
LuaRocks vulnerabilities


Package management systems have become an integral part of development, but their security does not get enough attention. The speakers will talk about the LuaRocks package repository, popular with those developing in Lua, which had never been mentioned in security newsletters before. They will explain a major vulnerability that could allow an attacker to seize any account on luarocks.org and compromise all packages, and they will demonstrate exploitation of the vulnerability.

Canis Majoris

May 21, 2019

Transcript

  1. phdays.com #PHDays. About us: Maxim Duyunov, Igor Kanygin (@majorisc), Positive Technologies R&D, PT Application Firewall (PTAF) - https://af.ptsecurity.ru/
  2. Lua. Used by: Apache HTTP Server, Cisco Systems, ModSecurity, Nginx, nmap, Snort, Vim, Wireshark, ..., Adobe Photoshop Lightroom, HAProxy, NetBSD, NodeMCU, Redis, Tarantool
  3. What is LuaRocks? LuaRocks is the package manager for Lua modules.
     • LuaRocks PM: https://github.com/luarocks/luarocks, written in Lua
     • LuaRocks site: https://github.com/luarocks/luarocks-site, written in MoonScript (a language of syntactic sugar compiled to Lua)
     Audit
  4. LuaRocks web-site
     • Registration
     • Auth
     • API keys ➡ CLI & REST API
     • Rockspec file upload
     Official web-site: https://luarocks.org/
  5. PRNG Attack
     • Reset our password
     • Reset target password
     • Get the reset token from email
     • Find the seed and generate a new seq
     • Change victim's password
  6. REST API
     $ curl -XPOST -F '[email protected]' \
         http://localhost:8080/api/1/6047ednkVV148iR70wwv8pwNwlJP9LMuI8gd06NO/upload | jq
  7. Email link poisoning. Attack scenario:
     • The attacker sends a reset password request for another user (and changes the Host header to a domain controlled by the attacker)
     • The user clicks on the link
     • The attacker receives the reset password token
     • The attacker hijacks the user account
  8. Security Advisory & Author steps: https://luarocks.org/security-incident-march-2019
     - Patched
     - Cleared reset password tokens
     - Revoked all API keys
     - Added Security Audit page
       - View/download all server logs of the account
       - Review diffs for all rockspecs of the account
     - Added account active sessions
     - All sessions were logged out
     TODO: Package signing and integrity verification; Account 2FA; Security Audit invite
  9. Mitigation - own LuaRocks server
     LuaRocks server tutorial: https://github.com/luarocks/luarocks/wiki/Hosting-binary-rocks
     LuaRocks-Artifactory: https://gitlab.com/devopshq/luarocks-artifactory
     Usage:
     $ luarocks \
         --server=https://example.com/luarocks.snapshot make
     $ luarocks \
         --server-only=https://example.com/luarocks.snapshot \
         make