OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
OpenS100, a maritime chart viewer, suffers from a critical remote code execution (RCE) vulnerability. By crafting a malicious S-100 portrayal catalogue containing embedded Lua scripts, an attacker can execute arbitrary commands on the victim's system with the privileges of the OpenS100 process, potentially leading to complete system compromise. This vulnerability stems from the insecure initialization of the Lua interpreter, allowing unrestricted access to system-level functions.
Step 1: Payload Creation: The attacker crafts a malicious S-100 portrayal catalogue. This catalogue contains a legitimate chart portrayal definition, but also includes a Lua script embedded within it.
Step 2: Lua Script Injection: The malicious Lua script is designed to execute arbitrary commands on the target system. This could involve downloading and executing malware, creating user accounts, or exfiltrating sensitive data.
Step 3: Catalogue Delivery: The attacker delivers the malicious S-100 portrayal catalogue to the target user. This could be achieved through various means, such as email, social engineering, or exploiting a web application that allows users to upload and share chart data.
Step 4: Catalogue Import: The victim user imports the malicious catalogue into OpenS100.
Step 5: Chart Loading & Script Execution: When the user loads a chart associated with the imported catalogue, OpenS100 executes the embedded Lua script. The script, due to the lack of sandboxing, can then execute arbitrary commands with the privileges of the OpenS100 process.
Step 6: Command Execution & System Compromise: The attacker's commands are executed, potentially leading to complete system compromise, data theft, or denial of service.
The root cause lies in the improper sandboxing of the Lua interpreter within OpenS100. The luaL_openlibs() function is used to initialize Lua, loading standard libraries like 'os' and 'io' without any restrictions or capability limitations. This allows untrusted portrayal catalogues, which are designed to contain chart display instructions, to include malicious Lua scripts. When a user imports and loads a crafted catalogue, the Lua scripts are executed, enabling the attacker to execute arbitrary commands. The lack of input validation on the catalogue contents and the unrestricted access to system functions create a direct path for RCE. The vulnerability is further exacerbated by the fact that the OpenS100 process likely runs with elevated privileges, amplifying the impact of a successful exploit.
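As an added example (not OpenS100's own code) of the host-side mitigation the root-cause analysis points to, the loader below runs a portrayal script in a Lua environment that contains no os, io or file-loading functions; the C-side counterpart is to replace luaL_openlibs() with luaL_requiref() calls for only the base, string, table and math libraries and then nil out dofile, loadfile and load. It assumes Lua 5.2 or later (load with mode and env arguments) and feeds a constructed probe script as input.

```lua
-- Added example (not OpenS100 code, Lua 5.2+): run an untrusted portrayal
-- script in a restricted environment that exposes no os/io/file access.

local function make_sandbox_env()
  -- Copy only pure functions. Deliberately absent: os, io, require, package,
  -- debug, dofile, loadfile, load, rawget/rawset, getmetatable/setmetatable
  -- (the last two would reach the shared string metatable).
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, pcall = pcall,
    string = {}, table = {}, math = {},
  }
  for _, k in ipairs({ "byte", "char", "find", "format", "gmatch", "gsub",
                       "len", "lower", "match", "rep", "reverse", "sub", "upper" }) do
    env.string[k] = string[k]
  end
  for _, k in ipairs({ "concat", "insert", "remove", "sort", "unpack" }) do
    env.table[k] = table[k]
  end
  for k, v in pairs(math) do env.math[k] = v end  -- math performs no I/O
  env._G = env
  return env
end

-- Load a catalogue script as text only ("t" mode rejects precompiled
-- bytecode, which can bypass environment restrictions) into a fresh sandbox.
local function run_portrayal_script(source, name)
  local fn, err = load(source, "=" .. name, "t", make_sandbox_env())
  if not fn then
    return nil, "syntax error in " .. name .. ": " .. err
  end
  local ok, result = pcall(fn)
  if not ok then
    return nil, "runtime error in " .. name .. ": " .. tostring(result)
  end
  return result
end

-- Constructed sample catalogue script: reports which sensitive globals are
-- reachable from inside the sandbox (all should be nil).
local probe = [[
  return table.concat({ type(os), type(io), type(dofile), type(require) }, ",")
]]
print(run_portrayal_script(probe, "probe.lua"))
```

Note that string methods remain reachable through the string metatable (e.g. `("x"):rep(n)`), so per-script memory and instruction limits (lua_sethook or a custom allocator) are still needed against resource exhaustion.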