Malicious Metamethod hooks #125
TheDarkThief
started this conversation in
New Level Proposals
Language
Lua 🌔
Vulnerability
When accessing a table, the __index method is called; this can be set to a malicious function, allowing for remote code execution.
Scenario
Your company sells low-powered E-ink displays powered by a small embedded system. They are called E-Boards; because they are so weak, they send a request to the server with the RSS feeds the user has configured; the server proceeds to generate a bitmap image and returns the request to the board, which will eventually display the images to the user.
The API request looks like this:
and it expects the following return
Unfortunately, whoever created this function forgot that metatables exist in Lua and it allows a malicious hacker to have remote code execution if one does not handle tables correctly.
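An added example, not part of the original post or the project's code: it shows why ordinary indexing on a table from an untrusted source runs that table's __index function, and how a handler can read fields without triggering it. The field names (`width`, `feeds`), the function names and the sample table are assumptions made for illustration, and the hook here only increments a counter.

```lua
-- Constructed input: a request table carrying a metatable whose __index
-- function runs whenever a missing key is read with ordinary indexing.
local hook_calls = 0
local untrusted = setmetatable({ feeds = { "https://example.invalid/rss" } }, {
  __index = function(_, key)
    hook_calls = hook_calls + 1           -- stand-in for code the sender chose
    return "value-from-hook:" .. tostring(key)
  end,
})

-- Unsafe: `req.width` is absent from the table itself, so Lua falls through
-- to __index and the handler executes the sender's function.
local function read_width_unsafe(req)
  return req.width
end

-- Hardened: reject tables that carry a metatable, read with rawget (which
-- never consults metamethods), and validate the type of what comes back.
local function read_width_safe(req, default)
  if type(req) ~= "table" then
    return nil, "request is not a table"
  end
  -- getmetatable returns the __metatable field when one is set, so any
  -- non-nil result means a metatable is attached.
  if getmetatable(req) ~= nil then
    return nil, "request carries a metatable"
  end
  local w = rawget(req, "width")
  if w == nil then
    return default
  end
  if type(w) ~= "number" then
    return nil, "width must be a number"
  end
  return w
end

print("unsafe read:", read_width_unsafe(untrusted))
print("hook calls after unsafe read:", hook_calls)

local before = hook_calls
print("safe read:", read_width_safe(untrusted, 800))
print("hook ran during safe read:", hook_calls ~= before)

print("plain table:", read_width_safe({ width = 600 }, 800))
print("missing key, plain table:", read_width_safe({}, 800))
```

The same check has to be repeated for every nested table the handler walks (for example each entry under `feeds`), since rawget on the outer table says nothing about metatables attached to its values.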