Hack 'n' Slash

Security Exploit 2
   
File Size: 25.191 KB
Posted: Sep 20, 2014 @ 5:41pm

In 1 collection by SmashManiac: Security Exploits (2 items)
Description
Status: FIXED
Reported 2014-09-20, fixed 2014-09-24

Hack 'n' Slash creates a special environment for mods by exposing only a subset of the Lua standard libraries and a few special functions designed for creating mods. This mod demonstrates an exploit that was possible on a previous version of the game which bypassed this protection and allowed arbitrary code execution, regardless of the player's operating system. It does not contain viruses, trojan horses, worms, or any other similar software or programs, but could theoretically have been used to bootstrap one by a malicious modder.

When enabled, this mod was designed to prompt for a command to be sent to the operating system, which would then be executed. By default, it would launch Windows Calculator in a separate process. For convenience, the mod automatically terminates the game once the command returns.

The vulnerability used in this particular exploit is in the scripts.load() function. This function internally called Lua's loadfile() function, and code loaded this way ran in the global environment with access to all of the Lua standard libraries. Arbitrary commands could then be executed through the os library. This particular exploit was patched by preventing access to Lua's os and io libraries.
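As an added example (not the game's code; the function names and the allow-list are my own assumptions about what a mod needs), here are the two patterns side by side: a loadfile()-based loader that hands the mod the real global environment, and a loader that binds the same chunk to a whitelist environment, using setfenv on Lua 5.1 and the env argument of load on 5.2+.

```lua
-- Vulnerable pattern: a chunk from loadfile() executes in _G, so the mod can
-- reach os, io, package and debug, as the description explains.
local function unsafe_load(path)
  local chunk, err = loadfile(path)
  if not chunk then return nil, err end
  return pcall(chunk)
end

-- Allow-list of globals a mod legitimately needs. os, io, package, require,
-- dofile, loadfile, debug, rawset and setmetatable are simply absent.
local function make_sandbox_env()
  local safe_string = {}
  for k, v in pairs(string) do safe_string[k] = v end
  safe_string.dump = nil            -- string.dump leaks function bytecode
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, next = next, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    unpack = unpack or table.unpack, pcall = pcall, error = error,
    string = safe_string, table = table, math = math,
  }
  env._G = env                      -- _G inside the sandbox is the sandbox
  return env
end

-- Hardened pattern: accept source text only (the 5.1 VM does not verify
-- precompiled bytecode) and bind the chunk to the sandbox environment.
local function sandboxed_load(src, chunkname)
  if src:sub(1, 1) == "\27" then
    return nil, chunkname .. ": precompiled chunks are not allowed"
  end
  local env = make_sandbox_env()
  local chunk, err
  if setfenv then                   -- Lua 5.1
    chunk, err = loadstring(src, chunkname)
    if chunk then setfenv(chunk, env) end
  else                              -- Lua 5.2+
    chunk, err = load(src, chunkname, "t", env)
  end
  if not chunk then return nil, err end
  return pcall(chunk)
end

-- File-based wrapper, the shape a scripts.load(path) replacement would take.
local function safe_load_file(path)
  local f, err = io.open(path, "rb")
  if not f then return nil, err end
  local src = f:read("*a"); f:close()
  return sandboxed_load(src, "=" .. path)
end
print(sandboxed_load([[ os.execute("calc.exe") ]], "=demo_mod")) -- constructed mod source
```

Running the last line prints false followed by an error saying that the global 'os' is nil, which is the sandbox refusing the same call the original mod relied on.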

Because of potential vulnerabilities such as this one, I recommend that players inspect the source code of the mods they download through Steam Workshop before enabling them and report those that violate the Steam Online Conduct Rules as soon as possible.

I hope that this mod will serve as an educational piece for all types of programmers about the importance of writing secure code.

If you find any security issues in the game, please contact support@doublefine.com

To see more Hack 'n' Slash vulnerabilities, please check my Security Exploits collection.
2 Comments
SmashManiac [author] Sep 24, 2014 @ 12:53am
The fix appears to be working fine, but there are still some insecure functions available. For example, I can cause the EXE to crash when using package.loadlib() in my codeToInject variable. Exploiting this function is actually quite difficult but not impossible, I believe.

I can't think of any other examples, but you should take a second look just to be on the safe side.
Noughtceratops Sep 23, 2014 @ 4:13pm
This one should be fixed now. You can still access the global environment from scripts.load, but I did some work reducing the surface area of insecure functions in the global environment. Namely, you can no longer access Lua's os or io modules.

If you need to load an asset in the game's file system, you can use the new DFHack.loadAsset(path) function. Paths are relative to the Hack 'n' Slash root directory.