oss-sec mailing list archives
Review+CVE request: multiple issues in redis EVAL command (lua sandbox)
From: Luca Bruno <lucab () debian org>
Date: Fri, 06 Nov 2015 10:37:19 +0100
Hi,
after earlier disclosure to (antirez) redis author, and upon agreement with him, I've just reported via github three issues related to the redis EVAL command and its Lua sandbox. Those include:

 * sandbox subverting via global environment manipulation
 * crash via assertion hitting (related to the above issue)
 * integer overflow / stack-based buffer overflow in embedded lua_struct.c

I would like to get some review/feedback on those, and (if deemed worthy) CVEs assigned.

For some background, [0] was the public part of the discussion and [1] a recent post by upstream author on redis security (his post came just after private reporting).

[0] https://www.reddit.com/r/redis/comments/3rby8c/a_few_things_about_redis_security/cwnz6qi
[1] http://antirez.com/news/96

For detailed reference, these are the issues reported:

1) Ineffective whitelisting allows for global environment manipulation
 + https://github.com/antirez/redis/issues/2854

Redis Lua sandbox is whitelist-based, and some of the exposed functions allow for global environment manipulation. This makes it easier to bypass parts of the sandbox (e.g. the "strict lua" mode) and to cause other internal state de-sync.

2) Reliable remote crash via assertion hitting
 + https://github.com/antirez/redis/issues/2853

Manipulating the Lua global environment, it is possible to de-sync Lua/redis internal state, and reliably trigger a DoS/crash by hitting an assertion. Reproducer attached to the bug report.

3) Integer overflow (leading to stack-based buffer overflow) in embedded lua_struct.c
 + https://github.com/antirez/redis/issues/2855

Input parsing code in lua_struct.c suffers from integer overflow and int/size_t confusion, allowing a crafted EVAL command to trigger a stack-based buffer overflow with (limited) user-controlled writes. Reproducer attached to the bug report.

Ciao, Luca

-- 
Luca Bruno (kaeso)
Security Engineer
Rocket Internet SE -> GPG: 0xBB1A3A854F3BBEBF
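Added editorial example (not part of Luca's mail and not the redis/lua_struct.c code): a constructed C illustration of the bug class named in issue 3, a length computed from user-controlled parse fields in int arithmetic, range-checked as a signed int, then used as a size_t for a copy into a fixed stack buffer. The naive check is emulated with explicit wrapping so it runs deterministically, and the hardened version shows the check a defender would want: reject negatives, detect the multiplication overflow in size_t before it happens, and bound the result against the buffer. Names, sizes and values are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size output buffer of the kind a struct
 * unpacker might keep on the stack. The size is arbitrary. */
#define OUT_MAX 64

/* Naive length check of the vulnerable pattern: the product of two
 * attacker-influenced int fields is formed in int and compared as a
 * signed value. Wrap-around is emulated through uint32_t so this is
 * deterministic rather than undefined behaviour. Returns 1 if the check
 * would let the length through, 0 if it would reject it. */
static int naive_check_passes(int count, int width)
{
    int32_t total = (int32_t)((uint32_t)count * (uint32_t)width);
    /* A wrapped (negative or tiny) total passes "total <= OUT_MAX", and a
     * later cast to size_t turns it into a huge copy length. */
    return total <= OUT_MAX;
}

/* Hardened length computation: reject negative fields, detect overflow
 * of the multiplication in size_t before performing it, and bound the
 * result by the destination buffer. Returns 1 and sets *out_len on
 * success, 0 on rejection. */
static int safe_unpack_len(int count, int width, size_t *out_len)
{
    if (count < 0 || width < 0)
        return 0;
    size_t c = (size_t)count, w = (size_t)width;
    if (w != 0 && c > SIZE_MAX / w)
        return 0;                    /* c * w would overflow size_t */
    size_t total = c * w;
    if (total > OUT_MAX)
        return 0;                    /* would not fit the stack buffer */
    *out_len = total;
    return 1;
}

/* Copy count*width bytes from src into out using only the hardened
 * length. Returns the number of bytes copied, or -1 on rejection. */
static int unpack_safe(int count, int width, const char *src, size_t srclen,
                       char out[OUT_MAX])
{
    size_t total;
    if (!safe_unpack_len(count, width, &total))
        return -1;
    if (total > srclen)
        return -1;                   /* not enough input for the request */
    memcpy(out, src, total);
    return (int)total;
}

int main(void)
{
    /* Constructed inputs: a benign request and an overflowing one. */
    char out[OUT_MAX];
    printf("naive check, 3 x 4: %d\n", naive_check_passes(3, 4));
    printf("naive check, INT_MAX x 2 (wraps): %d\n",
           naive_check_passes(0x7fffffff, 2));
    printf("safe unpack, 3 x 4: %d\n",
           unpack_safe(3, 4, "abcdefghijkl", 12, out));
    printf("safe unpack, INT_MAX x 2: %d\n",
           unpack_safe(0x7fffffff, 2, "ab", 2, out));
    return 0;
}
```

The point of the pair is where the check sits: the naive version tests a value that has already wrapped, while the hardened version tests the operands before the multiplication and never lets a signed quantity be reinterpreted as a size_t.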