
CVE-2026-22208

CRITICAL 9.4 / 10.0
Published: February 17, 2026 at 03:16 PM
Modified: February 18, 2026 at 05:52 PM
Source: disclosure@vulncheck.com

Vulnerability Description

OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

CVSS Metrics

Base Score
9.4
Severity
CRITICAL
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: disclosure@vulncheck.com

AI Security Analysis

01 // Technical Summary

OpenS100, a maritime chart viewer, suffers from a critical remote code execution (RCE) vulnerability. By crafting a malicious S-100 portrayal catalogue containing unrestricted Lua scripts, attackers can execute arbitrary commands on the victim's system with the privileges of the OpenS100 process, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious S-100 portrayal catalogue. This catalogue contains a Lua script designed to execute arbitrary commands.

Step 2: Catalogue Import: A user, using OpenS100, imports the malicious portrayal catalogue. This action is often triggered by a social engineering campaign, such as a phishing email or a compromised website.

Step 3: Chart Loading: The user loads a chart that references the imported malicious portrayal catalogue. This triggers the Portrayal Engine to interpret the catalogue's data.

Step 4: Lua Script Execution: The Portrayal Engine, during chart rendering, executes the embedded Lua script. Because the Lua interpreter is initialized without sandboxing, the script can access the 'os' and 'io' libraries.

Step 5: Command Execution: The Lua script, using the 'os' library, executes attacker-specified commands on the victim's system with the privileges of the OpenS100 process.

Step 6: System Compromise: The executed commands can be used to download and execute malware, steal sensitive data, or establish persistent access to the compromised system.

03 // Deep Technical Analysis

The vulnerability stems from the insecure initialization of the Lua interpreter within the OpenS100 Portrayal Engine. The function luaL_openlibs() is used to initialize the Lua environment, which exposes standard libraries like 'os' and 'io' without any sandboxing or capability restrictions. This allows untrusted portrayal catalogues, which are designed to be loaded and interpreted by the application, to contain malicious Lua scripts. The lack of input validation and sanitization on the portrayal catalogue data, combined with the unrestricted Lua environment, allows an attacker to inject arbitrary code. The root cause is the failure to restrict the capabilities of the Lua interpreter, allowing malicious scripts to execute system commands. This is a classic example of a code injection vulnerability.

04 // Exploitation Status

Likely **Public PoC** or **Actively exploited**. Given the straightforward nature of the vulnerability and the availability of Lua scripting, a proof-of-concept exploit is highly probable. The ease of exploitation makes it likely that attackers are actively exploiting this vulnerability.

05 // Threat Intelligence

This vulnerability could be exploited by various threat actors, including those targeting maritime infrastructure. The ease of exploitation makes it attractive to both financially motivated and state-sponsored actors. The potential impact on critical infrastructure makes it a high-priority target. No specific APT groups are currently linked, but the nature of the target suggests potential interest from groups with maritime interests. CISA KEV status: Likely candidate for inclusion due to high severity and ease of exploitation.

06 // Detection & Hunting

  • Monitor file system activity for the creation of suspicious files or modifications to system files by the OpenS100 process.

  • Analyze network traffic for unusual outbound connections originating from the OpenS100 process, especially connections to command-and-control (C2) servers.

  • Examine OpenS100 process logs for evidence of Lua script execution, especially those involving the 'os' or 'io' libraries.

  • Implement file integrity monitoring to detect changes to critical system files.

  • Use endpoint detection and response (EDR) solutions to identify and block malicious activity.

  • Monitor for the import of untrusted S-100 portrayal catalogues.
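One way to vet a portrayal catalogue before import, as an added example (not OpenS100 code and not part of the advisory): a static scan of its Lua rule files for references to 'os', 'io' and similar globals. It assumes rules ship as .lua files under the catalogue directory; the RISKY list beyond 'os' and 'io' and the sample rule are constructed for illustration.

```python
import re
from pathlib import Path

# 'os' and 'io' are the libraries the advisory names; the rest is an assumed,
# non-exhaustive list of globals that reach files, code loading or _G.
RISKY = {"os", "io", "package", "debug", "require", "dofile", "loadfile",
         "load", "loadstring", "_G", "_ENV", "getfenv", "setfenv"}

# Comments and string literals are matched first so their contents are skipped.
TOKEN = re.compile(r"""
    --\[(=*)\[.*?\]\1\]          # long comment
  | --[^\n]*                     # line comment
  | \[(=*)\[.*?\]\2\]            # long string
  | "(?:\\.|[^"\\\n])*"          # double-quoted string
  | '(?:\\.|[^'\\\n])*'          # single-quoted string
  | (?P<name>[A-Za-z_]\w*)       # identifier
""", re.S | re.X)

# Constructed sample rule file (not taken from a real portrayal catalogue).
SAMPLE = '''-- constructed rule
-- os.getenv("HOME") in a comment is ignored
local label = "see os.time docs"   -- inside a string: ignored
local depth = feature.os           -- field access: ignored
local home = os.getenv("HOME")     -- flagged
local f = io.open("out.txt", "w")  -- flagged
local lib = require("socket")      -- flagged
'''

def scan_lua(source):
    """Return sorted (line, name) pairs for references to risky globals."""
    hits = set()
    for m in TOKEN.finditer(source):
        name = m.group("name")
        if name not in RISKY:
            continue
        before = source[:m.start()].rstrip()
        # 'x.os' / 'x:os' is a field of x, but '"a"..os' (concat) is the global
        is_field = before.endswith((".", ":")) and not before.endswith("..")
        if not is_field:
            hits.add((source.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_catalogue(root):
    """Map each .lua file under root (relative path) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.lua")):
        hits = scan_lua(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report
```

A clean result does not prove a catalogue safe, because Lua can reach globals through computed names; treat the scan as pre-import triage alongside the fix in commit 753cf29.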

07 // Remediation & Hardening

  • Update OpenS100 to commit 753cf29 or later.

  • Implement input validation and sanitization for all data within S-100 portrayal catalogues.

  • Sandbox the Lua interpreter by restricting access to sensitive libraries and system functions. Consider using a Lua sandboxing library or implementing custom Lua functions with restricted capabilities.

  • Implement least privilege principles, ensuring the OpenS100 process runs with the minimum necessary privileges.

  • Regularly scan systems for vulnerable versions of OpenS100.

  • Educate users about the risks of importing untrusted files and clicking on suspicious links.

08 // Affected Products

OpenS100 (reference implementation S-100 viewer) prior to commit 753cf29