lua-l archive

On Fri, Jul 5, 2019 at 6:51 PM Sean Conner <sean@conman.org> wrote:
It was thus said that the Great Coda Highland once stated:
> On Fri, Jul 5, 2019 at 4:56 PM Sean Conner <sean@conman.org> wrote:
>
> > It was thus said that the Great Patrick Donnelly once stated:
> >
> > > But, ASLR can't help if the scripting language voluntarily
> > > gives away this information (the address location of the heap or
> > > strings) to scripts.
> >
> >   Please, I implore you, *give a proof-of-concept* here, because otherwise
> > it's a pointless change because of cargo cult understanding of attacks.

  [ Mention of WebKit exploits deleted because it's WebKit, NOT Lua]

  [ Mention of ROP and ASLR deleted because it's been mentioned before]

> This means that one of the first things that an exploit is going to need to
> do is discover an address to a known data structure, and then it can start
> computing offsets from there. In Lua, one of the best options available
> would be the string metatable, because it contains pointers to native-code
> functions baked into the binary.
>
> On any reasonably secure platform, this is difficult. Usually you have to
> exploit a buffer overflow or a use-after-free or some similar technique in
> order to trick the program into writing the address somewhere you can
> access. But if you can just say "hey, interpreter, could you please tell me
> the address of string.concat?" and it comes back with "you seem like a fine
> gentleprogram, here you go!" then you've just skipped the hardest part of
> kicking off an exploit chain.

  Sigh.

  Okay, how about a proof-of-concept *written in Lua*, text only (because
precompiled Lua code is dangerous, there are proof-of-concepts of that) that
will execute arbitrary code, just from an address one can get from
tostring() or string.format("%p") (both will return an address, so obviously
tostring() must go, right?).

  -spc (I keep asking for a "proof-of-concept" but I keep getting "here's
        how it *could* be done".  I'm sorry, I want to "see it" being done.
        It should be trivial in Lua given an actual address, right?)


You asked for a proof of concept so I referenced one illustrating the general technique that's beyond just proof-of-concept level to full productionization. You didn't explicitly specify "in Lua" before now.

If I had a proof of concept of a critical security flaw in Lua, I would be submitting a patch for it. The concern isn't about the bugs that the good guys can find. It's a practice of defense-in-depth, so that if a heretofore unknown bug is discovered then the damage it can deal is limited. There is of course the cost-benefit analysis to consider, so it wouldn't be worth hobbling the entire Lua VM for an obscure hypothetical vulnerability, but disabling a trivial way to crack ASLR has a pretty tiny cost.

And as an aside to the previous poster: To be honest, while crashing is a nasty opportunity for denial of service, it's the bugs that DON'T crash the program that are far more damaging.

/s/ Adam
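
The hardening measure debated in this thread, sketched as an added example that is not code from any poster or from the Lua distribution: a sandbox environment for untrusted text-only scripts in which tostring(), print() and string.format() never return object addresses. It assumes Lua 5.4 (where `%p` exists); `safe_tostring`, `safe_format`, `safe_string` and `env` are hypothetical names.

```lua
-- Added example (assumes Lua 5.4). All helper names here are hypothetical.
local raw_tostring, raw_format, raw_type = tostring, string.format, type
-- Types whose default tostring() form is "<name>: <address>".
local ADDRESS_TYPES = { table = true, ["function"] = true, userdata = true, thread = true }

-- Stable opaque ids stand in for addresses; weak keys avoid pinning objects.
local ids, next_id = setmetatable({}, { __mode = "k" }), 0
local function opaque_id(obj)
  if not ids[obj] then next_id = next_id + 1; ids[obj] = next_id end
  return ids[obj]
end

local function safe_tostring(v)
  local t = raw_type(v)
  if not ADDRESS_TYPES[t] then return raw_tostring(v) end
  local mt = debug.getmetatable(v)
  -- A __tostring metamethod produces its own text; defer to it.
  if mt and rawget(mt, "__tostring") ~= nil then return raw_tostring(v) end
  local name = mt and rawget(mt, "__name")
  if raw_type(name) ~= "string" then name = t end
  return name .. ": #" .. opaque_id(v)
end

local function safe_format(fmt, ...)
  -- Drop literal "%%" first so "%%p" is not mistaken for the %p option.
  local stripped = string.gsub(fmt, "%%%%", "")
  if string.find(stripped, "%%[-+ #0]*%d*%.?%d*p") then
    error("format option '%p' is disabled in this sandbox", 2)
  end
  -- %s converts tables/functions with the C-level tostring, so pre-convert them.
  local args = table.pack(...)
  for i = 1, args.n do
    if ADDRESS_TYPES[raw_type(args[i])] then args[i] = safe_tostring(args[i]) end
  end
  return raw_format(fmt, table.unpack(args, 1, args.n))
end

local safe_string = {}
for k, f in pairs(string) do safe_string[k] = f end
safe_string.format = safe_format
-- ("%p"):format(x) resolves through the shared string metatable, not env.string,
-- so repoint it too. This affects the whole Lua state, host code included.
debug.getmetatable("").__index = safe_string

local env = { tostring = safe_tostring, string = safe_string, pcall = pcall }
function env.print(...)  -- the stock print() also emits addresses
  local out = table.pack(...)
  for i = 1, out.n do out[i] = safe_tostring(out[i]) end
  print(table.concat(out, "\t", 1, out.n))
end
-- Constructed untrusted script; mode "t" makes load() refuse precompiled chunks.
assert(load([[ local t = {}
  print(tostring(t), string.format("%s", print))
  print(pcall(function() return ("%p"):format(t) end)) ]], "=untrusted", "t", env))()
```

Any host function exposed through `env` that formats values itself needs the same treatment, as does any `__tostring` metamethod written by the host.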