Language
Lua 🌔
Vulnerability
When accessing a table, the __index method is called; this can be set to a malicious function, allowing for remote code execution.
Scenario
Your company sells low-powered E-ink displays powered by a small embedded system. They are called E-Boards; because they are so weak, they send a request to the server with the RSS feeds the user has configured; the server proceeds to generate a bitmap image and returns the request to the board, which will eventually display the images to the user.
The API request looks like this:
{{source:"<link to RSS feed>", image: nil},{source:"<link to RSS feed>", image: nil}}
and it expects the following return:
{{source:"<link to RSS feed>", image: "<bitmap image>"},{source:"<link to RSS feed>", image: "<bitmap image>"}}
Unfortunately, whoever created this function forgot that metatables exist in Lua and it allows a malicious hacker to have remote code execution if one does not handle tables correctly.
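The metatable issue described above, as an added example that is not part of the original post: a plain field read that runs __index, beside a hardened read that rejects tables carrying a metatable and uses rawget. The function names, the feed.example URLs and the constructed entry (whose __index only counts how often it runs) are assumptions for illustration.

```lua
-- Added example: names and sample data are assumptions, not the post's code.

-- Constructed stand-in for an untrusted request entry. Its __index only
-- records that it ran, which shows that a field read can be a function call.
local index_calls = 0
local function constructed_entry()
  return setmetatable({}, {
    __index = function(_, key)
      index_calls = index_calls + 1
      return "http://feed.example/from-metamethod"
    end,
  })
end

-- Unsafe: entry.source is a normal index, so an absent key runs __index.
local function read_source_unsafe(entry)
  return entry.source
end

-- Hardened: accept only plain tables, read with rawget (which never
-- consults metamethods), and type-check the value before using it.
local function read_source_safe(entry)
  if type(entry) ~= "table" then return nil, "entry is not a table" end
  if getmetatable(entry) ~= nil then return nil, "entry has a metatable" end
  local source = rawget(entry, "source")
  if type(source) ~= "string" then return nil, "source is not a string" end
  return source
end

-- Validate the whole request list before any rendering code touches it.
local function validate_request(request)
  if type(request) ~= "table" or getmetatable(request) ~= nil then
    return nil, "request is not a plain table"
  end
  local sources = {}
  for i = 1, #request do
    local source, err = read_source_safe(rawget(request, i))
    if not source then return nil, ("entry %d: %s"):format(i, err) end
    sources[i] = source
  end
  return sources
end

-- Constructed inputs: one plain request, one entry carrying a metatable.
print(validate_request({ { source = "http://feed.example/a" } })[1])
print(read_source_unsafe(constructed_entry()), index_calls)
print(validate_request({ constructed_entry() }))
print(index_calls)
```

The last line shows the counter unchanged by the hardened path: the entry is rejected before any field is read.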