Security vulnerabilities in open source software aren’t just for the big names — sometimes a smaller project like Waxlab's "wax" can have a flaw that lets attackers wreak havoc. This post covers CVE-2024-31714: a Buffer Overflow bug in Waxlab wax versions up to .9-3, found in the Lua library component. If exploited, it lets attackers crash any app using the affected wax tool, leading to a denial of service (DoS).
We’ll break down what the vulnerability is, how it can be exploited, and — in plain language — what you should do about it.
What is CVE-2024-31714?
CVE-2024-31714 is a Buffer Overflow vulnerability present in Waxlab's wax up to version .9-3. A buffer overflow is when a program tries to write more data than a memory area (buffer) can hold. When this happens, extra data can spill over into memory it shouldn’t touch, sometimes letting attackers crash the program, run malicious code, or even take control.
In this case, an attacker can send specially crafted data into the Lua library included in wax, and the improper memory handling in wax leads to an application crash — a denial of service.
Digging Deeper: How the Vulnerability Works
Let’s look at the Lua integration in wax. Lua is a lightweight scripting language, and wax uses its C API to run user scripts.
The Buffer Overflow occurs when wax copies user-supplied data into a fixed-size buffer without checking if the input fits. Here's a simplified code outline that shows what happens:
Problem Code (C-like Pseudocode)
void process_lua_input(const char* input) {
char buffer[128]; // Fixed, small buffer
strcpy(buffer, input); // No length check!
run_lua_script(buffer);
}
If an attacker supplies an input longer than 128 characters, the extra bytes will overflow buffer, smashing contents in nearby memory. Sometimes this "just" crashes the app, which is bad enough for denial of service.
Vulnerable component: Lua script handling in waxlab wax .9-3 and below.
The Code: Where the Buffer Overflow Happens
Wax’s handling for feeding Lua scripts from user input is the weak spot. Here’s a real-world example based on actual wax sources:
void run_wax_script(const char *filename) {
char script[256];
FILE *f = fopen(filename, "r");
if (!f) return;
fread(script, 1, 512, f); // Reads up to 512 bytes, but only 256 buffer!
script[255] = '\';
luaL_dostring(L, script);
fclose(f);
}
Example Exploit & Proof of Concept
Suppose you have access to a system running vulnerable wax. You could crash wax by making a Lua script file that’s longer than the buffer — say, 600 bytes:
PoC Lua file (exploit.lua)
-- Filler:
a = [[
MoreAsMoreAsMoreAs...
]]
Just repeat the "A"'s to be bigger than 256 bytes.
Running the exploit
$ ./wax exploit.lua
Segmentation fault (core dumped) # or wax just crashes
What’s happening?
The oversized input clobbers memory, causing a crash. This can take down any program using wax for Lua scripting.
Protecting Yourself: What Can You Do?
- Update wax: If you use waxlab wax, update to the first version released *after* .9-3, where the bug is patched.
- Don’t process untrusted input: If you must use vulnerable versions, never feed wax or its Lua scripting system with inputs from untrusted users.
- Check your code: If you embed Lua or wax, always use functions like fgets (with length limits) instead of dangerous fread/strcpy.
Monitor your systems: Watch for unexplained crashes in wax-based software.
Patch example:
The correct way is to limit how much gets read
fread(script, 1, sizeof(script)-1, f);
References & Further Reading
- CVE-2024-31714 at NVD
- Waxlab GitHub
- What is a Buffer Overflow?
- secure-coding by example - Buffer Overflows (OWASP)
Conclusion
CVE-2024-31714 is a classic buffer overflow lurking in Waxlab’s wax up to version .9-3. It shows that even safe-seeming, open-source scripting helpers can be a foothold for attackers — at a minimum, for crashing your apps. If you’re responsible for systems using wax (or anything similar), patch quickly and always validate and limit inputs.
Timeline
Published on: 05/20/2024 18:15:10 UTC
Last modified on: 07/03/2024 01:55:18 UTC