Malicious Metamethod hooks #125
TheDarkThief
started this conversation in
New Level Proposals
Replies: 0 comments
Language
Lua 🌔
Vulnerability
When accessing a table, the __index method is called; this can be set to a malicious function, allowing for remote code execution.
Scenario
Your company sells low-powered E-ink displays powered by a small embedded system. They are called E-Boards. Because they are so weak, they send a request to the server with the RSS feeds the user has configured; the server proceeds to generate a bitmap image and returns the request to the board, which will eventually display the images to the user.
The API request looks like this:
and it expects the following return
Unfortunately, whoever created this function forgot that metatables exist in Lua and it allows a malicious hacker to have remote code execution if one does not handle tables correctly.
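The table-handling problem described above, as an added example that is not part of the original proposal (whose request and response snippets are missing from this page). The names render_unsafe, render_safe and the feeds field are hypothetical, and the constructed hostile hook only sets a flag.

```lua
-- Added example. All names here are hypothetical, not the proposal's code.

-- Vulnerable pattern: plain indexing falls back to the __index metamethod of
-- whatever table the caller supplied, so caller-chosen code runs in the handler.
local function render_unsafe(request)
  local feeds = request.feeds
  return type(feeds) == "table" and #feeds or 0
end

-- Accept only tables with no metatable. Compare against nil: a metatable can
-- set __metatable = false so that a plain truthiness test is fooled.
local function is_plain_table(v)
  return type(v) == "table" and getmetatable(v) == nil
end

-- Hardened pattern: reject metatables up front and read with rawget, which
-- never consults metamethods. Returns a fresh list of URL strings or nil, err.
local function render_safe(request)
  if not is_plain_table(request) then
    return nil, "request must be a plain table"
  end
  local feeds = rawget(request, "feeds")
  if not is_plain_table(feeds) then
    return nil, "feeds must be a plain table"
  end
  local urls = {}
  for i = 1, #feeds do
    local url = rawget(feeds, i)
    if type(url) ~= "string" then return nil, "feed URL must be a string" end
    urls[#urls + 1] = url
  end
  return urls
end

-- Constructed input: a table whose metatable carries a harmless hook.
local hook_ran = false
local hostile = setmetatable({}, {
  __index = function() hook_ran = true; return {} end,
  __metatable = false,
})

render_unsafe(hostile)
assert(hook_ran, "plain indexing invoked the caller's __index")

hook_ran = false
local urls, err = render_safe(hostile)
assert(urls == nil and not hook_ran, "hardened path must not run the hook")
print("rejected: " .. err)
print("accepted: " .. #assert(render_safe({ feeds = { "https://example.com/rss" } })))
```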