Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2222700.WJvhPnAmYh@hanacore>
Date: Thu, 19 Jul 2018 21:13:42 -0400
From: Iris Morelle <shadowm2006@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Wesnoth arbitrary code execution/sandbox escape

Hello,

We've found an issue in our software, "The Battle for Wesnoth", which allows 
arbitrary code execution by exploiting a vulnerability within the Lua 
scripting language engine which allows escaping existing sandbox measures in 
place and executing untrusted bytecode.

We would like to have a CVE id assigned to this issue if possible.


Description:

The Wesnoth game engine uses the vanilla Lua programming language library to 
implement most of its game scripting capabilities. Lua is able to execute 
bytecode using its load(), loadfile(), loadstring(), dofile(), and require() 
functions. Wesnoth in particular exposes load(), loadstring(), and two 
wrappers for the former in the form of wesnoth.dofile() and wesnoth.require(), 
without making sure to disable the ability to load and execute bytecode.

It has been documented [1] that it is possible to exploit the Lua load 
functions to execute untrusted bytecode that can then bypass sandbox measures, 
or even gain and abuse special knowledge about the process' memory layout.

  [1] https://gist.github.com/corsix/6575486

Wesnoth executes Lua code from untrusted local files either written by players 
or downloaded through a player content distribution server, as well as from 
data sent over the network in multiplayer games; thus this vulnerability is 
rather severe as it can be exploited remotely by malicious parties without the 
user's knowledge.

This issue was found by Daniel Dräger, a Wesnoth developer, and author of an 
unmerged patch fixing it.


Affected versions:

All existing versions of Wesnoth with the Lua scripting capability, i.e. 
versions 1.7.0 through 1.14.3.

-- 
Regards
  Iris Morelle, Wesnoth developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.