[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: tostring userdata
- From: Patrick Donnelly <batrick@...>
- Date: Tue, 2 Jul 2019 22:21:25 -0700
It was thus said that the Great Patrick Donnelly once stated:
> On Sun, Jun 30, 2019, 9:42 AM Andrew Gierth <firstname.lastname@example.org>
> > >>>>> "Tom" == Tom Sutcliffe <email@example.com> writes:
> > Tom> I've tracked this down to the fact that the test - not the
> > Tom> production code :) - was relying on the tostring representation of
> > Tom> a full userdata 0xABCD being the same as the lightuserdata
> > Tom> representation of the same pointer - they were both "userdata:
> > Tom> 0x1234" on 5.3
> > er... no?
> > In 5.3, the tostring representation of something that's not a number,
> > string, boolean or nil and which has no __tostring metamethod is:
> > lua_pushfstring(L, "%s: %p", kind, lua_topointer(L, idx));
> > where "kind" is the value of the __name metafield if it exists and is a
> > string, and is the luaL_typename of the original value otherwise.
> While we are on this subject, giving Lua scripts access to the pointer
> address to something in memory is a needless footstool to breaking out of a
> sandbox and potentially taking over an application.
I'd like to see a proof-of-concept before I worry about that. I mean, I
can always do
x = 0xcbc5c0
which *is* a valid address on a running instance of Lua on my system. Or
0xb7d7f000 or 0x00cbe040 or any number of other values.
I'm not talking about numbers of course. If you have knowledge of the addresses to userdata then you can use that to write assembly code referencing that address to execute code. That's assuming you can write arbitrary data in the userdata (not at all uncommon) and that you have an attack vector to cause that code to be executed (maybe possible with poorly written libraries). I nearly got far enough to do this in WoW back in the day when I was breaking any sandbox I could find. At the time, I was trying to exploit getting access to the Lua registry  which gave access to some interesting WoW internals. I don't recall exact details.
-spc (And no, loading a special C module to exploit this won't cut it)
Why not? A Lua sandbox in some application presumably has some C modules which may be quite... special. :)