Factorio Lua Vulnerability: Insights and Exploits Explained

BYMark Howell 1 years ago4 MINS READ
Factorio Lua Vulnerability: Insights and Exploits Explained

On 29/06/2024, we delve into an in-depth examination of a critical vulnerability in Factorio’s Lua implementation, which exposed clients to arbitrary code execution by malicious servers. Factorio had over 3.5 million copies sold, highlighting the potential vast impact on its user base. This article aims to educate on dynamic language vulnerabilities using Lua as a model and offers an interactive challenge to practice these concepts.

Copy link Factorio and Lua Integration

Factorio Game Interface

What is Factorio?

Factorio is a popular game focused on automating a factory to produce a rocket and leave a planet. With millions of copies sold and an active modding community, the game became a prime target for security research.

How is Lua Used?

Lua scripts in Factorio handle game logic, mod creation, and custom maps, facilitating extensive community engagement. While initially seeming limited to local exploits through mods, deeper inspection reveals a broader attack surface via the game’s multiplayer mode. Using deterministic lockstep synchronization, Lua code execution on one client propagates to others, escalating the impact of potential exploits.

Copy link General Exploitation Path

The general exploitation path to attack the Lua interpreter from the network involves:

  2. Identifying a Point of Entry for Lua code execution.
  4. Exploring Lua Modules: Often, these include modules for interactions with the host, deemed dangerous.
  6. Utilizing Bytecode: Lua compiles scripts into bytecode, executed directly by the interpreter—a powerful capability if leveraged correctly.

Copy link Bytecode Verifier and Exploitation

Edworking
All your work in one place
All-in-one platform for your team and your work. Register now for Free.
Get Started Now

Bytecode Verifier

Originally, Lua developers implemented a bytecode verifier to prevent malicious bytecode execution. However, it was discontinued due to its bypassability. Factorio implemented its verifier, primarily preventing out-of-bounds operations, but it had off-by-one issues.

Exploitation Path

By exploiting type confusion and leveraging bytecode’s raw power, we can:

  • Leak Memory: Using type confusion in loops.
  • Create Fake Objects: Modifying upvalue pointers to access arbitrary data.
  • Write Arbitrary Memory: Creating fake upvalues and controlling the Lua execution flow.

Copy link Practical Exploitation in Factorio

Leaking Addresses

Leaking addresses in Lua can be done via type confusion:

  • Utilizing the TValue structure internally, which dynamically transforms data types during runtime.
  • Confusion in Loops: Especially in numeric loops where type checks are bypassed in compiled bytecode.

Fetching Fake Objects

Control over upvalues in closures enables the creation of fake Lua objects:

  • Modifying Prototype Pointers: Gaining access to and modifying upvalues in memory to craft specific objects.

Achieving Remote Code Execution (RCE) on Linux

By leveraging Lua’s weaknesses in Factorio:

  • Manipulating GOT Table: Overwriting entries to execute system commands, bypassing ASLR by leaking function pointers.

Copy link Key Exploitation Steps

  • Patch Bytecode: Modify FORPREP and similar opcodes to bypass type checks.
  • Create Arbitrary String Headers: Extend strings to encapsulate exploitable data.
  • Manipulate UpValue Indexes: Redirect arbitrary data access and modification.

Copy link Conclusion

Understanding the intricacies of Lua’s bytecode and security flaws enlightens broader vulnerability awareness in dynamic scripting languages. For practical experience, you can participate in the Escape from Alcawasm challenge and test your skills.

Edworking
All your work in one place
All-in-one platform for your team and your work. Register now for Free.
Get Started Now

Copy link Remember these 3 key ideas for your startup:

  2. Security First: Always prioritize the security of your applications. Understanding potential vulnerabilities, like those exposed in Factorio, helps ensure a robust defense against attacks. Read our in-depth guide on why time tracking is important in project management.
  4. Community Engagement: Leverage active user communities for critical insights and feedback. The modding community in Factorio served as both a strength and a vulnerability, teaching a balanced approach to user-generated content. Implement effective community strategies with our article on the ultimate guide to choosing the right remote working platform.
  6. Innovative Practice: Use interactive challenges and educational exercises to keep your team sharp. Participating in practices like the provided coding challenge enhances learning and preparedness. Discover innovative ways to keep your team engaged in our article on how to tell if a remote worker is engaged at work.
    Edworking is the best and smartest decision for SMEs and startups to be more productive. Edworking is a FREE superapp of productivity that includes all you need for work powered by AI in the same superapp, connecting Task Management, Docs, Chat, Videocall, and File Management. Save money today by not paying for Slack, Trello, Dropbox, Zoom, and Notion.
    For more details, see the original source.
Mark Howell

About the Author: Mark Howell

LinkedIn

Mark Howell is a talented content writer for Edworking's blog, consistently producing high-quality articles on a daily basis. As a Sales Representative, he brings a unique perspective to his writing, providing valuable insights and actionable advice for readers in the education industry. With a keen eye for detail and a passion for sharing knowledge, Mark is an indispensable member of the Edworking team. His expertise in task management ensures that he is always on top of his assignments and meets strict deadlines. Furthermore, Mark's skills in project management enable him to collaborate effectively with colleagues, contributing to the team's overall success and growth. As a reliable and diligent professional, Mark Howell continues to elevate Edworking's blog and brand with his well-researched and engaging content.

Startups

Edit PDFs Securely & Freely: Breeze PDF In-Browser Solution

Edit PDFs Securely & Freely: Breeze PDF In-Browser Solution

Breeze PDF is a free, offline browser-based PDF editor ensuring privacy. It offers text, image, and signature additions, form fields, merging, page deletion, and password protection without uploads.

BYMark Howell
Decoding R1: The Future of AI Reasoning Models

Decoding R1: The Future of AI Reasoning Models

R1 is an affordable, open-source AI model emphasizing reasoning, enabling innovation and efficiency, while influencing AI advancements and geopolitical dynamics.

BYMark Howell
Visual Prompt Injections: Essential Guide for Startups

Visual Prompt Injections: Essential Guide for Startups

The Beginner's Guide to Visual Prompt Injections explores vulnerabilities in AI models like GPT-4V, highlighting security risks for startups and offering strategies to mitigate potential data compromises.

BYMark Howell
Graph-Based AI: Pioneering Future Innovation Pathways

Graph-Based AI: Pioneering Future Innovation Pathways

Graph-based AI, developed by MIT's Markus J. Buehler, bridges unrelated fields, revealing shared complexity patterns, accelerating innovation by uncovering novel ideas and designs, fostering unprecedented growth opportunities.

BYMark Howell
Try Edworking Background

A new way to work from anywhere, for everyone for Free!

Get Started Now