Disabling spawn(), io

Buck
Posts: 19
Joined: Tue Aug 30, 2016 8:11 pm

Disabling spawn(), io

Post by Buck »

I've been working on a GUI for a while now, and I just came across the spawn command. It seems like a huge exploitable security hole. With it, any MUD can execute commands on my system with my privileges (providing I have auto-install scripts turned on, which, I believe, is the default).

Of course you should be able to trust the MUD you're playing on, don't pick shady servers, etc, etc. But it only takes one disgruntled MUD developer with privileges or one hacked server to be able to infect dozens, if not hundreds, of client machines.

I would personally really like io and spawn disabled, and have file reading done via an API to prevent reading files that shouldn't be read. Perhaps the best way of dealing with this is having the Lua VM completely sandboxed, so that the io library (and any others) can't access files outside of the plugin's directory, and the spawn function can only run pre-selected commands.

I want to share my GUI plugin with my friends who are still using mushclient, but I can't in good conscience tell them to use Mudlet. Except I just found out mushclient has similar exploitable features, so there's not really much more of a threat.

chrio
Posts: 66
Joined: Mon Aug 22, 2016 11:34 am

Re: Disabling spawn(), io

Post by chrio »

Hmm, I have to agree that with server installed packages enabled this poses a big risk. While we're at it, saveMap() also poses some risk for file damage.

I have no idea how much work it takes to change the code so it safely handles access to those calls from server-installed packages though. Perhaps a reasonable quickfix would be to disable those calls alltogether when the "Allow server to install script packages" is ticked, making the functionality mutually exclusive.

How common is it for muds to use server-installed script packages? I'm only playing on an old-fashioned mud that don't use that function, so I disabled the option on my profile.

User avatar
SlySven
Posts: 935
Joined: Mon Mar 04, 2013 3:40 pm
Location: Deepest Wiltshire, UK
Discord: SlySven#2703

Re: Disabling spawn(), io

Post by SlySven »

Well the lua saveMap() function can only write a map file (which is NOT an executable format for any OS) in a location where the user has write permission - so, other than a DOS type attack that tries to fill up a file-system in order to deny use by other things where there will not, currently, be an indication of one or more successful file saves (I could ensure that there is always an in-the-main-console message when a map file is written) I think that is not a significant attack vector on a proper OS (that protects its system executables against being overwritten by a random program 8-P ).

As for the other issues with the standard (?) spawn and io modules I cannot really comment...

Buck
Posts: 19
Joined: Tue Aug 30, 2016 8:11 pm

Re: Disabling spawn(), io

Post by Buck »

I haven't studied saveMap(), but if you can write and save comments in the maps, the chances for exploits are pretty big. Any form of file access outside a sandbox or secure API is potentially exploitable. You don't even need to overwrite an executable file, only a file that gets executed. Such as a .bashrc or firefox plugin javascript file.

If you want to secure saveMap, the function should either only be able to save the map to the user's profile folder, or to a folder/filename previously selected through a fileDialog, but never allow it to choose a location on its own.

chrio
Posts: 66
Joined: Mon Aug 22, 2016 11:34 am

Re: Disabling spawn(), io

Post by chrio »

SlySven wrote:Well the lua saveMap() function can only write a map file (which is NOT an executable format for any OS) in a location where the user has write permission
Yes, I agree it's not that dangerous for the system being infected by anything, but it's still a big annoyance if my documents are being replaced by mapfiles. Enough trouble to keep it in mind as a possibility anyway. :)

Nyyrazzilyss
Posts: 334
Joined: Thu Mar 05, 2015 2:53 am

Re: Disabling spawn(), io

Post by Nyyrazzilyss »

Buck wrote:I would personally really like io and spawn disabled, and have file reading done via an API to prevent reading files that shouldn't be read.
In my script, I include a #backup command for the end user. It reads the script datafiles written in the profile, and makes a backup/copy of them into an arbitrary user selected folder.

Blocking io.* access altogether from functioning outside the profile folder would also prevent something like that from working for me. I would however consider my ability to do that a much higher risk then attempting to manipulate the mapfile format to have specific binary content.

User avatar
SlySven
Posts: 935
Joined: Mon Mar 04, 2013 3:40 pm
Location: Deepest Wiltshire, UK
Discord: SlySven#2703

Re: Disabling spawn(), io

Post by SlySven »

I think there can not be much done on this, because anything done like as listed in this item on Lua sandboxing, has the capability of breaking existing, (possibly insecure) scripts and Vadim will say strong things about anything that causes breaking of backwards compatibility...! :?

Buck
Posts: 19
Joined: Tue Aug 30, 2016 8:11 pm

Re: Disabling spawn(), io

Post by Buck »

Breaking backwards compatibility is usually a bad idea and always a hassle, but you have to consider whether security is more important.

An alternative solution is to add sandboxing, enable it by default, but allow users to disable it to keep existing insecure scripts running.

User avatar
SlySven
Posts: 935
Joined: Mon Mar 04, 2013 3:40 pm
Location: Deepest Wiltshire, UK
Discord: SlySven#2703

Re: Disabling spawn(), io

Post by SlySven »

I do not know enough about Lua to implement any form of sand-boxing.

On trying to read up on this, I have seen that some recommend running any untrusted script in a separate process and allowing the OS to apply the required restrictions and limitations as required rather than trying to do so within the lua interpreter.

User avatar
Vadi
Posts: 4760
Joined: Sat Mar 14, 2009 3:13 pm

Re: Disabling spawn(), io

Post by Vadi »

I don't think spawn has ever worked, which is unfortunate - so we can get rid of it. Sandboxing io could be something to look at.

I understand this is a potential problem, but it's also a problem that I've never seen manifest in practice in the years of mudding. So take that as you will.

Post Reply