On 29/06/2024, this article examines a critical vulnerability in Factorio's Lua implementation that exposed clients to arbitrary code execution by malicious servers. Factorio has sold over 3.5 million copies, so the potential impact on its user base was vast. The article uses Lua as a model for teaching about vulnerabilities in dynamic languages and offers an interactive challenge for practising the concepts.
Factorio and Lua Integration

[Image: Factorio Game Interface]
What is Factorio?
Factorio is a popular game focused on automating a factory to produce a rocket and leave a planet. With millions of copies sold and an active modding community, the game became a prime target for security research.
How is Lua Used?
Lua scripts in Factorio handle game logic, mod creation, and custom maps, which is what makes the game's community engagement so extensive. At first sight the attack surface seems limited to local exploits delivered through mods, but closer inspection reveals a broader one in the game's multiplayer mode. Because multiplayer uses deterministic lockstep synchronization, Lua code executed on one client is executed on every other client as well, which escalates the impact of any exploit.
General Exploitation Path
The general path for attacking the Lua interpreter from the network involves:
Identifying a point of entry for Lua code execution.
Exploring the exposed Lua modules: these often include modules that interact with the host, which are considered dangerous.
Using bytecode: Lua compiles scripts into bytecode that the interpreter executes directly, a powerful capability if an attacker can supply the bytecode.
Bytecode Verifier and Exploitation
Bytecode Verifier
The Lua developers originally shipped a bytecode verifier to prevent execution of malicious bytecode, but it was discontinued because it could be bypassed. Factorio implemented its own verifier, aimed mainly at preventing out-of-bounds operations, but it had off-by-one issues.
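The two points above (dangerous host-access modules, and bytecode as the attacker's most powerful capability) imply the mitigation shown here. This is an added example, not code from the article or from Factorio: untrusted scripts are accepted only as source text, so handcrafted bytecode never reaches the interpreter and no verifier has to be trusted, and host-access modules are simply absent from the environment. It assumes Lua 5.2 or later, where load() takes a mode argument; the function names and the whitelist are hypothetical.

```lua
-- Added example (not from the original article): a loader for untrusted Lua
-- source that never hands bytecode to the VM and exposes no host-access modules.
-- Assumes Lua 5.2 or later, where load() accepts a mode argument.

-- Whitelist of safe functions; os, io, debug, require, dofile, loadfile,
-- load and string.dump are deliberately absent.
local function make_sandbox_env()
  return {
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    type = type, tostring = tostring, tonumber = tonumber,
    pcall = pcall, error = error, print = print,
    math = math, -- pure functions only
    table = { insert = table.insert, remove = table.remove,
              concat = table.concat, sort = table.sort },
    string = { sub = string.sub, len = string.len, rep = string.rep,
               format = string.format, byte = string.byte, char = string.char },
  }
end

-- Returns a function on success, or nil plus a reason.
local function load_untrusted(chunk, name)
  if type(chunk) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Precompiled chunks start with ESC "Lua"; refuse them before the parser sees them.
  if chunk:sub(1, 4) == "\27Lua" then
    return nil, "precompiled bytecode rejected"
  end
  -- mode "t" makes load() itself refuse binary chunks, so the signature check
  -- above is belt-and-braces rather than the only line of defence.
  return load(chunk, "=" .. name, "t", make_sandbox_env())
end

-- Caveat: the string metatable still routes ("x"):dump() to the real string.dump,
-- so a sandboxed script can *produce* bytecode; with mode "t" it cannot *load* it.

-- Demonstration with constructed inputs.
local f, err = load_untrusted("\27Lua\82\0" .. string.rep("\0", 12), "mod")
assert(f == nil and err == "precompiled bytecode rejected")

f = assert(load_untrusted("return os, io, debug", "mod"))
local a, b, c = f()
assert(a == nil and b == nil and c == nil) -- host-access modules are invisible

f = assert(load_untrusted("local t = {} for i = 1, 3 do t[#t+1] = i * i end return table.concat(t, ',')", "mod"))
assert(f() == "1,4,9")
```

Rejecting binary chunks removes the whole class of verifier bugs the article describes, because the interpreter only ever runs bytecode produced by its own compiler.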
Exploitation Path
By exploiting type confusion and the raw power of handcrafted bytecode, an attacker can:
Leak Memory: Using type confusion in loops.
Create Fake Objects: Modifying upvalue pointers to access arbitrary data.
Write Arbitrary Memory: Creating fake upvalues and controlling the Lua execution flow.
Practical Exploitation in Factorio
Leaking Addresses
Leaking addresses in Lua can be done via type confusion:
Internally, every Lua value is held in a TValue structure, whose type can change dynamically at runtime.
Confusion in loops: especially in numeric for loops, where the type checks are bypassed in the compiled bytecode.
Fetching Fake Objects
Control over upvalues in closures enables the creation of fake Lua objects:
Modifying prototype pointers: gaining access to upvalues in memory and modifying them to craft specific objects.
Achieving Remote Code Execution (RCE) on Linux
By leveraging these Lua weaknesses in Factorio:
Manipulating the GOT: overwriting Global Offset Table entries to execute system commands, with ASLR defeated by leaked function pointers.
Key Exploitation Steps
Patch Bytecode: Modify FORPREP and similar opcodes to bypass type checks.
Create Arbitrary String Headers: Extend strings to encapsulate exploitable data.
Manipulate UpValue Indexes: Redirect arbitrary data access and modification.
Conclusion
Understanding the intricacies of Lua's bytecode and its security flaws builds broader awareness of vulnerabilities in dynamic scripting languages. For practical experience, you can take part in the Escape from Alcawasm challenge and test your skills.
Remember these 3 key ideas for your startup:
Security First: Always prioritize the security of your applications. Understanding potential vulnerabilities, like those exposed in Factorio, helps build a robust defence against attacks.
Community Engagement: Leverage active user communities for critical insights and feedback. Factorio's modding community was both a strength and a source of attack surface, which argues for a balanced approach to user-generated content.
Innovative Practice: Use interactive challenges and educational exercises to keep your team sharp. Taking part in exercises like the Escape from Alcawasm challenge mentioned above enhances learning and preparedness.
For more details, see the original source.