lua-l archive

On Fri, Jul 5, 2019 at 4:56 PM Sean Conner <sean@conman.org> wrote:
> It was thus said that the Great Patrick Donnelly once stated:
> 
> > But, ASLR can't help if the scripting language voluntarily
> > gives away this information (the address location of the heap or
> > strings) to scripts.
> 
>   Please, I implore you, *give a proof-of-concept* here, because otherwise
> it's a pointless change because of cargo cult understanding of attacks.

You need look no further than any of the various WebKit exploits that have been used for breaking game console security. The hacking community sometimes does interesting write-ups describing the steps necessary to get code running on a given platform.

If you want to run native code without permission, you have to trick the CPU into jumping to memory you control. The typical procedure these days is to use what's called "return-oriented programming" because the return stack is the only thing that can arbitrarily impact program flow that's also writable memory. It's easy enough to trigger a crash this way, but if you want a ROP to do anything useful, you need to know the address of useful code, and ASLR thwarts the obvious ways of doing this.

This means that one of the first things that an exploit is going to need to do is discover an address to a known data structure, and then it can start computing offsets from there. In Lua, one of the best options available would be the string metatable, because it contains pointers to native-code functions baked into the binary.

On any reasonably secure platform, this is difficult. Usually you have to exploit a buffer overflow or a use-after-free or some similar technique in order to trick the program into writing the address somewhere you can access. But if you can just say "hey, interpreter, could you please tell me the address of string.concat?" and it comes back with "you seem like a fine gentleprogram, here you go!" then you've just skipped the hardest part of kicking off an exploit chain.

/s/ Adam
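The mechanism Adam describes (one leaked pointer to a function baked into the binary, plus a link-time offset, yields the runtime address of any other code in that image) as an added example in C. This is not code from the post, from Sean, or from the Lua project; `native_concat`, `native_gadget`, `leaky_tostring` and `opaque_tostring` are hypothetical stand-ins for interpreter internals, and the "known offset" is computed in-process because the demo ships no separate binary to read it from. The second half shows the obvious hardening: `tostring()` hands out an opaque per-process handle instead of the raw pointer.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Two stand-ins for native functions compiled into an interpreter binary
 * (hypothetical names). Their distance from each other is fixed when the
 * binary is linked; ASLR only slides the whole image by one random base.
 */
static int native_concat(int a, int b) { return a + b; }
static int native_gadget(int a, int b) { return a * b; } /* plays the "useful code" */

static uintptr_t fn_addr(int (*f)(int, int)) { return (uintptr_t)f; }

/* The leaky behaviour: tostring() formats the raw pointer for the script. */
void leaky_tostring(char *out, size_t n, uintptr_t p)
{
    snprintf(out, n, "function: 0x%" PRIxPTR, p);
}

/* Attacker side: turn "function: 0x..." back into a number; 0 if no address is present. */
uintptr_t parse_leaked_address(const char *s)
{
    const char *p = strstr(s, "0x");
    if (!p) return 0;
    return (uintptr_t)strtoull(p, NULL, 16);
}

/* The offset an attacker would read from the unrandomized binary on disk.
 * Computed here from the live process only because this demo has no separate binary. */
intptr_t concat_to_gadget_offset(void)
{
    return (intptr_t)(fn_addr(native_gadget) - fn_addr(native_concat));
}

/* One leak plus the link-time offset gives the runtime address of the target. */
uintptr_t recover_gadget(uintptr_t leaked_concat)
{
    return (uintptr_t)((intptr_t)leaked_concat + concat_to_gadget_offset());
}

int demo_leak_defeats_aslr(void)
{
    char buf[64];
    leaky_tostring(buf, sizeof buf, fn_addr(native_concat)); /* what the script sees */
    uintptr_t leaked = parse_leaked_address(buf);
    if (leaked != fn_addr(native_concat)) return 0;
    return recover_gadget(leaked) == fn_addr(native_gadget);
}

/* Hardened tostring(): an opaque per-process handle instead of the pointer.
 * A registry maps each pointer to a small sequence number; the same object
 * always gets the same number, but the number says nothing about layout. */
#define MAX_HANDLES 256
static uintptr_t registry[MAX_HANDLES];
static size_t registry_len;

static size_t opaque_handle(uintptr_t p)
{
    for (size_t i = 0; i < registry_len; i++)
        if (registry[i] == p) return i + 1;
    if (registry_len == MAX_HANDLES) abort(); /* demo limit; a real runtime would grow or hash */
    registry[registry_len++] = p;
    return registry_len;
}

void opaque_tostring(char *out, size_t n, uintptr_t p)
{
    snprintf(out, n, "function: #%zu", opaque_handle(p));
}

int demo_opaque_handles_hide_layout(void)
{
    char a[64], b[64], a2[64];
    opaque_tostring(a, sizeof a, fn_addr(native_concat));
    opaque_tostring(b, sizeof b, fn_addr(native_gadget));
    opaque_tostring(a2, sizeof a2, fn_addr(native_concat));
    if (strcmp(a, a2) != 0) return 0;      /* stable within the process */
    if (strcmp(a, b) == 0) return 0;       /* distinct objects stay distinguishable */
    return parse_leaked_address(a) == 0;   /* and nothing address-like is exposed */
}

int main(void)
{
    char buf[64];
    leaky_tostring(buf, sizeof buf, fn_addr(native_concat));
    printf("leaky tostring shows:   %s\n", buf);
    printf("leak recovers gadget:   %s\n", demo_leak_defeats_aslr() ? "yes" : "no");
    opaque_tostring(buf, sizeof buf, fn_addr(native_concat));
    printf("hardened tostring shows: %s\n", buf);
    return 0;
}
```

Run it twice with ASLR enabled and the leaked address changes every time, but `demo_leak_defeats_aslr()` still succeeds: the delta between two functions in the same image is a property of the binary, not of the process, which is exactly why a single disclosed pointer is enough. The opaque-handle form keeps the equality and identity properties scripts actually rely on from `tostring()` while giving an attacker nothing to compute offsets from.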