Lupa Arbitrary Code Execution Vulnerability via Inconsistent Attribute Filter Enforcement

Vulnerability

A vulnerability in the Lupa library, which embeds the Lua or LuaJIT2 runtime in CPython, allows arbitrary code execution due to inconsistent enforcement of the attribute filter in versions 2.6 and earlier. The attribute filter is designed to restrict access to sensitive Python attributes when Python objects are exposed to Lua. However, it is not applied consistently when attributes are accessed through built-in functions such as getattr and setattr rather than through normal attribute syntax. This inconsistency enables an attacker to bypass the intended restrictions, access internal Python properties, and execute arbitrary commands.

Impact

Exploitation of this vulnerability leads to full sandbox escape and arbitrary command execution in the host Python process.

Reproduction

To reproduce this vulnerability, create a LuaRuntime instance with a custom attribute filter that raises an AttributeError for forbidden attributes. Then, access sensitive attributes such as '__class__' or '__mro__' using getattr. Once these attributes are accessed, traverse the object graph to find execution primitives, such as functions in the 'os' module, and use them to execute arbitrary commands.

Added: Apr 6, 2026, 4:33 PM
Updated: Apr 6, 2026, 4:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.2
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.