Closed Crispy-fried-chicken closed 5 months ago
You are welcome to add an entry to the CHANGELOG.md as well
Interesting,
can you provide a reproducible function call to trigger this overflow?
I tried this but I can't get the overflow to trigger.
static int lua_stacktrace(lua_State* L) {
lua_Debug ar;
lua_getstack(L, 1, &ar);
lua_getlocal(L, &ar, (2^31) - 1 );
printf("good\n");
lua_getlocal(L, &ar, 2^31);
printf("bad\n");
return 0; // all done!
}
@iceman1001 Maybe you need to change the incoming parameter to the minimum value represented by int, 0x80000000, instead of 2^31. The number 2^31 represents a positive number, not INT_MIN. Maybe you can also change it to -2 ^31, and the function changes as follows:
static int lua_stacktrace(lua_State* L) {
lua_Debug ar;
lua_getstack(L, 1, &ar);
lua_getlocal(L, &ar, (2^31) - 1 );
printf("good\n");
lua_getlocal(L, &ar, -2^31);
printf("bad\n");
return 0; // all done!
}
cause the integer Underflow not integer overflow will happen.
I tried according to the CVE you linked as seen in the image.
I also tried
lua_Debug ar;
lua_getstack(L, 1, &ar);
lua_getlocal(L, &ar, (2^31) - 1 );
printf("good\n");
lua_getlocal(L, &ar, (2^31));
printf("bad\n");
lua_getlocal(L, &ar, -(2^31));
printf("bad\n");
Which doesn't trigger negative overflow..
[usb] pm3 --> script run hf_ulc_brute
[+] executing lua /home/iceman/pm3/prox3/client/luascripts/overflow.lua
[+] args ''
good
bad
bad
I can't replicate the crash.
I tried accessing some fields... nada. nothing triggered.
lua_Debug ar;
lua_getstack(L, 1, &ar);
lua_getlocal(L, &ar, (2^31) - 1 );
printf("good | %u \n", ar.currentline);
printf("good | %u \n", ar.event);
// printf("good | %s \n", (ar.name) ? ar.name : "nil");
printf("good | %s \n", ar.source);
printf("good | %s \n", ar.short_src);
printf("good | %c \n", ar.isvararg);
printf("good | %s \n", ar.what);
printf("good | %c \n", ar.nparams);
lua_getlocal(L, &ar, (2^31));
printf("bad | %u \n", ar.currentline);
printf("bad | %u \n", ar.event);
// printf("bad | %s \n", (ar.name) ? ar.name : "nil");
printf("bad | %s \n", ar.source);
printf("bad | %s \n", ar.short_src);
printf("bad | %c \n", ar.isvararg);
printf("bad | %s \n", ar.what);
printf("bad | %c \n", ar.nparams);
lua_getlocal(L, &ar, -(2^31));
printf("bad | %u \n", ar.currentline);
printf("bad | %u \n", ar.event);
// printf("bad | %s \n", (ar.name) ? ar.name : "nil");
printf("bad | %s \n", ar.source);
printf("bad | %s \n", ar.short_src);
printf("bad | %c \n", ar.isvararg);
printf("bad | %s \n", ar.what);
printf("bad | %c \n", ar.nparams);
return 0; // all done!
[+] executing lua /home/iceman/pm3/prox3/client/luascripts/overflow.lua
[+] args ''
good | 4294967096
good | 0
good | �/]�U
good | 0
good |
good | ��]�U
good |
bad | 4294967096
bad | 0
bad | �/]�U
bad | 0
bad |
bad | ��]�U
bad |
bad | 4294967096
bad | 0
bad | �/]�U
bad | 0
bad |
bad | ��]�U
bad |
Lets see, you would need to add custom c source code to call the offending code inside the lua debug api. Which we don't have.
I merge this patch,
CVE-2020-24370 is a security vulnerability in lua. Although the CVE decription in CVE-2020-24370 said that this CVE only affected lua 5.4.0, according to lua this CVE actually existed since lua 5.2. The root cause of this CVE is the negation overflow that occurs when you try to take the negative of 0x80000000. Thus, this CVE also exists in proxmark3. Try to backport the fix to the lua in proxmark3 since the original fix is for 5.4 and several functions have been changed.