

Show HN: Embed runnable code snippets on your website - amasad
http://amasad.me/2015/04/09/hello-world/

======
tux
Finally, this is what GitHub should have in the first place. Thank you!

------
sarciszewski
[http://repl.it/jM0](http://repl.it/jM0)

You may want to disable shell execution.

~~~
amasad
One of the things that bothers me about other sites is that they're too
restrictive. I want people using this to get a proper environment for testing
and teaching others, and that means you can run shell commands or write to
disk. I'll rethink that if it ever becomes a problem.

~~~
sarciszewski
Okay. I hope it doesn't. :)

~~~
hamburglar
Here's a fun one for a ruby repl:

    # spawn a poor man's shell from repl
    require 'open3'

    Open3.popen3("/bin/sh -i") do |stdin, stdout, stderr, wthr|
        loop do
            # wait up to 10s for input from the repl or output from the shell
            ready = select([$stdin, stdout, stderr], nil, nil, 10)
            if ready
                ready[0].each do |f|
                    buf = ""
                    begin
                        # drain whatever is available without blocking
                        while d = f.read_nonblock(1024)
                            buf += d
                        end
                    rescue Errno::EAGAIN
                    end

                    case f
                        when $stdin
                            stdin.write(buf)
                        when stdout, stderr
                            $stdout.write(buf)
                    end
                end
            end
        end
    end

This lets you explore the environment a bit more. I haven't figured out
anything to do with it yet. :)

~~~
hamburglar
BTW, using this trick, I managed to get root in your VM. I assume you have it
logged and can see how (was hitting
[http://repl.it/jND/13](http://repl.it/jND/13) if that helps you locate it);
it wasn't anything particularly clever. I didn't do much beyond that. Having
no network access limits the possibilities. :)

~~~
amasad
Even if you get root, what can you really do?

~~~
hamburglar
I'm not exactly sure what a root process in a docker container can do
(probably depends a lot on the container configuration, plus is probably
evolving as we speak, and is subject to bugs), but in my opinion, even if you
have redundant security layers, you should be at least a little concerned when
somebody is able to jump up a layer (from your 'runner' non-privileged user to
root in this case).

edit: I did find a kernel arbitrary code execution exploit PoC for the kernel
version you're running but I decided against trying it out because I didn't
want to crash your docker host.

~~~
amasad
I am. Thanks for letting me know. Can you provide some more details about how
you escalated privileges and the PoC?

~~~
hamburglar
Your root user has no password, so executing 'su' just gives you a root shell.
That's pretty much it. :)

You can do it by hitting my link above, running the saved code, which defines
a 'sh' function, then running the 'sh' function from the repl. That will give
you a shell, which you can then 'su' in. It doesn't give you a prompt back
because that first shell is non-interactive, but if you run 'sh -i' from there
you'll get your # prompt.

I told you it wasn't all that clever. :)

edit: great site, by the way. I love the concept and my hat is off to you for
letting people run wild. The front-end execution is nice, too.

BTW, I ran into a limit on the size of a script I could save, and I recommend
keeping that, as it prevented me from easily uploading a gcc executable by
statically declaring GCC="\x7FELF\x02\x01\x01\x00\x00\x00\x00..." and then
writing it to a file. It can still be done, but it's a pain in the ass.
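
The root cause reported in this thread (a root account with an empty password, so `su` needs no credentials) can be caught when the container image is built. The check below is an added example, not part of the original thread and not repl.it's code; the function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a shadow(5)-format file for accounts with an empty password field.
# Field 2 is the password hash:
#   ""         -> no password is required to authenticate as that account
#   "!" / "*"  -> locked, no valid hash
#   "$id$..."  -> a real hash

# Print the name of every account whose password field is empty.
# $1: path to a shadow-format file
empty_password_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Return 0 if the file is clean, 1 if any account has an empty password.
audit_shadow() {
    found=$(empty_password_accounts "$1")
    if [ -n "$found" ]; then
        echo "$found" | sed 's/^/empty password field: /' >&2
        return 1
    fi
    return 0
}

# Constructed sample: root has an empty field, as described in the thread;
# 'runner' stands in for the unprivileged account the code runs as.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root::16534:0:99999:7:::
daemon:*:16534:0:99999:7:::
runner:$6$constructedsalt$constructedhash:16534:0:99999:7:::
EOF

if audit_shadow "$sample"; then
    echo "shadow file OK"
else
    echo "image fails the check: lock the account, e.g. passwd -l root"
fi
rm -f "$sample"
```

Run as a build step against the image's real `/etc/shadow`, a non-zero return from `audit_shadow` is the signal to fail the build.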

