The great cracking challenge

Robin · Post by **Robin** » Wed Feb 23, 2011 7:55 pm

We all know LÖVE has gaping security holes. Some people don't like that. I forked LÖVE to make a sandboxed version, mostly to inspire actual changes in the main LÖVE fork. That fork is SELÖVE.

I recently updated it to be compatible with LÖVE 0.7.1.

The thing is, I don't really know if I missed some ways of reaching outside the sandbox.

So I present to you a challenge: find a way to crack SELÖVE with a malicious .love file. If you succeed, you win one (1) free internets. Also, eternal glory.

The source, a 64-bit .deb and an slightly outdated* 32-bit Windows executable** are available on the Bitbucket downloads page, so you can test them.

* Equivalent to LÖVE 0.7.0, but sandboxing should be the same.
** Generously provided by TechnoCat.

So, who thinks they can beat this?

NOTE: This should be obvious, but any casual readers might want to note that this is not a topic where you'll want to download and run all .loves you can find. By design, they might be harmful to your computer, especially when run with vanilla LÖVE.

Post by **slime** » Wed Feb 23, 2011 8:08 pm

I compiled an Intel OSX LuaJIT build, for those interested: http://dl.dropbox.com/u/4214717/SELoveJIT.zip

Youtube · Post by **bartbes** » Wed Feb 23, 2011 9:18 pm

My first entry is in, and it's a huge hole as well, basically, I get around your entire sandbox, no problem bro.

Btw, it just opens up a website, hopefully I coded the OS detection and url opening right, in any case it is a demonstration of what is possible.

Robin · Post by **Robin** » Wed Feb 23, 2011 9:24 pm

Epicness, bartbes. And on your 2300th post, no less.

Explanation to casual readers: package.loaded is not properly cleaned of references to the Lua standard library, so that the sandbox is not properly closed. I thought I'd taken care of that, but it appears not.

Youtube · Post by **bartbes** » Wed Feb 23, 2011 9:36 pm

And the second one.
Again, completely bypasses the sandbox, anything can be done.

Youtube · Post by **bartbes** » Wed Feb 23, 2011 10:44 pm

Entry 3, full filesystem access (it dumps a list of your root on the console).

tentus · Post by **tentus** » Wed Feb 23, 2011 11:37 pm

Jesus, now we all know who not to anger.

BlackBulletIV · Post by **BlackBulletIV** » Thu Feb 24, 2011 12:54 am

.... Woah. Nice.

EMB · Post by **EMB** » Thu Feb 24, 2011 3:21 pm

Both crack1 and crack2 failed.
crack3 however, that could be interesting...

Youtube · Post by **bartbes** » Thu Feb 24, 2011 3:35 pm

Oh I heard more people had the actual opening of the website fail, I can assure you, however, that they work.

The great cracking challenge

The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Re: The great cracking challenge

Who is online