

On Sep 15, 2013, at 6:21 PM, Peter Cawley <lua@corsix.org> wrote:

> I'm not aware of a documented instance of using malicious Lua bytecode
> to escape from a real world Lua 5.1 sandbox, so I felt it worthwhile
> to document a recent case of escapism.
> 
> The sandbox in question is in a 32-bit Windows program called
> RelicCOH2.exe. It uses Lua 5.1.3 for many things, and in one instance
> as a data description language for font metadata files. For these font
> files, the program calls lua_newstate followed by luaopen_base
> followed by luaL_dofile, which results in an interesting sandbox: the
> base and coroutine libraries are present, but useful things like the
> string, table, and package libraries aren't present. I wanted to
> escape from this sandbox and call package.loadlib from one of these
> font metadata files in order to load one of my DLLs into the program,
> and with some malicious bytecode I was able to do so.

Presumably the root problem here is the call to luaL_dofile(), which implicitly allows bytecode as well as text loading.

--Tim
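To make Tim's point concrete: Lua 5.1's luaL_dofile/luaL_loadfile hand whatever they read to the undumper whenever the file starts with the bytecode signature, so a host that only means to accept source text has to refuse that signature itself before calling lua_load. The classifier below is an added example for this thread, not code from either poster or from Lua; the 12-byte header layout is Lua 5.1's (lundump.c) and the sample header bytes are constructed to match what a 32-bit Windows Lua 5.1 build emits.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A Lua 5.1 precompiled chunk begins with a 12-byte header:
   "\x1bLua", version 0x51, format 0, endianness flag (1 = little),
   sizeof(int), sizeof(size_t), sizeof(Instruction), sizeof(lua_Number),
   and a flag saying whether lua_Number is integral. */
#define LUA51_SIGNATURE   "\x1bLua"
#define LUA51_HEADER_SIZE 12

enum chunk_kind { CHUNK_TEXT = 0, CHUNK_BYTECODE = 1, CHUNK_BAD_BYTECODE = -1 };

struct lua51_header {
    unsigned char version, format, little_endian;
    unsigned char size_int, size_size_t, size_instruction, size_number;
    unsigned char number_is_integral;
};

/* Classify a chunk before it reaches lua_load. A text-only host refuses
   anything carrying the signature, well formed or not; the decoded header
   is only there so a refusal can be logged with what was seen. */
int lua51_chunk_kind(const unsigned char *buf, size_t len, struct lua51_header *out)
{
    if (len < 4 || memcmp(buf, LUA51_SIGNATURE, 4) != 0)
        return CHUNK_TEXT;              /* plain source: safe to hand to the parser */
    if (len < LUA51_HEADER_SIZE || buf[4] != 0x51 || buf[5] != 0)
        return CHUNK_BAD_BYTECODE;      /* signature present, but truncated/foreign */
    if (out) {
        out->version = buf[4];   out->format = buf[5];      out->little_endian = buf[6];
        out->size_int = buf[7];  out->size_size_t = buf[8]; out->size_instruction = buf[9];
        out->size_number = buf[10]; out->number_is_integral = buf[11];
    }
    return CHUNK_BYTECODE;
}

int main(void)
{
    /* Constructed sample: header of a chunk compiled by 32-bit Windows Lua 5.1 */
    static const unsigned char bc[]  = "\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00";
    static const unsigned char src[] = "return { face = 'Arial', size = 12 }";
    struct lua51_header h;
    int k = lua51_chunk_kind(bc, sizeof bc - 1, &h);
    printf("bytecode: kind=%d little_endian=%u sizeof(size_t)=%u\n",
           k, h.little_endian, h.size_size_t);
    printf("source:   kind=%d\n", lua51_chunk_kind(src, sizeof src - 1, NULL));
    return 0;
}
```

Lua 5.2 and later expose the same policy directly through the mode argument ("t") of luaL_loadfilex and load, so the manual check is only needed on 5.1 hosts.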