Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Jul 2018 10:41:40 +0200
From: Emilio Pozuelo Monfort <pochu27@...il.com>
To: oss-security@...ts.openwall.com, Iris Morelle <shadowm2006@...il.com>
Subject: Re: CVE request: Wesnoth arbitrary code
 execution/sandbox escape

On 20/07/18 03:13, Iris Morelle wrote:
> Hello,
> 
> We've found an issue in our software, "The Battle for Wesnoth", which allows 
> arbitrary code execution by exploiting a vulnerability within the Lua 
> scripting language engine which allows escaping existing sandbox measures in 
> place and executing untrusted bytecode.
> 
> We would like to have a CVE id assigned to this issue if possible.

Please request one by filling https://cveform.mitre.org and let this list know
the CVE id if/when you get one assigned.

Cheers,
Emilio

> 
> 
> Description:
> 
> The Wesnoth game engine uses the vanilla Lua programming language library to 
> implement most of its game scripting capabilities. Lua is able to execute 
> bytecode using its load(), loadfile(), loadstring(), dofile(), and require() 
> functions. Wesnoth in particular exposes load(), loadstring(), and two 
> wrappers for the former in the form of wesnoth.dofile() and wesnoth.require(), 
> without making sure to disable the ability to load and execute bytecode.
> 
> It has been documented [1] that it is possible to exploit the Lua load 
> functions to execute untrusted bytecode that can then bypass sandbox measures, 
> or even gain and abuse special knowledge about the process' memory layout.
> 
>   [1] https://gist.github.com/corsix/6575486
> 
> Wesnoth executes Lua code from untrusted local files either written by players 
> or downloaded through a player content distribution server, as well as from 
> data sent over the network in multiplayer games; thus this vulnerability is 
> rather severe as it can be exploited remotely by malicious parties without the 
> user's knowledge.
> 
> This issue was found by Daniel Dräger, a Wesnoth developer, and author of an 
> unmerged patch fixing it.
> 
> 
> Affected versions:
> 
> All existing versions of Wesnoth with the Lua scripting capability, i.e. 
> versions 1.7.0 through 1.14.3.
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ