Posts

Showing posts from March, 2020

Dungeon Crawl Stone Soup

Dungeon Crawl Stone Soup, aka DCSS, aka "crawl", is an open source roguelike game, available at https://github.com/crawl/crawl. Public DCSS servers (crawl.kelbi.org, crawl.develz.org, crawl.akrasiac.org, underhound.eu, crawl.beRotato.org, lazy-life.ddo.jp, webzook.net, crawl.xtahua.com, crawl.project357.org) allow users to play DCSS without compiling it or installing it on their own system. On these servers, before starting a game players can upload their own .crawlrc configuration file. These files can include Lua 5.1 scripts, and the global environment for these scripts includes the load and loadstring functions. load and loadstring can be used to load not just other Lua scripts, but also valid or invalid Lua bytecode. Although Lua 5.1 includes a perfunctory bytecode verifier, there are known weaknesses in that verifier which have been well documented in the security community.

NetHack 3.6.6, or, How to Glitch NetHack

The NetHack DevTeam released NetHack 3.6.6 on March 8, 2020, primarily to address CVE-2020-5254, which I reported to them on March 3. Although most of my report was focused on security, and indeed I was able to get full remote code execution (RCE) on pre-release NetHack 3.7 (but not 3.6.5), I actually thought the more interesting finding was how to exploit the bug as a glitch.

NetHack 3.6.5

The NetHack DevTeam released NetHack 3.6.5 on January 27, 2020, primarily to address six buffer overflows I reported to them on January 12 and January 15. All of these bugs were found with AFL as I described in Fuzzing NetHack.

Fuzzing NetHack

After NetHack 3.6.4, I looked at other games including Freeciv and Dungeon Crawl Stone Soup. Freeciv uses a client/server model, and I really wanted to find a vulnerability in the server protocol. I discovered AFL and set up the fuzzer to run against the Freeciv server. Days later, AFL had found nothing and I was bored, so I decided to run AFL against NetHack. That ended up being a very good idea.

NetHack 3.6.4

The NetHack DevTeam released NetHack 3.6.4 on December 18, 2019, primarily to address CVE-2019-19905, which I reported to them on December 13. I was impressed with the five-day turnaround.

Why NetHack?

There's a lot of software out there to explore, so a good first question is why I would pick NetHack as a place to focus my security research. A few reasons: