Re: CorsixTH issue


Stephen E. Baker

Jun 17, 2016, 4:49:49 PM
to Kim Alvefur, corsix...@googlegroups.com
Thank you Kim,

I hadn't actually closely looked at this code before. It's basically
using eval on code fetched over the wire, without even TLS to protect
against MITM attacks. I agree that this is a very serious vulnerability
(potentially a remote code execution exploit with all the permissions of
the user).

I suggest that ASAP we release a 0.61 release without the update check
feature, and try to reach people to disable the update check in the
meantime, until we can write a version that does not execute the fetched result.

Stephen E. Baker

On 6/17/2016 4:21 PM, Kim Alvefur wrote:
> Hi!
>
> I saw your LuaSocket bug, and had a look at the code linked.
>
> This caught my eye:
>
> https://github.com/CorsixTH/CorsixTH/blob/9db5dff113ece05dbe5d1859a39d48b820b9c90e/CorsixTH/Lua/app.lua#L1423-L1456
>
> It looks like it is downloading Lua code over HTTP and executing it.
> That's pretty bad, even if loaded into an empty environment, especially
> as it does not disallow bytecode.
>

Edwin Smulders

Jun 17, 2016, 4:53:34 PM
to corsix...@googlegroups.com, Kim Alvefur
Hi Stephen,

How do you imagine an updater working if you do not execute anything it downloads?
I suggest a proper TLS connection and perhaps even signing the code it downloads.

Regards,
Edwin


--
You received this message because you are subscribed to the Google Groups "CorsixTH Development" group.

Stephen E. Baker

Jun 17, 2016, 5:38:33 PM
to corsix...@googlegroups.com

It just sends a version number, link, and change log. We can pull that info out by reading the string. Even simpler if instead of a table we used a delimited file like:
0.60\n list of changes.

The download link itself should be TLS. I don't see the value in sending it over the wire myself. As is, it just redirects to https://github.com/CorsixTH/CorsixTH/releases
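The fix Stephen sketches, as an added example that is not CorsixTH's own code: the update-check reply is treated as plain data (first line a version number, the rest the change log, a format assumed here from the message above) and parsed with string patterns, so nothing fetched from the server is ever passed to loadstring. The download link is hard-coded to the releases page named in the thread. The `unsafe_check` function is kept only to show the pattern being replaced and is never called; the sample bodies are constructed.

```lua
-- Added example (not CorsixTH project code): parse the update-check
-- response as data instead of executing it. Assumed wire format, as
-- sketched in the thread: "MAJOR.MINOR\n<change log>". Lua 5.1 syntax.

local RELEASES_URL = "https://github.com/CorsixTH/CorsixTH/releases"

-- The pattern the thread warns about: the server's reply is Lua source
-- (or bytecode, which loadstring accepts too) and gets executed.
-- Shown only for contrast; not called below.
local function unsafe_check(body)
  local chunk = loadstring(body)
  return chunk and chunk()
end

-- Parse "MAJOR.MINOR\nchange log..." without evaluating anything.
-- Returns {version = {major, minor}, changes, link} or nil, err.
local function parse_update(body)
  if type(body) ~= "string" or #body > 4096 then
    return nil, "response missing or too large"
  end
  -- Split off the first line; '.' matches newlines in Lua patterns.
  local first, rest = body:match("^([^\n]*)\n?(.*)$")
  -- Accept only a strict dotted-decimal version; anything else is rejected,
  -- including the old "return { ... }" table format.
  local major, minor = first:match("^(%d+)%.(%d+)%s*$")
  if not major then
    return nil, "malformed version line: " .. first
  end
  -- Strip control characters (except newlines) so the change log can be
  -- shown in the UI as plain text.
  local changes = rest:gsub("%c", function(c)
    return c == "\n" and "\n" or ""
  end)
  return {
    version = { major = tonumber(major), minor = tonumber(minor) },
    changes = changes,
    link = RELEASES_URL,
  }
end

-- True when the remote version is newer than the running one.
local function is_newer(remote, current)
  if remote.major ~= current.major then
    return remote.major > current.major
  end
  return remote.minor > current.minor
end

-- Constructed sample responses.
local running = { major = 0, minor = 60 }
local good_body = "0.61\nUpdate check no longer executes downloaded code\nOther fixes"
local old_body = "return { version = '0.61' }"   -- the old executable format

local info, err = parse_update(good_body)
assert(info and is_newer(info.version, running), err)
print("update available:", info.version.major .. "." .. info.version.minor, info.link)
print(info.changes)

local rejected, err2 = parse_update(old_body)
assert(rejected == nil)
print("rejected:", err2)
```

Because the parser only ever produces numbers and a text string, a tampered reply can at worst show a wrong version or change log; it cannot run code. On Lua 5.2 and later the equivalent of the contrast function would be `load(body, "update", "t")`, whose "t" mode at least refuses bytecode, but as the thread concludes, not executing the reply at all is the simpler fix.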

Edwin Smulders

Jun 17, 2016, 5:45:23 PM
to corsix...@googlegroups.com
Yep, I agree. For the rest of the people (Stephen just explained this to me on IRC): the current approach downloads a Lua table containing some version information and evals it. I was under the impression it downloaded the update, so my bad there.

I think it's fine that the download link is embedded in the application. The update check might still go over TLS because Let's Encrypt is easy and free these days, but not really important for just the check.