miko99jh / LuaTaint

An automated static taint analysis tool for the Lua web framework.

can you give some usage examples? #1

Open prankster009 opened 3 days ago

prankster009 commented 3 days ago

I use the following cmds to run luataint, but get no more information. Can you give some usage examples?

ubuntu2204:~/$ ls
LuaTaint

ubuntu2204:~/$ python LuaTaint ~/LuaTaint/example_inputs/
No vulnerabilities found.

miko99jh commented 1 day ago

Sure, you can take the firmware's luci folder path after unpacking as LuaTaint's input. For example, the test command is as follows: python LuaTaint xxx/__openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci

The results are as follows:

4 vulnerabilities found (plus 7 sanitised):
Vulnerability 1:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > User input at line 41, source "Framework function URL parameter":
     table
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 49: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > reaches line 49, sink "process.exec(":
    ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
This vulnerability is unknown due to:  Label: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)

Vulnerability 2:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > User input at line 41, source "Framework function URL parameter":
     family
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 42: prefix = family == '6' and 'ip6' or 'ip'
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
     > Line 49: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/admin/status.lua
 > reaches line 49, sink "process.exec(":
    ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)
This vulnerability is unknown due to:  Label: ~call_4 = ret_luci.sys.process.exec({'/usr/sbin/%stables' % prefix, '-w', '-t', table, '--line-numbers', '-nxvL'}, luci.http.write)

Vulnerability 3:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > User input at line 43, source "luci.http.formvalue":
     ~call_2 = ret_luci.http.formvalue('package')
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 43: pkg = ~call_2
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 56: cmd.#cmd + 1 = pkg
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 60: ~call_5 = ret_sys.process.exec(cmd, true, true)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > reaches line 60, sink "process.exec(":
    ~call_5 = ret_sys.process.exec(cmd, true, true)
This vulnerability is unknown due to:  Label: ~call_5 = ret_sys.process.exec(cmd, true, true)

Vulnerability 4:
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > User input at line 40, source "Framework function URL parameter":
     command
Reassigned in:
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 53: cmd.#cmd + 1 = command
    File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
     > Line 60: ~call_5 = ret_sys.process.exec(cmd, true, true)
File: /home/xxx/LuaTaint-data/dataset/8devices/_openwrt-8devices-v2.11-ar71xx-generic-carambola2-squashfs-sysupgrade.bin.extracted/squashfs-root/usr/lib/lua/luci/controller/opkg.lua
 > reaches line 60, sink "process.exec(":
    ~call_5 = ret_sys.process.exec(cmd, true, true)
This vulnerability is unknown due to:  Label: ~call_5 = ret_sys.process.exec(cmd, true, true)

I have updated a simple firmware for testing. Thanks.

prankster009 commented 1 day ago

Thanks a lot for your help. And I have another question for your help. I find a lot of vulnerability examples in the manufactured-vulnerability directory. I used LuaTaint to test manufactured-vulnerability/CI/CI_1.lua, but it has no findings. So I added some code as below:

--Example 1: Direct Parameter Injection into os.execute
function vulnerableRoute1(queryParams)
    local user_input = queryParams.cmd
    os.execute("ls -l " .. user_input)
    local input2 = luci.http.formvalue("test")
    os.execute("ls -l " .. input2)
end

I get the following outputs.

ubuntu2204:~$ python LuaTaint ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
1 vulnerability found:
Vulnerability 1:
File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
 > User input at line 5, source "luci.http.formvalue":
         ~call_2 = ret_luci.http.formvalue('test')
Reassigned in:
        File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
         > Line 5: input2 = ~call_2
        File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
         > Line 6: ~call_3 = ret_os.execute('ls -l '..input2)
File: ~/LuaTaint/manufactured-vulnerability/CI/CI_1.lua
 > reaches line 6, sink "os.execute(":
        ~call_3 = ret_os.execute('ls -l '..input2)
This vulnerability is unknown due to:  Label: ~call_3 = ret_os.execute('ls -l '..input2)

As the output shows, LuaTaint finds the vulnerability from luci.http.formvalue to os.execute, but does not find the vulnerability from the function parameter to os.execute.

I read the code and found that LuaTaint taints all the function parameter nodes and taints the CFG nodes according to all_trigger_words.pyt, as follows. So LuaTaint should have recognized the vulnerability from the function parameter to os.execute, but it did not.

    assignment_nodes = filter_cfg_nodes(cfg, AssignmentNode)
    tainted_nodes = filter_cfg_nodes(cfg, TaintedNode) # tainted in function get_func_cfg_with_tainted_args
    tainted_trigger_nodes = [
        TriggerNode(
            Source('Framework function URL parameter'),
            cfg_node=node
        ) for node in tainted_nodes
    ]

    sources_in_file = find_triggers(assignment_nodes, sources, nosec_lines) # tainted the node according to all_trigger_words.pyt
    sources_in_file.extend(tainted_trigger_nodes)

Can you explain it to me? Thanks a lot.
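To make the two flows discussed in this thread concrete, here is an added, deliberately simplified line-based taint tracker (example code written for this page, not LuaTaint's own implementation) that treats route-function parameters and luci.http.formvalue as sources and os.execute / process.exec as sinks, then runs it over the CI_1.lua snippet posted above. The source/sink labels copy the ones in LuaTaint's report; the one-statement-per-line parsing and the absence of control-flow and cross-function tracking are assumptions of this toy, not of LuaTaint.

```python
import re

# Constructed sample input: the CI_1.lua snippet posted in this issue.
SAMPLE_LUA = """\
--Example 1: Direct Parameter Injection into os.execute
function vulnerableRoute1(queryParams)
    local user_input = queryParams.cmd
    os.execute("ls -l " .. user_input)
    local input2 = luci.http.formvalue("test")
    os.execute("ls -l " .. input2)
end
"""

# (text pattern, report label); labels mirror LuaTaint's output above (assumed simplification).
SOURCES = [("luci.http.formvalue(", "luci.http.formvalue")]
SINKS = [("os.execute(", "os.execute("), ("process.exec(", "process.exec(")]

FUNC_RE = re.compile(r"^\s*(?:local\s+)?function\s+[\w.:]+\s*\(([^)]*)\)")
ASSIGN_RE = re.compile(r"^\s*(?:local\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

def analyse(lua_src):
    """Return (source_label, source_line, sink_label, sink_line) for each tainted flow."""
    tainted = {}   # identifier -> (source label, line where it became tainted)
    findings = []
    for lineno, line in enumerate(lua_src.splitlines(), start=1):
        code = line.split("--", 1)[0]          # drop Lua line comments
        m = FUNC_RE.match(code)
        if m:
            # Route parameters are attacker-controlled, like LuaTaint's TaintedNode.
            for p in m.group(1).split(","):
                if p.strip():
                    tainted[p.strip()] = ("Framework function URL parameter", lineno)
            continue
        m = ASSIGN_RE.match(code)
        if m:
            lhs, rhs = m.group(1), m.group(2)
            for pattern, label in SOURCES:
                if pattern in rhs:                   # direct call of a source
                    tainted[lhs] = (label, lineno)
            for ident in IDENT_RE.findall(rhs):      # propagate through assignments
                if ident in tainted and lhs not in tainted:
                    tainted[lhs] = tainted[ident]
            continue
        for pattern, label in SINKS:
            if pattern in code:                      # tainted identifier used in a sink call
                for ident in IDENT_RE.findall(code.split("(", 1)[1]):
                    if ident in tainted:
                        findings.append(tainted[ident] + (label, lineno))
    return findings
```

Run on the snippet, it reports both flows, including the queryParams one that the issue says LuaTaint missed; a status.lua-style function whose parameter is folded into prefix through an and/or expression is caught the same way.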