lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

It was thus said that the Great Patrick Donnelly once stated:
> On Wed, Jul 3, 2019 at 6:51 AM Roberto Ierusalimschy
> <> wrote:
> >
> > 2) After your explanations, I still fail to see how this is a
> > "footstool". If we assume poorly written libraries, anything
> > can be dangerous.
> It's dangerous for the same reasons that a static starting address for
> the stack is. 

  Most C compilers will use the system stack for both return addresses
(because that's inherent to a CALL instruction) and parameters to a
function.  Separate the two---have a separate "return stack" and "data
stack" and this becomes harder to exploit (Forth does this).  There's
nothing in the C standard that mandates only one stack.

> There are classic hacks that utilize the known address
> location of an environment variable 

  If an attacker can modify the environment variables (like $HOME) then you
have more problems than just the attack itself.

> at the beginning of a stack 

  An implementation detail.  There are operating systems out there that have
environment variables elsewhere.

> to
> implement return-to-libc attacks with shellcode in the environment
> variable. Since then, mitigations like ASLR have made this more
> difficult.

  And it has made debugging production issues harder as well, because stack
dumps are now worthless, and of *course* you are running stripped binaries
because *not* doing so leaks information and ...

> But, ASLR can't help if the scripting language voluntarily
> gives away this information (the address location of the heap or
> strings) to scripts.

  Please, I implore you, *give a proof-of-concept* here, because otherwise
it's a pointless change because of cargo cult understanding of attacks.

> > 3) If you really think this is dangerous, it just got worse :-)
> >
> >   $ lua
> >   Lua 5.4.0  Copyright (C) 1994-2019, PUC-Rio
> >   > string.format("%p", {})
> >   0x2108f70
> Or more pointedly:
> lua -e 'function f(s) print(string.format("%p", s)) end f"" f{}
> f(("1"):rep(1e3))'
> 0x5606b34f1fb0
> 0x5606b34f4190
> 0x5606b34f47b0
> As I said, I'm not an expert in this area so maybe I'm just raising
> alarm about something not considered a serious problem.

  I think you are.