- Subject: Re: Malicious Lua 5.1 bytecode in the real world
- From: Tim Hill <drtimhill@...>
- Date: Sun, 15 Sep 2013 21:36:59 -0700
On Sep 15, 2013, at 6:21 PM, Peter Cawley <email@example.com> wrote:
> I'm not aware of a documented instance of using malicious Lua bytecode
> to escape from a real world Lua 5.1 sandbox, so I felt it worthwhile
> to document a recent case of escapism.
> The sandbox in question is in a 32-bit Windows program called
> RelicCOH2.exe. It uses Lua 5.1.3 for many things, and in one instance
> as a data description language for font metadata files. For these font
> files, the program calls lua_newstate followed by luaopen_base
> followed by luaL_dofile, which results in an interesting sandbox: the
> base and coroutine libraries are present, but useful things like the
> string, table, and package libraries aren't present. I wanted to
> escape from this sandbox and call package.loadlib from one of these
> font metadata files in order to load one of my DLLs into the program,
> and with some malicious bytecode I was able to do so.
Presumably the root problem here is the call to luaL_dofile(), which implicitly allows bytecode as well as text loading.
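To make the point above concrete, here is an added example (written for this page, not code from the thread, from Lua, or from RelicCOH2) of the host-side check that closes this hole in a Lua 5.1 embedding. In 5.1 there is no "text only" mode for the loader: lua_load() dispatches on the first byte of the chunk and undumps it as bytecode whenever that byte is 0x1B (LUA_SIGNATURE[0]), and luaL_loadfile(), which luaL_dofile() wraps, additionally skips a leading "#" line before looking for that byte, so a file that starts with "#!..." followed by the signature is still undumped. The safe pattern is therefore to read the file yourself, refuse any buffer whose first byte is 0x1B, and hand the rest to luaL_loadbuffer(), which does no "#" skipping. The names do_text_file, chunk_is_bytecode, loadfile_would_undump and the HAVE_LUA macro are this example's own; the Lua-dependent part compiles only with -DHAVE_LUA and the Lua 5.1 headers and library, the detection logic runs stand-alone.

```c
/* text_only_loader.c: added example for Lua 5.1 hosts, not from the lua-l
 * thread or RelicCOH2.  Build the self-check with: cc text_only_loader.c
 * Build the full loader with:  cc -DHAVE_LUA text_only_loader.c -llua5.1 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Lua 5.1 precompiled chunks start with LUA_SIGNATURE "\033Lua" followed by
 * the version byte (0x51).  lua_load() only looks at byte 0 to choose between
 * the parser and the undumper, so that byte is all the check needs. */
#define LUA_BYTECODE_ESC 0x1B

/* 1 if lua_load() would undump this buffer as bytecode (luaL_loadbuffer path). */
int chunk_is_bytecode(const unsigned char *buf, size_t len)
{
    return len > 0 && buf[0] == LUA_BYTECODE_ESC;
}

/* Model of luaL_loadfile()'s dispatch in 5.1: a leading '#' line is skipped
 * first, then the next byte is tested for the signature.  This is why a
 * wrapper that checks byte 0 and then still calls luaL_dofile() is bypassable. */
int loadfile_would_undump(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (len == 0) return 0;
    if (buf[0] == '#') {
        while (i < len && buf[i] != '\n') i++;
        if (i < len) i++;                 /* consume the newline */
    }
    return i < len && buf[i] == LUA_BYTECODE_ESC;
}

/* Read a whole file in binary mode so no byte translation hides the signature. */
unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long n;
    if (f == NULL) return NULL;
    if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) < 0) { fclose(f); return NULL; }
    rewind(f);
    buf = malloc((size_t)n + 1);
    if (buf == NULL || fread(buf, 1, (size_t)n, f) != (size_t)n) {
        free(buf); fclose(f); return NULL;
    }
    fclose(f);
    *len = (size_t)n;
    return buf;
}

#ifdef HAVE_LUA
#include <lua.h>
#include <lauxlib.h>

/* Replacement for luaL_dofile() that refuses precompiled chunks.  Returns the
 * usual Lua status code (0 on success) with an error message on the stack. */
int do_text_file(lua_State *L, const char *path)
{
    size_t len;
    int status;
    unsigned char *buf = read_file(path, &len);
    if (buf == NULL) {
        lua_pushfstring(L, "cannot read %s", path);
        return LUA_ERRFILE;
    }
    if (chunk_is_bytecode(buf, len)) {
        free(buf);
        lua_pushfstring(L, "%s: precompiled chunks are not allowed", path);
        return LUA_ERRSYNTAX;
    }
    /* luaL_loadbuffer() passes the bytes straight to lua_load(): no '#' line is
     * skipped, so "#...\n<ESC>Lua" is parsed as text and fails with a syntax error. */
    status = luaL_loadbuffer(L, (const char *)buf, len, path);
    free(buf);
    if (status == 0)
        status = lua_pcall(L, 0, LUA_MULTRET, 0);
    return status;
}
#endif

int main(void)
{
    /* Constructed samples: a text chunk, a raw 5.1 bytecode header, and the
     * same header hidden behind a '#' line. */
    const unsigned char text[] = "return { ascent = 12 }";
    const unsigned char bc[] = "\x1bLua\x51";
    const unsigned char shebang_bc[] = "#!/usr/bin/lua\n\x1bLua\x51";
    printf("text:        byte0=%d loadfile=%d\n",
           chunk_is_bytecode(text, sizeof text - 1), loadfile_would_undump(text, sizeof text - 1));
    printf("bytecode:    byte0=%d loadfile=%d\n",
           chunk_is_bytecode(bc, sizeof bc - 1), loadfile_would_undump(bc, sizeof bc - 1));
    printf("#!+bytecode: byte0=%d loadfile=%d\n",
           chunk_is_bytecode(shebang_bc, sizeof shebang_bc - 1),
           loadfile_would_undump(shebang_bc, sizeof shebang_bc - 1));
    return 0;
}
```

The third sample is the one to remember: checking only the first byte of the file and then calling luaL_dofile() anyway would still let a "#!"-prefixed bytecode chunk through, because luaL_loadfile() skips that line before it looks for the signature. Reading the file and using luaL_loadbuffer() avoids that path entirely. Lua 5.2 and later add a mode argument ("t") to the load functions for exactly this purpose; 5.1 hosts have to do it by hand.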