IIT Bombay Bodhitree Code Injection Vulnerability in cs101 Version Allowing Remote Code Execution
Vulnerability
A code injection vulnerability has been identified in the IIT Bombay Bodhitree platform, specifically in the cs101 version. This issue allows remote attackers to execute arbitrary code by injecting malicious scripts into the online code compiler. The vulnerability stems from inadequate input validation and a lack of restrictions on user processes, which can lead to directory traversal, privilege escalation, and exposure of sensitive data.
Impact
Exploitation of this vulnerability allows for remote code execution, with potential consequences including system takeover, privilege escalation, and exposure of sensitive data.
Reproduction
To reproduce this vulnerability, log into a cs101 account on the IIT Bombay Bodhitree platform. Navigate to the course page and select 'Assignments'. Access the programming labs and choose a lab based on the preferred programming language. Once in the live editor, inject code that exploits directory traversal or remote code execution vulnerabilities. Execute the code and observe the output in the designated output box.
Remediation
It is recommended to implement safe execution environments, such as chroot or Docker containers, to sandbox code execution. Additionally, enforce strong input sanitization to ensure user-provided inputs are safe, and apply the principle of least privilege to restrict access to critical system resources.
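One way to apply the sandboxing and least-privilege advice above with Docker, as an added example that is not Bodhitree's own code. The image name, resource limits, the `/work` mount point and the `DOCKER` and `WALL_LIMIT` variables are assumptions.

```shell
#!/bin/sh
# Added example: hardened container launch for one code submission.
# Image name, limits, paths and variable names are assumptions, not Bodhitree's setup.

DOCKER=${DOCKER:-docker}        # set DOCKER=echo for a dry run that only prints the command
WALL_LIMIT=${WALL_LIMIT:-10}    # wall-clock seconds allowed per run

# Emit the isolation flags, one per line; none contains whitespace.
sandbox_flags() {
  set -- --rm
  set -- "$@" --network=none                     # no route out for data or callbacks
  set -- "$@" --read-only                        # container root filesystem is immutable
  set -- "$@" --tmpfs=/tmp:rw,nosuid,size=16m    # only scratch space, small and in memory
  set -- "$@" --user=65534:65534                 # run as nobody, never as root
  set -- "$@" --cap-drop=ALL                     # no Linux capabilities at all
  set -- "$@" --security-opt=no-new-privileges   # setuid binaries cannot raise privileges
  set -- "$@" --pids-limit=64                    # bound the number of processes
  set -- "$@" --memory=256m --memory-swap=256m   # hard memory cap, no extra swap
  set -- "$@" --cpus=0.5                         # bound CPU share
  printf '%s\n' "$@"
}

# run_submission SRC_DIR IMAGE CMD...
# SRC_DIR must hold only this submission's files; it is mounted read-only at /work,
# so path traversal inside the container cannot reach host files.
run_submission() {
  src_dir=$1; image=$2; shift 2
  name="submission-$$"
  status=0
  # Word splitting of the flag list is intended: the flags are fixed strings.
  timeout -k 2 "$WALL_LIMIT" "$DOCKER" run --name "$name" $(sandbox_flags) \
    --volume "$src_dir:/work:ro" --workdir /work "$image" "$@" || status=$?
  # Remove the container if the timeout fired before --rm could clean it up.
  "$DOCKER" rm -f "$name" >/dev/null 2>&1 || true
  return "$status"
}
```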
