Message-ID: <4494606.3KQYZIffxk@chimera>
Date: Fri, 06 Nov 2015 10:37:19 +0100
From: Luca Bruno <lucab@...ian.org>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Review+CVE request: multiple issues in redis EVAL command (lua sandbox)
Hi,
after earlier disclosure to the redis author (antirez), and upon agreement with him,
I've just reported via github three issues related to the redis EVAL command
and its Lua sandbox.
Those include:
* sandbox subverting via global environment manipulation
* crash via assertion hitting (related to the above issue)
* integer overflow / stack-based buffer overflow in embedded lua_struct.c
I would like to get some review/feedback on those, and (if deemed worthy)
CVEs assigned.
For some background, [0] was the public part of the discussion and [1] a recent
post by upstream author on redis security (his post came just after private
reporting).
[0] https://www.reddit.com/r/redis/comments/3rby8c/a_few_things_about_redis_security/cwnz6qi
[1] http://antirez.com/news/96
For detailed reference, these are the issues reported:
1) Ineffective whitelisting allows for global environment manipulation
+ https://github.com/antirez/redis/issues/2854
The Redis Lua sandbox is whitelist-based, and some of the exposed functions
allow for global environment manipulation. This makes it easier to bypass parts
of the sandbox (e.g. the "strict lua" mode) and to cause other internal
state desynchronization.
2) Reliable remote crash via assertion hitting
+ https://github.com/antirez/redis/issues/2853
By manipulating the Lua global environment, it is possible to desynchronize Lua/redis
internal state and reliably trigger a DoS/crash by hitting an assertion.
Reproducer attached to the bug report.
3) Integer overflow (leading to stack-based buffer overflow) in embedded lua_struct.c
+ https://github.com/antirez/redis/issues/2855
Input parsing code in lua_struct.c suffers from an integer overflow and
int/size_t confusion, allowing a crafted EVAL command to trigger a stack-based
buffer overflow with (limited) user-controlled writes.
Reproducer attached to the bug report.
Ciao, Luca
--
Luca Bruno (kaeso)
Security Engineer
Rocket Internet SE
-> GPG: 0xBB1A3A854F3BBEBF
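The bug class behind issue 3 (a decimal repetition count in a pack/unpack format string accumulated into an int with no overflow check, then passed through a size check that only bounds it from above and finally converted to size_t for a copy into a fixed stack buffer), as an added illustration. This is not Redis's lua_struct.c and not the reporter's reproducer; the function names, the MAXINTSIZE buffer size and the format strings are constructed for the example, and the hardened variants show the checks a fixed parser needs.

```c
/*
 * Added illustration (not Redis's lua_struct.c): an unchecked decimal count
 * parser beside a checked one, and an upper-bound-only size check beside a
 * correct one. A count such as "2147483648" wraps to INT_MIN, passes
 * "size <= MAXINTSIZE", and becomes an enormous length once converted to
 * size_t for a memcpy into a fixed stack buffer. All inputs are constructed.
 */
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAXINTSIZE 32   /* hypothetical size of the on-stack field buffer */

/* Vulnerable pattern: digits are accumulated with no bound. Accumulation is
 * done in unsigned so the wrap is well-defined here; the final conversion to
 * int yields the same wrapped value a signed accumulator produces on a
 * two's-complement build. */
static int getnum_unchecked(const char **fmt, int df)
{
    if (!isdigit((unsigned char)**fmt))
        return df;                      /* no count given: use the default */
    unsigned int a = 0;
    do {
        a = a * 10u + (unsigned int)(*((*fmt)++) - '0');
    } while (isdigit((unsigned char)**fmt));
    return (int)a;                      /* "2147483648" -> INT_MIN */
}

/* Hardened parser: refuse the count as soon as one more digit would exceed
 * INT_MAX instead of letting it wrap. Returns false on overflow. */
static bool getnum_checked(const char **fmt, int df, int *out)
{
    if (!isdigit((unsigned char)**fmt)) {
        *out = df;
        return true;
    }
    int a = 0;
    do {
        int d = **fmt - '0';
        if (a > (INT_MAX - d) / 10)
            return false;               /* a*10 + d would overflow */
        a = a * 10 + d;
        (*fmt)++;
    } while (isdigit((unsigned char)**fmt));
    *out = a;
    return true;
}

/* Vulnerable check: only the upper bound is guarded, so a wrapped negative
 * size is accepted. */
static bool size_ok_unchecked(int size)
{
    return size <= MAXINTSIZE;
}

/* Hardened check: a field must be a positive number of bytes that fits the
 * stack buffer. */
static bool size_ok_checked(int size)
{
    return size > 0 && size <= MAXINTSIZE;
}

/* int/size_t confusion: the length a memcpy() would receive after the check.
 * A negative int converts to a huge size_t, so the copy into the
 * MAXINTSIZE-byte buffer would run far past its end. Returned, not executed,
 * because executing it is the overflow. */
static size_t copy_len(int size)
{
    return (size_t)size;
}

/* Parses the count of one spec (type letter followed by digits) on the
 * vulnerable path, then on the hardened path. Returns true only when the
 * hardened path rejects the input. */
static bool demo(const char *spec)
{
    const char *p = spec + 1;           /* skip the type letter, e.g. 'i' */
    int size = getnum_unchecked(&p, (int)sizeof(int));
    printf("spec %s: unchecked count=%d passes check=%d memcpy len=%zu\n",
           spec, size, (int)size_ok_unchecked(size), copy_len(size));

    p = spec + 1;
    int checked = 0;
    if (!getnum_checked(&p, (int)sizeof(int), &checked) ||
        !size_ok_checked(checked)) {
        printf("spec %s: hardened path rejected the count\n", spec);
        return true;
    }
    printf("spec %s: hardened count=%d\n", spec, checked);
    return false;
}

int main(void)
{
    demo("i4");             /* ordinary 4-byte field: both paths agree */
    demo("i2147483648");    /* INT_MAX+1: wraps to INT_MIN on the vulnerable path */
    return 0;
}
```

The second spec is the interesting one: the unchecked parser returns INT_MIN, the upper-bound-only check accepts it, and the length handed to the copy becomes roughly 2^64 - 2^31 on a 64-bit build. The checked parser stops at the ninth digit because appending another would exceed INT_MAX, so the size check is never even reached with a bad value.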