Lupa Sandbox Escape via Incomplete attribute_filter Enforcement
The lupa library's attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr, leading to a sandbox escape and arbitrary code execution.
The lupa library, version 2.6 and earlier, contains a vulnerability in its attribute_filter implementation. This filter aims to restrict access to sensitive Python attributes when exposing objects to Lua code. However, the filter is inconsistently applied, specifically when attributes are accessed through built-in functions like getattr and setattr. This inconsistency allows an attacker with the ability to execute Lua code to bypass the intended restrictions, ultimately leading to arbitrary code execution on the host system. This vulnerability impacts applications that rely on attribute_filter as a security control for untrusted Lua code execution, particularly if they allow access to Python builtins.
Attack Chain
- The attacker gains the ability to execute arbitrary Lua code within an application that uses the lupa library.
- The Lua code gains access to a Python object exposed through lupa.
- The Lua code utilizes the
python.builtins.getattrfunction to access the__class__attribute of the exposed Python object, bypassing theattribute_filter. - The Lua code uses
getattragain to access the__mro__attribute of the class, walking up the inheritance chain. - The Lua code calls the
__subclasses__()method (accessed viagetattr) to enumerate all subclasses of the base object class. - The Lua code iterates through the subclasses, searching for a class containing
os._wrap_close. - The Lua code uses
getattrto access the__init__attribute of the identified subclass, and then accesses its__globals__attribute to retrieve theos.systemfunction. - Finally, the Lua code uses
setattrto assign theos.systemfunction to an attribute of the original Python object and executes arbitrary commands on the host system, achieving sandbox escape.
Impact
Successful exploitation of this vulnerability allows an attacker to bypass the attribute_filter in the lupa library. This leads to arbitrary code execution within the host Python process. The impact is a full sandbox escape, potentially allowing the attacker to compromise the entire system. Any application using lupa to execute untrusted Lua code is vulnerable if it relies solely on attribute_filter and doesn't disable access to Python builtins. This affects applications using lupa version 2.6 or earlier.
Recommendation
- Upgrade to a patched version of the
lupalibrary that addresses this vulnerability. - If upgrading is not immediately feasible, disable access to Python builtins via the
register_builtins=Falseoption when creating aLuaRuntimeinstance. - Monitor process creation events for suspicious processes spawned by the Python interpreter, as a sign of successful exploitation (see Sigma rule
Detect Suspicious Process Creation from Python). - Implement additional security controls, such as seccomp profiles, to limit the capabilities of the Python process.
Detection coverage 2
Detect Suspicious Process Creation from Python
highDetects suspicious process creation events originating from the Python interpreter, which could indicate a sandbox escape.
Detect getattr Usage in Lua Code
mediumDetects the usage of getattr in Lua code, which could be a sign of vulnerability exploitation. This rule looks for Lua code that calls python.builtins.getattr in process creation events.
Detection queries are available on the platform. Get full rules →