The great cracking challenge

General discussion about LÖVE, Lua, game development, puns, and unicorns.
User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

The great cracking challenge

Post by Robin » Wed Feb 23, 2011 7:55 pm

We all know LÖVE has gaping security holes. Some people don't like that. I forked LÖVE to make a sandboxed version, mostly to inspire actual changes in the main LÖVE fork. That fork is SELÖVE.

I recently updated it to be compatible with LÖVE 0.7.1.

The thing is, I don't really know if I missed some ways of reaching outside the sandbox.

So I present to you a challenge: find a way to crack SELÖVE with a malicious .love file. If you succeed, you win one (1) free internets. Also, eternal glory.

The source, a 64-bit .deb and an slightly outdated* 32-bit Windows executable** are available on the Bitbucket downloads page, so you can test them.

* Equivalent to LÖVE 0.7.0, but sandboxing should be the same.
** Generously provided by TechnoCat.

So, who thinks they can beat this?

NOTE: This should be obvious, but any casual readers might want to note that this is not a topic where you'll want to download and run all .loves you can find. By design, they might be harmful to your computer, especially when run with vanilla LÖVE.
Help us help you: attach a .love.

User avatar
slime
Solid Snayke
Posts: 2852
Joined: Mon Aug 23, 2010 6:45 am
Location: Nova Scotia, Canada
Contact:

Re: The great cracking challenge

Post by slime » Wed Feb 23, 2011 8:08 pm

I compiled an Intel OSX LuaJIT build, for those interested: http://dl.dropbox.com/u/4214717/SELoveJIT.zip

User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: The great cracking challenge

Post by bartbes » Wed Feb 23, 2011 9:18 pm

My first entry is in, and it's a huge hole as well, basically, I get around your entire sandbox, no problem bro. :P

Btw, it just opens up a website, hopefully I coded the OS detection and url opening right, in any case it is a demonstration of what is possible.
Attachments
crack1.love
First attempt, hopefully more to follow.
(361 Bytes) Downloaded 110 times

User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: The great cracking challenge

Post by Robin » Wed Feb 23, 2011 9:24 pm

Epicness, bartbes. And on your 2300th post, no less.

Explanation to casual readers: package.loaded is not properly cleaned of references to the Lua standard library, so that the sandbox is not properly closed. I thought I'd taken care of that, but it appears not.
Help us help you: attach a .love.

User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: The great cracking challenge

Post by bartbes » Wed Feb 23, 2011 9:36 pm

And the second one.
Again, completely bypasses the sandbox, anything can be done.
Attachments
crack2.love
(589 Bytes) Downloaded 96 times

User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: The great cracking challenge

Post by bartbes » Wed Feb 23, 2011 10:44 pm

Entry 3, full filesystem access (it dumps a list of your root on the console).
Attachments
crack3.love
(367 Bytes) Downloaded 101 times

User avatar
tentus
Inner party member
Posts: 1060
Joined: Sun Oct 31, 2010 7:56 pm
Location: Appalachia
Contact:

Re: The great cracking challenge

Post by tentus » Wed Feb 23, 2011 11:37 pm

Jesus, now we all know who not to anger. :huh:
Kurosuke needs beta testers

User avatar
BlackBulletIV
Inner party member
Posts: 1260
Joined: Wed Dec 29, 2010 8:19 pm
Location: Queensland, Australia
Contact:

Re: The great cracking challenge

Post by BlackBulletIV » Thu Feb 24, 2011 12:54 am

.... Woah. Nice.

EMB
Citizen
Posts: 70
Joined: Sat Jan 08, 2011 8:49 pm

Re: The great cracking challenge

Post by EMB » Thu Feb 24, 2011 3:21 pm

Both crack1 and crack2 failed.
crack3 however, that could be interesting...
Request Programs
If Linux were a beer, it would be shipped in open barrels so that anybody could piss in it before delivery

User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: The great cracking challenge

Post by bartbes » Thu Feb 24, 2011 3:35 pm

Oh I heard more people had the actual opening of the website fail, I can assure you, however, that they work.

Post Reply

Who is online

Users browsing this forum: No registered users and 9 guests