Re: lua bytecode and sandbox evasion ?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: lua bytecode and sandbox evasion ?
From: Peter Cawley <lua@...>
Date: Wed, 14 Sep 2016 01:04:51 +0100

Yes, it is known, and credible. Defence is to not load untrusted bytecode, or to build your sandboxes at the OS level rather than the Lua level.

https://gist.github.com/corsix/49d770c7085e4b75f32939c6c076aad6 is another link you might be interested in.

On Wednesday, 14 September 2016, tst2005 <tst2005@gmail.com> wrote:

Hello,

I would like to know if the bug/vulnerability is already known ?
Is there a CVE number ?
I'm still trying to reproduce, but it seems credible.

http://apocrypha.numin.it/talks/lua_bytecode_exploitation.pdf
https://gist.github.com/corsix/6575486
https://github.com/erezto/lua-sandbox-escape
https://www.reddit.com/r/netsec/comments/52cm3h

Regards,

Follow-Ups:
- Re: lua bytecode and sandbox evasion ?, Soni L.
- Re: lua bytecode and sandbox evasion ?, Roberto Ierusalimschy

References:
- lua bytecode and sandbox evasion ?, tst2005

Prev by Date: lua bytecode and sandbox evasion ?
Next by Date: Re: lua bytecode and sandbox evasion ?
Previous by thread: lua bytecode and sandbox evasion ?
Next by thread: Re: lua bytecode and sandbox evasion ?
Index(es):
- Date
- Thread