12 votes

Root-level Remote Command Injection in the V playground

4 comments

  1. [3]
    unknown user

    As the server is running as the root user, successful exploitation can result in an unauthenticated user totally compromising the system,

    As sloppy as it gets. There is no reason to invest in this project unless the maintainer changes or a proper fork appears. Bummer; it was interesting when I saw it first a couple of months ago. But frankly it had sounded too good to be true even back then.

    14 votes
    1. ainar-g

      The V Programming Language is a gift that keeps on giving. My only concern is that its reputation could spread on legitimate non-stupid attempts at language design, making people more afraid to invest in them.

      4 votes
    2. kavi

      Exactly. From the lobste.rs post, and I agree, he is a good hype man but the product has... no material. It's empty, and all the promises aren't delivered on. Whatsoever.

      3 votes
  2. kavi

    Copy and pasted summary from the website:

    While playing with the V playground, a root-level command injection vulnerability was discovered. This allows an unauthenticated attacker to execute arbitrary root-level commands on the playground server.
    This vulnerability is instantly exploitable by a remote, unauthenticated attacker in the default configuration. To remotely exploit this vulnerability, an attacker must send specially created HTTP requests to the playground server containing a malformed function call.
    This playground server is not open-sourced or versioned yet, but this vulnerability has led to the compromising of the box as reported by the lead developer of V.

    It's a very big vulnerability, as commands are run as root. It allowed an attacker to completely compromise the system on 23 June 2019, and is probably the reason the playground is down.

    10 votes
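The bug class described in the quoted summary (a server that builds a shell command line from a user-supplied "function call" and runs it as root) is illustrated below with an added example. This is not the V playground's code, which was never published, and the payload shape is a constructed, hypothetical one, not the request from the advisory. The compiler invocation is stood in for by `echo` so the example runs without a V toolchain; `INJECTED_CALL`, `TOOL`, `run_vulnerable`, `run_hardened`, `run_quoted` and `may_start` are names chosen for the illustration.

```python
import os
import shlex
import subprocess

# Constructed request field: a playground "function call" that carries shell
# metacharacters. Hypothetical payload shape; the real advisory did not publish
# the request used against the V playground.
INJECTED_CALL = "1 + 1; echo INJECTED; #"

# Stand-in for the compiler invocation. The real server would run something
# like the V compiler here; `echo` is used so the example runs anywhere.
TOOL = "echo"


def run_vulnerable(call: str) -> list[str]:
    """Build one shell command line by string interpolation (the bug class).

    /bin/sh re-parses the whole string, so ';' terminates the intended
    command and whatever follows runs as a separate command with the
    server's privileges (root, in the case of the V playground).
    """
    cmd = f"{TOOL} call={call}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          timeout=5)
    return proc.stdout.splitlines()


def run_hardened(call: str) -> list[str]:
    """Pass the user input as a single argv element.

    No shell is involved, so ';', '#', quotes and redirections are just bytes
    inside one argument of the child process.
    """
    proc = subprocess.run([TOOL, f"call={call}"], capture_output=True,
                          text=True, timeout=5)
    return proc.stdout.splitlines()


def run_quoted(call: str) -> list[str]:
    """If a shell is unavoidable (pipelines, redirections), quote the input
    with shlex.quote so the shell sees it as one literal word."""
    cmd = f"{TOOL} call={shlex.quote(call)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          timeout=5)
    return proc.stdout.splitlines()


def may_start(euid: int) -> bool:
    """Second layer: a code-execution service must never run as root.

    Refuse to start when the effective uid is 0, so an injection that does
    get through is bounded by an unprivileged account instead of owning
    the box.
    """
    return euid != 0


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(INJECTED_CALL))
    print("hardened:  ", run_hardened(INJECTED_CALL))
    print("quoted:    ", run_quoted(INJECTED_CALL))
    print("may start as current user:", may_start(os.geteuid()))
```

Running it shows the vulnerable path producing a second output line, `INJECTED`, from a command the server never intended to run, while both the argv form and the quoted form print the attacker's text back as a single literal argument. The uid check is the cheap second layer: even with the injection present, the quoted summary's "arbitrary root-level commands" would have been arbitrary commands as a throwaway user.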