Date: Fri, 06 Nov 2015 10:37:19 +0100 From: Luca Bruno <lucab@...ian.org> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Review+CVE request: multiple issues in redis EVAL command (lua sandbox) Hi, after earlier disclosure to (antirez) redis author, and upon agreement with him, I've just reported via github three issues related to the redis EVAL command and its LUA sandbox. Those include: * sandbox subverting via global environment manipulation * crash via assertion hitting (related to the above issue) * integer overflow / stack-based buffer overflow in embedded lua_struct.c I would like to get some review/feedback on those, and (if deemed worthy) CVEs assigned. For some background,  was the public part of the discussion and  a recent post by upstream author on redis security (his post came just after private reporting).  https://www.reddit.com/r/redis/comments/3rby8c/a_few_things_about_redis_security/cwnz6qi  http://antirez.com/news/96 For detailed reference, these are the issues reported: 1) Ineffective whitelisting allows for global environment manipulation + https://github.com/antirez/redis/issues/2854 Redis lua sandbox is whitelist-based, and some of the exposed functions allow for global environment manipulation. This make easier to bypass parts of the sandbox (eg. the "strict lua" mode) and to cause other internal state de-sync. 2) Reliable remote crash via assertion hitting + https://github.com/antirez/redis/issues/2853 Manipulating the lua global environment, it is possible to de-sync lua/redis internal state, and reliably trigger a DoS/crash by hitting an assertion. Reproducer attached to the bug report. 3) Integer overflow (leading to stack-based buffer overflow) in embedded lua_struct.c + https://github.com/antirez/redis/issues/2855 Input parsing code in lua_struct.c suffers of Integer Overflow and int/size_t confusion, allowing for crafted EVAL command to trigger a stack-based buffer overflow with (limited) user-controlled writes. Reproducer attached to the bug report. Ciao, Luca -- Luca Bruno (kaeso) Security Engineer Rocket Internet SE -> GPG: 0xBB1A3A854F3BBEBF Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ