OpenS100 Portrayal Engine Remote Code Execution Vulnerability via Unrestricted Lua Standard Library Access
Vulnerability
A remote code execution vulnerability has been identified in OpenS100, the reference implementation of the S-100 viewer, prior to commit 753cf29. This vulnerability arises from an unrestricted Lua interpreter that allows access to standard libraries such as 'os' and 'io'. The issue occurs because the Portrayal Engine initializes Lua without sandboxing or capability restrictions, exposing these libraries to untrusted portrayal catalogues. An attacker can exploit this by crafting a malicious S-100 portrayal catalogue with Lua scripts that execute arbitrary commands. When the catalogue is imported and a chart is loaded, the scripts run with the same privileges as the OpenS100 process, potentially leading to unauthorized actions or access.
Impact
Exploitation of this vulnerability allows for remote code execution on the system running OpenS100, with the executed commands running under the privileges of the OpenS100 process.
Reproduction
To reproduce this vulnerability, import a malicious S-100 portrayal catalogue that contains Lua scripts designed to execute arbitrary commands. Once the catalogue is loaded, the scripts will run with the same privileges as the OpenS100 process, executing the commands specified in the injected Lua scripts.
Remediation
Users can update to the latest version of OpenS100, which includes a security patch that disables access to dangerous Lua libraries. The patched version is available on the OpenS100 GitHub repository.
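The capability restriction that the unpatched Portrayal Engine lacked can be illustrated in Lua itself. The following is an added example, not code from OpenS100 or its patch: it assumes Lua 5.2 or later, and the helper names (copy, new_env, run_untrusted) and the three sample chunks are constructed for illustration. It runs untrusted chunk text against a whitelist environment so that 'os', 'io', 'require' and 'load' are simply absent.

```lua
-- Added example (constructed); assumes Lua 5.2+ for load(src, name, mode, env).

-- Shallow-copy a library table so a script cannot alter the host's copy.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- The only globals an untrusted chunk will see. Deliberately absent: os, io,
-- package, debug, require, load, loadfile, dofile, getmetatable, setmetatable.
local function new_env()
  return {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    math = copy(math), string = copy(string), table = copy(table),
  }
end

-- Compile source text against the restricted environment and run it under
-- pcall. Mode "t" accepts text only, so precompiled bytecode is rejected.
local function run_untrusted(source, name)
  local chunk, err = load(source, "=" .. name, "t", new_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed sample inputs standing in for catalogue rule files.
local benign  = [[return string.format("%d features", select("#", 1, 2, 3))]]
local probes  = [[return type(os), type(io), type(require), type(load)]]
local uses_os = [[return os.getenv("HOME")]]

-- Ordinary rule logic still works inside the sandbox.
local ok, out = run_untrusted(benign, "benign.lua")
assert(ok and out == "3 features")

-- The dangerous libraries and loaders are not reachable by name.
local ok2, a, b, c, d = run_untrusted(probes, "probes.lua")
assert(ok2 and a == "nil" and b == "nil" and c == "nil" and d == "nil")

-- A chunk that touches 'os' fails with a Lua error instead of reaching the host.
local ok3, msg = run_untrusted(uses_os, "uses_os.lua")
assert(ok3 == false)
print("blocked:", msg)
```

A whitelist environment removes library access only; it does not bound CPU time or memory used by a script.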
