user. This vulnerability can be chained with CVE-2024-34312 to take over a Moodle instance remotely without any prior authentication.

Additional Details

The jail server is a C++ server that runs untrusted code in a sandboxed environment as an unprivileged user. The server listens for incoming connections on a specified port and spawns a new process for each connection. The commandUpdate function in jail.cpp receives a map of file names and their contents from the client. ProcessMonitor::writeFile is called with the name of the file and its contents and simply concatenates the jail user's home directory with the file name to get the full path; the file is then written to the filesystem using Util::writeFile. Because the client-supplied name is never validated, a name containing ".." segments resolves outside the home directory, and the write is performed by the server process itself rather than by the jail user. An attacker can therefore write arbitrary files anywhere the server process has write access.

Exploitation

An attacker can use this to overwrite /etc/ld.so.preload with the path to a shared object that the dynamic loader will then load into every dynamically linked executable on the system. Code in that shared object (for example in a constructor function) runs with the privileges of whatever process loads it, including root-owned processes, and can for instance spawn a reverse shell. To make the exploit easier, the shared object is also loaded whenever a setuid binary is executed, and the request to the server can include a script that will…
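The following is an added example, not code from the VPL Jail System project, that shows the concatenation pattern the advisory describes next to a hardened replacement. The function names naiveJailPath and safeJailPath, the home directory /home/jail, and the file names passed in are all assumptions made for illustration; the real project's helpers are ProcessMonitor::writeFile and Util::writeFile, which are not reproduced here.

```cpp
// Added example (not VPL's code). naiveJailPath mirrors the vulnerable
// "home + name" pattern; safeJailPath is a hardened replacement.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Vulnerable pattern: the client-controlled name is glued onto the jail
// user's home directory with no validation, so "../../etc/ld.so.preload"
// yields a path outside the jail.
std::string naiveJailPath(const std::string& home, const std::string& name) {
    return home + "/" + name;
}

// Hardened replacement: treat the name as a relative path, normalise it
// lexically segment by segment, and refuse anything that would climb above
// the home directory. Returns "" when the name is rejected.
std::string safeJailPath(const std::string& home, const std::string& name) {
    // Absolute paths and embedded NUL bytes are never legitimate file names
    // inside the jail.
    if (name.empty() || name[0] == '/' || name.find('\0') != std::string::npos)
        return "";

    std::vector<std::string> parts;
    std::stringstream ss(name);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;   // "a//b" and "./a" are harmless
        if (seg == "..") {
            if (parts.empty()) return "";          // would escape the home directory
            parts.pop_back();                      // "src/../x" stays inside
            continue;
        }
        parts.push_back(seg);
    }
    if (parts.empty()) return "";                  // name resolved to home itself

    std::string out = home;
    for (const auto& p : parts) out += "/" + p;
    return out;
}

int main() {
    const std::string home = "/home/jail";   // hypothetical jail home
    std::cout << "naive : " << naiveJailPath(home, "../../etc/ld.so.preload") << "\n";
    std::string p = safeJailPath(home, "../../etc/ld.so.preload");
    std::cout << "safe  : " << (p.empty() ? "rejected" : p) << "\n";
    std::cout << "safe  : " << safeJailPath(home, "src/../main.c") << "\n";
    return 0;
}
```

The lexical check above is only half of the fix. Untrusted code runs inside that home directory and can create symbolic links there, so a name that normalises to /home/jail/link/x can still resolve outside the jail at open time. The write itself should therefore be done relative to a directory file descriptor (openat with O_NOFOLLOW, or resolving the parent with realpath and re-checking the prefix) and, ideally, as the unprivileged jail user rather than the server's own identity, so that even a bypass cannot reach /etc/ld.so.preload.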