
Luaskin has unrestricted access to io and os libraries, posing a security risk #842

Open
marysiamzawka opened this issue Dec 21, 2024 · 2 comments


marysiamzawka commented Dec 21, 2024

(Tested on beatoraja 0.8.8 + JDK21)

Recently I found out that Luaskin probably has unrestricted access to the os and io libraries. While this can be considered good in some use cases (skins can use this to have local storage), it can also be abused by bad actors.

While there are many ways you could run malicious code, by far the easiest one is just putting a malicious .luaskin file anywhere inside beatoraja's skin folder.

Proof of concept

-- for windows
os.execute("calc.exe")

Save this as a .luaskin file with any name anywhere in the skin directory and launch the game.

If you don't start beatoraja with -s (which skips config), Calculator should pop up just before the Config window appears. There is no feedback in the standard output, and the malicious file is not listed within the skin list, as it doesn't return a valid header.

A bad actor could, for example, share a Lua skin that at a glance doesn't look suspicious, but in some deep directory it would have a luaskin file that on load could do any of the following:

  • wipe your local profile
  • wipe your BMS library
  • modify your other, valid skin files to contain malicious code
  • instantly close the game

and also

  • execute remote code
  • download malicious files to your computer and run them
  • delete other local files

Keep in mind that this is not limited to a specific platform - this could be done on Linux and macOS too.

In practice, barely any skins use any functions provided by the os and io libraries, and it would be safe to cut access to them in Luaskin. Some skins would break a bit, but for the greater good.

marysiamzawka (Author) commented:

(attachment: explorer_NVRGFpyswb.mp4)

Proof of concept in action


phu54321 commented Dec 25, 2024

This is weird... It should definitely be fixed.

https://github.com/gelldur/luaj/blob/master/examples/jse/SampleSandboxed.java
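Building on the sandboxing approach in the SampleSandboxed.java link above, the following is an added Java example; it is not beatoraja code and not the LuaJ sample itself. It assumes the skin loader runs on LuaJ (which the linked sample implies) and that a skin chunk is a string of Lua source. The class name SkinSandbox and its method names are hypothetical. It builds a Globals that omits JseOsLib, JseIoLib and LuajavaLib, also disables file lookups for dofile/loadfile/require, and contrasts that with JsePlatform.standardGlobals(), where the os table the first comment's PoC relies on is reachable:

```java
import java.io.InputStream;

import org.luaj.vm2.Globals;
import org.luaj.vm2.LoadState;
import org.luaj.vm2.LuaError;
import org.luaj.vm2.compiler.LuaC;
import org.luaj.vm2.lib.Bit32Lib;
import org.luaj.vm2.lib.PackageLib;
import org.luaj.vm2.lib.ResourceFinder;
import org.luaj.vm2.lib.StringLib;
import org.luaj.vm2.lib.TableLib;
import org.luaj.vm2.lib.jse.JseBaseLib;
import org.luaj.vm2.lib.jse.JseMathLib;
import org.luaj.vm2.lib.jse.JsePlatform;

// Hypothetical helper (not beatoraja code): a Globals for skin scripts that
// deliberately leaves out JseOsLib, JseIoLib and LuajavaLib.
public class SkinSandbox {

    public static Globals sandboxedGlobals() {
        Globals g = new Globals();
        g.load(new JseBaseLib());   // print, pairs, pcall, type, ...
        g.load(new PackageLib());   // package / require
        g.load(new Bit32Lib());
        g.load(new TableLib());
        g.load(new StringLib());
        g.load(new JseMathLib());
        LoadState.install(g);       // loading precompiled chunks
        LuaC.install(g);            // compiling source chunks
        // JseBaseLib sets g.finder to a finder that reads the file system and
        // classpath; dofile, loadfile and require all resolve names through it.
        // Replace it so a skin cannot pull in further files by that route.
        g.finder = new ResourceFinder() {
            public InputStream findResource(String filename) {
                return null;  // nothing is resolvable
            }
        };
        return g;
    }

    // Runs a skin chunk; returns null on success or the Lua error message.
    public static String runSkinChunk(Globals g, String source, String chunkName) {
        try {
            g.load(source, chunkName).call();
            return null;
        } catch (LuaError e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Probe only: reports whether the os table exists instead of spawning calc.exe.
        String probe = "if os ~= nil then return 'os is reachable' end\n"
                     + "return 'os is nil'";

        Globals unrestricted = JsePlatform.standardGlobals();
        System.out.println("standardGlobals(): "
                + unrestricted.load(probe, "skin").call().tojstring());
        System.out.println("  luajava present: " + !unrestricted.get("luajava").isnil());

        Globals sandbox = sandboxedGlobals();
        System.out.println("sandboxedGlobals(): "
                + sandbox.load(probe, "skin").call().tojstring());

        // The PoC from the issue, run against the sandbox: os is nil, so indexing it fails.
        String err = runSkinChunk(sandbox, "os.execute('calc.exe')", "evil.luaskin");
        System.out.println("os.execute in sandbox -> " + (err == null ? "ran" : "error: " + err));

        // File loading through the base library is also cut off by the replaced finder.
        err = runSkinChunk(sandbox, "dofile('other.lua')", "evil.luaskin");
        System.out.println("dofile in sandbox -> " + (err == null ? "ran" : "error: " + err));
    }
}
```

Two points worth checking in the real loader: JsePlatform.standardGlobals() also registers the luajava library, which lets a script reach arbitrary JVM classes, so that must be left out alongside os and io; and if skins legitimately need local storage, expose a narrow Java-side function (a path-restricted read/write pair registered into the sandboxed Globals) rather than the full io library.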
