I've been working on a GUI for a while now, and I just came across the spawn command. It seems like a huge exploitable security hole. With it, any MUD can execute commands on my system with my privileges (providing I have auto-install scripts turned on, which, I believe, is the default).
Of course you should be able to trust the MUD you're playing on, don't pick shady servers, etc, etc. But it only takes one disgruntled MUD developer with privileges or one hacked server to be able to infect dozens, if not hundreds, of client machines.
I would personally really like io and spawn disabled, and have file reading done via an API to prevent reading files that shouldn't be read. Perhaps the best way of dealing with this is having the Lua VM completely sandboxed, so that the io library (and any others) can't access files outside of the plugin's directory, and the spawn function can only run pre-selected commands.
I want to share my GUI plugin with my friends who are still using mushclient, but I can't in good conscience tell them to use Mudlet. Except I just found out mushclient has similar exploitable features, so there's not really much more of a threat.
Disabling spawn(), io
Re: Disabling spawn(), io
Hmm, I have to agree that with server installed packages enabled this poses a big risk. While we're at it, saveMap() also poses some risk for file damage.
I have no idea how much work it takes to change the code so it safely handles access to those calls from server-installed packages though. Perhaps a reasonable quickfix would be to disable those calls altogether when the "Allow server to install script packages" option is ticked, making the functionality mutually exclusive.
How common is it for muds to use server-installed script packages? I'm only playing on an old-fashioned mud that doesn't use that function, so I disabled the option on my profile.
- SlySven
- Posts: 1023
- Joined: Mon Mar 04, 2013 3:40 pm
- Location: Deepest Wiltshire, UK
- Discord: SlySven#2703
Re: Disabling spawn(), io
Well the lua saveMap() function can only write a map file (which is NOT an executable format for any OS) in a location where the user has write permission - so, other than a DOS type attack that tries to fill up a file-system in order to deny use by other things where there will not, currently, be an indication of one or more successful file saves (I could ensure that there is always an in-the-main-console message when a map file is written) I think that is not a significant attack vector on a proper OS (that protects its system executables against being overwritten by a random program 8-P ).
As for the other issues with the standard (?) spawn and io modules I cannot really comment...
Re: Disabling spawn(), io
I haven't studied saveMap(), but if you can write and save comments in the maps, the chances for exploits are pretty big. Any form of file access outside a sandbox or secure API is potentially exploitable. You don't even need to overwrite an executable file, only a file that gets executed. Such as a .bashrc or firefox plugin javascript file.
If you want to secure saveMap, the function should either only be able to save the map to the user's profile folder, or to a folder/filename previously selected through a fileDialog, but never allow it to choose a location on its own.
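One way of doing what the first post and this one ask for (confining io to the profile folder so that saveMap() and friends cannot write elsewhere, and letting spawn() run only pre-selected commands), as an added example that is not Mudlet's code and not from any poster in this thread. The profile path and the spawn allowlist are assumed values; the loader targets Lua 5.1's setfenv with a fallback to the 5.2+ load(..., env) signature.

```lua
-- Added example, not Mudlet's code: a Lua-level sandbox for server-installed packages.
-- io.open is confined to an assumed profile directory, spawn() only runs allowlisted
-- programs, and os/require/dofile/debug are simply absent from the package's environment.
local PROFILE_DIR = "/home/user/.config/mudlet/profiles/demo/"  -- assumed location
-- Reject absolute paths and ".." so any relative name resolves inside PROFILE_DIR.
local function confined_path(path)
  if type(path) ~= "string" or path:find("\0", 1, true) then return nil, "bad path" end
  local p = path:gsub("\\", "/")                      -- first return value only
  if p:sub(1, 1) == "/" or p:match("^%a:/") then return nil, "absolute path refused" end
  local parts = {}
  for seg in p:gmatch("[^/]+") do
    if seg == ".." then return nil, "parent traversal refused" end
    if seg ~= "." then parts[#parts + 1] = seg end
  end
  if #parts == 0 then return nil, "empty path" end
  return PROFILE_DIR .. table.concat(parts, "/")
end
-- Replacement io table: only open(), and only through confined_path().
local safe_io = {
  open = function(path, mode)
    local full, err = confined_path(path)
    if not full then return nil, err end
    return io.open(full, mode)
  end,
}
-- spawn() maps a friendly name to a pre-selected program; anything else is refused.
local SPAWN_ALLOWLIST = { beep = "paplay" }           -- assumed allowlist
local function safe_spawn(name, ...)
  local prog = SPAWN_ALLOWLIST[name]
  if not prog then return nil, "spawn refused: " .. tostring(name) end
  return prog, ...  -- a real implementation execs prog with these args, without a shell
end
-- Load untrusted code with the restricted table as its global environment.
local function run_untrusted(code)
  local env = { io = safe_io, spawn = safe_spawn, print = print, string = string,
                table = table, math = math, pairs = pairs, ipairs = ipairs,
                type = type, tostring = tostring, tonumber = tonumber }
  local chunk, err
  if setfenv then                                     -- Lua 5.1
    chunk, err = loadstring(code, "=package")
    if chunk then setfenv(chunk, env) end
  else                                                -- Lua 5.2+
    chunk, err = load(code, "=package", "t", env)
  end
  if not chunk then return nil, err end
  return pcall(chunk)
end
print(run_untrusted('return io.open("../escape.txt", "w")'))   -- refused by confined_path
print(run_untrusted('return spawn("curl", "http://example.invalid")'))  -- not allowlisted
```

An in-VM sandbox of this kind limits which APIs a package can reach but not its CPU or memory use; those limits need the OS, which is what the separate-process approach mentioned later in the thread is about.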
Re: Disabling spawn(), io
SlySven wrote: Well the lua saveMap() function can only write a map file (which is NOT an executable format for any OS) in a location where the user has write permission
Yes, I agree it's not that dangerous for the system being infected by anything, but it's still a big annoyance if my documents are being replaced by mapfiles. Enough trouble to keep it in mind as a possibility anyway.
- Posts: 334
- Joined: Thu Mar 05, 2015 2:53 am
Re: Disabling spawn(), io
Buck wrote: I would personally really like io and spawn disabled, and have file reading done via an API to prevent reading files that shouldn't be read.
In my script, I include a #backup command for the end user. It reads the script datafiles written in the profile, and makes a backup/copy of them into an arbitrary user-selected folder.
Blocking io.* access altogether from functioning outside the profile folder would also prevent something like that from working for me. I would however consider my ability to do that a much higher risk than attempting to manipulate the mapfile format to have specific binary content.
- SlySven
- Posts: 1023
- Joined: Mon Mar 04, 2013 3:40 pm
- Location: Deepest Wiltshire, UK
- Discord: SlySven#2703
Re: Disabling spawn(), io
I think there cannot be much done on this, because anything done like what is listed in this item on Lua sandboxing has the capability of breaking existing (possibly insecure) scripts, and Vadim will say strong things about anything that causes breaking of backwards compatibility...!
Re: Disabling spawn(), io
Breaking backwards compatibility is usually a bad idea and always a hassle, but you have to consider whether security is more important.
An alternative solution is to add sandboxing, enable it by default, but allow users to disable it to keep existing insecure scripts running.
- SlySven
- Posts: 1023
- Joined: Mon Mar 04, 2013 3:40 pm
- Location: Deepest Wiltshire, UK
- Discord: SlySven#2703
Re: Disabling spawn(), io
I do not know enough about Lua to implement any form of sand-boxing.
On trying to read up on this, I have seen that some recommend running any untrusted script in a separate process and allowing the OS to apply the required restrictions and limitations as required rather than trying to do so within the lua interpreter.
Re: Disabling spawn(), io
I don't think spawn has ever worked, which is unfortunate - so we can get rid of it. Sandboxing io could be something to look at.
I understand this is a potential problem, but it's also a problem that I've never seen manifest in practice in the years of mudding. So take that as you will.