lua-users home
lua-l archive



It was thus said that the Great Coda Highland once stated:
> On Fri, Jul 5, 2019 at 6:51 PM Sean Conner <sean@conman.org> wrote:
> 
> >   Okay, how about a proof-of-concept *written in Lua*, text only (because
> > precompiled Lua code is dangerous, there are proof-of-concepts of that) that
> > will execute arbitrary code, just from an address one can get from
> > tostring() or string.format("%p") (both will return an address, so obviously
> > tostring() must go, right?).
> >
> >   -spc (I keep asking for a "proof-of-concept" but I keep getting "here's
> >         how it *could* be done".  I'm sorry, I want to "see it" being done.
> >         It should be trivial in Lua given an actual address, right?)
> >
> You asked for a proof of concept so I referenced one illustrating the
> general technique that's beyond just proof-of-concept level to full
> productionization. You didn't explicitly specify "in Lua" before now.

  I thought that was clear from the context (this mailing list being about
Lua, and the topic of getting address information from Lua leading to OMG
Armageddon!), but I probably should have been more explicit about it.

> If I had a proof of concept of a critical security flaw in Lua, I would be
> submitting a patch for it. The concern isn't about the bugs that the good
> guys can find. It's a practice of defense-in-depth, so that if a heretofore
> unknown bug is discovered then the damage it can deal is limited.

  Okay, so was this *ever* brought up about tostring()?  Because:

[spc]lucy:/tmp>lua-51
Lua 5.1.5  Copyright (C) 1994-2012 Lua.org, PUC-Rio
> print(print)
function: 0x8ff9020
> 
[spc]lucy:/tmp>lua-52
Lua 5.2.4  Copyright (C) 1994-2015 Lua.org, PUC-Rio
> print(print)
function: 0x805c804
> 
[spc]lucy:/tmp>lua-53
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> print(print)
function: 0x805f3f8
> 
[spc]lucy:/tmp>lua-54
Lua 5.4.0  Copyright (C) 1994-2019 Lua.org, PUC-Rio
> print(print)
function: 0x8063954
> 
[spc]lucy:/tmp>

  It goes back a @#%@!#$@#$ long way, and only NOW are people freaking out
about it because string.format() got a "%p" format specifier?  I would
expect that if there was an issue about obtaining an address, it would have
shown itself in the past, oh, thirteen years or so.  It's not like ASLR
wasn't known back then (hint---it was).

  But so far, all I've seen is "OMG! ASLR is VIOLATED!  Burn the feature!"
which to me comes across as cargo cult security, of which I seem to be in
the minority.  So let's neuter both tostring() and string.format() to save
ASLR!

  -spc (And request, nay!  Demand!  That all modules in C avoid printing an
	address as part of the __tostring() metamethod ...)
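As an added example, not part of the original post or of the Lua distribution, the following script makes the point of the transcripts above concrete: the pointer that tostring() has printed since Lua 5.1 can be parsed back into a number, and on Lua 5.4 string.format("%p") yields exactly the same value, so "%p" adds no information that was not already available. The helper names (leak_address, leak_address_p, delta) are hypothetical; the only assumption about the interpreter is stock Lua's "<type>: <pointer>" tostring() output, whose pointer formatting is platform dependent (glibc prints "0x..." while MSVC prints bare hex), so the parser accepts both.

```lua
-- Added example (not from the original post): recover the raw pointer that
-- tostring() has exposed since Lua 5.1 and compare it with Lua 5.4's %p.
-- Helper names are hypothetical.  Works on stock Lua 5.1 through 5.4; under
-- LuaJIT builtins print as "function: builtin#NN" and leak_address returns nil.

-- Parse "function: 0x8ff9020" / "table: 0x55d1c3a0" / "userdata: 00000000005A1B2C".
-- Values with a __tostring metamethod (or no pointer in the output) yield nil.
local function leak_address(v)
  local s = tostring(v)
  local hex = s:match("^%a+: 0[xX](%x+)$") or s:match("^%a+: (%x+)$")
  if not hex then return nil, "no address in tostring(): " .. s end
  -- 5.3+ parses this as a 64-bit integer; 5.1/5.2 use a double, which still
  -- holds a 47-bit user-space pointer exactly.
  return tonumber(hex, 16), hex
end

-- string.format("%p") only exists in Lua 5.4; older versions raise
-- "invalid option '%p'", which pcall turns into a nil result here.
local function leak_address_p(v)
  local ok, s = pcall(string.format, "%p", v)
  if not ok then return nil, "%p unsupported: " .. tostring(s) end
  local hex = s:match("^0[xX](%x+)$") or s:match("^(%x+)$")
  return hex and tonumber(hex, 16) or nil, hex
end

-- Distance between two heap objects: this is the kind of layout information
-- an address leak hands out, whichever function produced the address.
local function delta(a, b)
  local x, ex = leak_address(a)
  local y, ey = leak_address(b)
  if not (x and y) then return nil, ex or ey end
  return y - x
end

print(_VERSION)
print("tostring(print)      ->", tostring(print))

local addr, hex = leak_address(print)
if addr then
  print("parsed address       ->", addr, "(0x" .. hex .. ")")
else
  print("parsed address       ->", hex)
end

local addr_p, why = leak_address_p(print)
if addr_p then
  print("string.format('%p')  ->",
        addr_p == addr and "same pointer as tostring()" or "differs from tostring()")
else
  print("string.format('%p')  ->", why)
end

local t1, t2 = {}, {}
print("distance between two fresh tables ->", delta(t1, t2))
```

Run it under each interpreter from the transcripts (lua-51 through lua-54): on 5.1 to 5.3 the "%p" line reports that the option is unsupported while the parsed tostring() address is still available, and on 5.4 both paths print the same pointer. The delta between two freshly created tables is the piece of allocator-layout information either leak gives an attacker, which is what the ASLR discussion above is actually about.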