Re: lua bytecode and sandbox evasion ?

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: lua bytecode and sandbox evasion ?
From: "Soni L." <fakedme@...>
Date: Tue, 13 Sep 2016 21:18:48 -0300



On 13/09/16 09:04 PM, Peter Cawley wrote:

Yes, it is known, and credible. Defence is to not load untrustedbytecode, or to build your sandboxes at the OS level rather than theLua level.
https://gist.github.com/corsix/49d770c7085e4b75f32939c6c076aad6 isanother link you might be interested in.
On Wednesday, 14 September 2016, tst2005 <tst2005@gmail.com<mailto:tst2005@gmail.com>> wrote:
    Hello,

    I would like to know if the bug/vulnerability is already known ?
    Is there a CVE number ?
    I'm still trying to reproduce, but it seems credible.

    http://apocrypha.numin.it/talks/lua_bytecode_exploitation.pdf
    <http://apocrypha.numin.it/talks/lua_bytecode_exploitation.pdf>
    https://gist.github.com/corsix/6575486
    <https://gist.github.com/corsix/6575486>
    https://github.com/erezto/lua-sandbox-escape
    <https://github.com/erezto/lua-sandbox-escape>
    https://www.reddit.com/r/netsec/comments/52cm3h
    <https://www.reddit.com/r/netsec/comments/52cm3h>

    Regards,

Sign/encrypt your bytecode.

https://github.com/MightyPirates/OpenComputers/issues/2048

--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.

Follow-Ups:
- Re: lua bytecode and sandbox evasion ?, Oliver Kroth

References:
- lua bytecode and sandbox evasion ?, tst2005
- Re: lua bytecode and sandbox evasion ?, Peter Cawley

Prev by Date: Re: lua bytecode and sandbox evasion ?
Next by Date: Re: lpeg.Cb bug (?) with repeated evaluation of group capture pattern
Previous by thread: Re: lua bytecode and sandbox evasion ?
Next by thread: Re: lua bytecode and sandbox evasion ?
Index(es):
- Date
- Thread