Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Jul 2018 10:41:40 +0200
From: Emilio Pozuelo Monfort <pochu27@...il.com>
To: oss-security@...ts.openwall.com, Iris Morelle <shadowm2006@...il.com>
Subject: Re: CVE request: Wesnoth arbitrary code
 execution/sandbox escape

On 20/07/18 03:13, Iris Morelle wrote:
> Hello,
> 
> We've found an issue in our software, "The Battle for Wesnoth", which allows 
> arbitrary code execution by exploiting a vulnerability within the Lua 
> scripting language engine which allows escaping existing sandbox measures in 
> place and executing untrusted bytecode.
> 
> We would like to have a CVE id assigned to this issue if possible.

Please request one by filling https://cveform.mitre.org and let this list know
the CVE id if/when you get one assigned.

Cheers,
Emilio

> 
> 
> Description:
> 
> The Wesnoth game engine uses the vanilla Lua programming language library to 
> implement most of its game scripting capabilities. Lua is able to execute 
> bytecode using its load(), loadfile(), loadstring(), dofile(), and require() 
> functions. Wesnoth in particular exposes load(), loadstring(), and two 
> wrappers for the former in the form of wesnoth.dofile() and wesnoth.require(), 
> without making sure to disable the ability to load and execute bytecode.
> 
> It has been documented [1] that it is possible to exploit the Lua load 
> functions to execute untrusted bytecode that can then bypass sandbox measures, 
> or even gain and abuse special knowledge about the process' memory layout.
> 
>   [1] https://gist.github.com/corsix/6575486
> 
> Wesnoth executes Lua code from untrusted local files either written by players 
> or downloaded through a player content distribution server, as well as from 
> data sent over the network in multiplayer games; thus this vulnerability is 
> rather severe as it can be exploited remotely by malicious parties without the 
> user's knowledge.
> 
> This issue was found by Daniel Dräger, a Wesnoth developer, and author of an 
> unmerged patch fixing it.
> 
> 
> Affected versions:
> 
> All existing versions of Wesnoth with the Lua scripting capability, i.e. 
> versions 1.7.0 through 1.14.3.
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.