Date: Fri, 06 Nov 2015 10:37:19 +0100
From: Luca Bruno <lucab@...ian.org>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Review+CVE request: multiple issues in redis EVAL command (lua sandbox)

Hi,
after earlier disclosure to the redis author (antirez), and upon agreement with him,
I've just reported via github three issues related to the redis EVAL command
and its Lua sandbox.
Those include:
 * sandbox subverting via global environment manipulation
 * crash via assertion hitting (related to the above issue)
 * integer overflow / stack-based buffer overflow in embedded lua_struct.c

I would like to get some review/feedback on those, and (if deemed worthy)
CVEs assigned.
For some background, [0] was the public part of the discussion and [1] a recent
post by upstream author on redis security (his post came just after private
reporting).
[0] https://www.reddit.com/r/redis/comments/3rby8c/a_few_things_about_redis_security/cwnz6qi
[1] http://antirez.com/news/96

For detailed reference, these are the issues reported:

1) Ineffective whitelisting allows for global environment manipulation
   + https://github.com/antirez/redis/issues/2854

   The Redis Lua sandbox is whitelist-based, and some of the exposed functions
   allow for global environment manipulation. This makes it easier to bypass parts
   of the sandbox (e.g. the "strict lua" mode) and to cause other internal
   state de-sync.

2) Reliable remote crash via assertion hitting
   + https://github.com/antirez/redis/issues/2853

   By manipulating the Lua global environment, it is possible to de-sync Lua/redis
   internal state and reliably trigger a DoS/crash by hitting an assertion.
   Reproducer attached to the bug report.

3) Integer overflow (leading to stack-based buffer overflow) in embedded lua_struct.c
   + https://github.com/antirez/redis/issues/2855

   Input parsing code in lua_struct.c suffers from integer overflow and
   int/size_t confusion, allowing a crafted EVAL command to trigger a stack-based
   buffer overflow with (limited) user-controlled writes.
   Reproducer attached to the bug report.

Ciao, Luca

-- 
Luca Bruno (kaeso)
 Security Engineer
 Rocket Internet SE
 -> GPG: 0xBB1A3A854F3BBEBF
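The following is an added example, not code from redis, lua_struct.c or the reporter: a hypothetical struct-style format parser (type letter plus optional decimal repeat count) that computes the buffer size the format needs using size_t with checked arithmetic and a caller-supplied bound, i.e. the defensive pattern that avoids the int/size_t confusion and overflow class described in issue 3. All function names and the format letters are invented for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical struct-style format (not lua_struct.c): a type letter, optionally
 * followed by a decimal repeat count, e.g. "i4c10" = 4 ints then 10 chars. */
static bool checked_add(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) return false;
    *out = a + b;
    return true;
}
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}
/* Optional decimal count at *fmt (default 1), accumulated in size_t with
 * overflow checks rather than in an int that could wrap to a small value. */
static bool parse_count(const char **fmt, size_t *out) {
    size_t v = 0;
    if (!isdigit((unsigned char)**fmt)) { *out = 1; return true; }
    while (isdigit((unsigned char)**fmt)) {
        size_t digit = (size_t)(*(*fmt)++ - '0');
        if (!checked_mul(v, 10, &v) || !checked_add(v, digit, &v)) return false;
    }
    *out = v;
    return true;
}
/* Bytes described by fmt, into *total. Fails on an unknown letter, on overflow, or
 * when the total exceeds bufsize, so the caller rejects the request before writing. */
bool fmt_total_size(const char *fmt, size_t bufsize, size_t *total) {
    size_t sum = 0;
    while (*fmt) {
        size_t unit, count, item;
        switch (*fmt++) {
        case 'b': unit = 1; break;  /* byte */
        case 'i': unit = 4; break;  /* int  */
        case 'c': unit = 1; break;  /* char */
        default:  return false;
        }
        if (!parse_count(&fmt, &count)) return false;
        if (!checked_mul(unit, count, &item) || !checked_add(sum, item, &sum)) return false;
        if (sum > bufsize) return false;
    }
    *total = sum;
    return true;
}
size_t fmt_size_or_zero(const char *fmt, size_t bufsize) { /* 0 = rejected */
    size_t t; return fmt_total_size(fmt, bufsize, &t) ? t : 0;
}
```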

