View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001348 | Spring engine | Lua | public | 2009-02-20 23:46 | 2009-08-22 18:34 |
| Reporter | Auswaschbar | Assigned To | Auswaschbar | ||
| Priority | high | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 0.78.2.1+git | ||||
| Fixed in Version | 0.78.2.1+git | ||||
| Summary | 0001348: Lua-widgets can seriously harm your system | ||||
| Description | See forum topic http://spring.clan-sy.com/phpbb/viewtopic.php?f=12&t=17861 Suggested fix: [23:34:20] <trepan@IRC> my suggestion would be to setup the SpringRTS lua environments the way i've done for bzflag [23:34:44] <trepan@IRC> remove the 'io' and 'package' libraries, along with most of the 'os' library [23:35:08] <trepan@IRC> (and rely on VFS for i/o) [23:35:14] <trepan@IRC> also, remove dofile() and loadfile() | ||||
| Tags | No tags attached. | ||||
| Checked infolog.txt for Errors | |||||
|
|
How feasable is it to block the writing of executable file extensions on windows? Will require() load a dll under any name? We could patch it not to. Because there are legitimate uses to load C modules, and if you just block io and package you can still write malicious exe files all over a windows spring install. springsettings.exe anyone? |
|
|
Not much: - unzip BA - add malicious library + script - add 0.1 to version nubmer - zip - register to torrent system - make an autohost use it ... - profit |
|
|
i'm not entirely sure that the extension makes any difference to dlopen/LoadLibrary. what _could_ work is check if the lua tries to write a PE header (or opens a file with a PE header for appending, so writing byte-for-byte doesn't work.) this also needs to be checked on file close, so you can't write the file in a cleverly split two parts. |
|
|
I applied the patch by trepan to close the hole for now. If you find a better way of doing this, make patch. |
|
|
Maybe next time I shouldn't include a demo if a ticket's going to get closed when only one vector of attack is fixed. Some others: 1. lua can write out a malicious binary to somewhere such as springsettings.exe 2. lua can call ExtractModArchiveFile on a malicious binary named something such as springsettings.exe Imo we need to block lua from writing executable files. Once that is done, I would prefer that we reenable package. |
|
|
Fix for both is already in the engine, but not enabled by default: Change springwriting path to somewhere else than spring install dir, like e.g. "My Documents". Beside that, running spring with admin rights is a TASClient bug (or usrs mistake, if he turned UAC off). |
|
|
I don't care about root access as much as I care about all my data files. And do you honestly think it's a good idea to still let widgets write malicious executables all over the SpringData directory? infolog.txt.exe, a phony spring.exe, think of all the havoc you can cause. And in the end, I really do want user-approved libraries that spring can load. |
|
|
I don't. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-02-20 23:46 | Auswaschbar | New Issue | |
| 2009-02-21 22:33 | lurker | Note Added: 0003309 | |
| 2009-02-22 10:59 | Auswaschbar | Note Added: 0003310 | |
| 2009-02-22 13:01 | imbaczek | Note Added: 0003311 | |
| 2009-02-23 12:01 | Auswaschbar | Note Added: 0003312 | |
| 2009-02-23 12:01 | Auswaschbar | Status | new => resolved |
| 2009-02-23 12:01 | Auswaschbar | Fixed in Version | => 0.78.2.1+git |
| 2009-02-23 12:01 | Auswaschbar | Resolution | open => fixed |
| 2009-02-23 12:01 | Auswaschbar | Assigned To | => Auswaschbar |
| 2009-02-24 05:26 | lurker | Assigned To | Auswaschbar => |
| 2009-02-24 05:26 | lurker | Note Added: 0003314 | |
| 2009-02-24 05:26 | lurker | Status | resolved => new |
| 2009-02-24 05:26 | lurker | Resolution | fixed => reopened |
| 2009-02-24 05:27 | lurker | Note Edited: 0003314 | |
| 2009-02-24 11:19 | Auswaschbar | Note Added: 0003315 | |
| 2009-02-24 17:29 | lurker | Note Added: 0003316 | |
| 2009-08-22 18:06 | tvo | Category | Unit Scripting => Lua |
| 2009-08-22 18:34 | Auswaschbar | Note Added: 0003971 | |
| 2009-08-22 18:34 | Auswaschbar | Status | new => resolved |
| 2009-08-22 18:34 | Auswaschbar | Resolution | reopened => fixed |
| 2009-08-22 18:34 | Auswaschbar | Assigned To | => Auswaschbar |
