How to Report
If you find a new vulnerability in Lua, you can report it, but how? This post should be helpful to anyone who is trying to report a Lua vulnerability.
0-day exploitable vulnerability in Lua interpreter
Although our fuzzer generated many crashes, not all of them were exploitable. In fact, most of them were trivial bugs. However, we found an exploitable use-after-free crash, which occurs during garbage collection in Lua. In this post, we show how the newest Lua interpreter can be exploited (i.e. made to execute /bin/sh).
Applying to Host Programs
We selected ten widely used host programs that use Lua scripts for plugins. Although we cannot name the host programs we chose, we applied our vulnerabilities to each of them with essentially the same method.
Vulnerability Analysis
With our tools and knowledge prepared, we found several vulnerabilities in Lua. In this post, you can read the discussions we had on the Lua-l mailing list. As Lua is an open-source language, you can see many people giving their opinions on our analysis.
Code Auditing
Code auditing is, literally, analyzing code to find software vulnerabilities. Lua is an open-source language, so we can audit it by inspecting the C source that makes up the interpreter. While analyzing crash files, we often had a hard time understanding some of the logic; those crashes were generated during the garbage collection process. In order to fully grasp the root cause of each crash, we audited the garbage-collection-related code in Lua.
Analyzing Crash Files
Our fuzzer generated thousands of crash files. Since we are a small team with limited time for this project, we needed a strategy for classifying them. Also, because the crash files were .lua script files, we spent much time analyzing the root cause of each one. We believe this post will be helpful to anyone trying to analyze a Lua script that crashes the Lua interpreter.
Fuzzing Lua Interpreter
Nowadays, as application programs have many features, it is not easy to find vulnerabilities simply by analyzing code or binaries. Fuzzing can be an efficient way of finding software vulnerabilities. However, there was no fuzzer that targeted Lua, so we needed to implement our own. Through trial and error, we developed a fuzzer aimed at the Lua interpreter. It was not an easy task. We hope some readers will improve our fuzzer and discover hidden vulnerabilities in Lua!
Previous Vulnerabilities
We started our security research on Lua by analyzing 1-day vulnerabilities. Case studies of previous vulnerabilities can help in finding new ones. Specifically, we reviewed the sandbox escape vulnerability in Lua v5.2 and previous CVEs related to Lua.
What is Lua?
So, what is Lua? Lua is a lightweight, embeddable scripting language. For detailed information, we recommend the official Lua website and the book "Programming in Lua". Although some of you might not have heard of Lua, it is actually embedded in many well-known host programs to support scripting. In this post, we explain the major attributes of Lua and give real examples of host programs that use it.
Introduction
Hi, we are students from Korea who are interested in cybersecurity. We belong to BoB (Best of the Best), a government-supported 8-month program that trains passionate students to become cybersecurity experts. You can find more information about BoB at the link below.