On Wed, Jul 3, 2019 at 6:51 AM Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>
> > While we are on this subject, giving Lua scripts access to the pointer
> > address to something in memory is a needless footstool to breaking out of a
> > sandbox and potentially taking over an application.
>
> 1) I disagree this is "needless". I find it useful.

Right, wrong adjective. It is a handy tool. :)

> 2) After your explanations, I still fail to see how this is a
> "footstool". If we assume poorly written libraries, anything
> can be dangerous.

It's dangerous for the same reasons that a static starting address for
the stack is. There are classic hacks that utilize the known address
location of an environment variable at the beginning of a stack to
implement return-to-libc attacks with shellcode in the environment
variable. Since then, mitigations like ASLR have made this more
difficult. But, ASLR can't help if the scripting language voluntarily
gives away this information (the address location of the heap or
strings) to scripts.

I'm not a security researcher so I recommend talking to others more
familiar with these exploits. Maybe it's no longer considered useful
information in today's world where applications are frequently built
with various buffer-overflow protections (I doubt it though!).

> 3) If you really think this is dangerous, it just got worse :-)
>
>   $ lua
>   Lua 5.4.0  Copyright (C) 1994-2019 Lua.org, PUC-Rio
>   > string.format("%p", {})
>   0x2108f70

Or more pointedly:

  lua -e 'function f(s) print(string.format("%p", s)) end f"" f{} f(("1"):rep(1e3))'
  0x5606b34f1fb0
  0x5606b34f4190
  0x5606b34f47b0

As I said, I'm not an expert in this area so maybe I'm just raising
alarm about something not considered a serious problem.

With that said, consider that print is frequently removed from
sandboxes but string.format almost never is. Is it really desirable to
build that into a function that is frequently left in sandboxes
without any thoughtful consideration?

-- 
Patrick Donnelly
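One defensive answer to the concern raised in this message, added here as an illustration and not code from the thread or from Lua itself: a sandbox environment (Lua 5.2+) that keeps string.format available but rejects the %p conversion. It also covers the method form ("%p"):format(x), which resolves through the string metatable rather than the environment's string table and so bypasses a plain copy of the library. The function names are mine.

```lua
-- Return true when a format string contains a %p conversion (skipping "%%").
local function has_pointer_conversion(fmt)
  local i = 1
  while true do
    local s = fmt:find("%", i, true)
    if not s then return false end
    if fmt:sub(s + 1, s + 1) == "%" then
      i = s + 2                                  -- "%%" is a literal percent sign
    else
      -- step over flags, width and precision to reach the conversion letter
      local _, e = fmt:find("^[-+ #0]*%d*%.?%d*", s + 1)
      if fmt:sub(e + 1, e + 1) == "p" then return true end
      i = e + 2
    end
  end
end

-- Build an environment for untrusted chunks with a filtered copy of `string`.
-- tostring and print are deliberately left out: tostring(table) also renders
-- the address, and print is the function sandboxes usually drop anyway.
local function make_sandbox()
  local safe_string = {}
  for k, v in pairs(string) do safe_string[k] = v end
  safe_string.format = function(fmt, ...)
    if type(fmt) == "string" and has_pointer_conversion(fmt) then
      error("string.format: %p is not available in the sandbox", 2)
    end
    return string.format(fmt, ...)
  end
  -- ("%p"):format(x) goes through the string metatable, not through the
  -- environment, so redirect it too; this changes the whole Lua state,
  -- so it must happen before any untrusted code runs.
  getmetatable("").__index = safe_string
  return {
    string = safe_string, math = math, table = table,
    pairs = pairs, ipairs = ipairs, type = type, select = select,
  }
end

-- Load a chunk as text only (no precompiled bytecode) with the sandbox env.
local function run_sandboxed(code, env)
  local chunk, err = load(code, "=sandbox", "t", env)
  if not chunk then return false, err end
  return pcall(chunk)
end

local env = make_sandbox()
print(run_sandboxed('return string.format("%5.1f%%", 99.5)', env))  -- ordinary formatting passes
print(run_sandboxed('return string.format("%p", {})', env))         -- rejected by the wrapper
print(run_sandboxed('return ("%p"):format("")', env))               -- method form rejected too
```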