Re: Malicious Lua 5.1 bytecode in the real world

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Malicious Lua 5.1 bytecode in the real world
From: Tim Hill <drtimhill@...>
Date: Sun, 15 Sep 2013 21:36:59 -0700

On Sep 15, 2013, at 6:21 PM, Peter Cawley <lua@corsix.org> wrote:

> I'm not aware of a documented instance of using malicious Lua bytecode
> to escape from a real world Lua 5.1 sandbox, so I felt it worthwhile
> to document a recent case of escapism.
> 
> The sandbox in question is in a 32-bit Windows program called
> RelicCOH2.exe. It uses Lua 5.1.3 for many things, and in one instance
> as a data description language for font metadata files. For these font
> files, the program calls lua_newstate followed by luaopen_base
> followed by luaL_dofile, which results in an interesting sandbox: the
> base and coroutine libraries are present, but useful things like the
> string, table, and package libraries aren't present. I wanted to
> escape from this sandbox and call package.loadlib from one of these
> font metadata files in order to load one of my DLLs into the program,
> and with some malicious bytecode I was able to do so.

Presumably the root problem here is the call to luaL_dofile(), which implicitly allows bytecode as well as text loading.

--Tim

Follow-Ups:
- Re: Malicious Lua 5.1 bytecode in the real world, Peter Cawley

References:
- Malicious Lua 5.1 bytecode in the real world, Peter Cawley

Prev by Date: Re: Is everything an expression?
Next by Date: [ANN] lua-libmemcached, simple Lua binding for libmemcached
Previous by thread: Malicious Lua 5.1 bytecode in the real world
Next by thread: Re: Malicious Lua 5.1 bytecode in the real world
Index(es):
- Date
- Thread