module
Redis Lua Sandbox Escape
| Disclosed | Created |
|---|---|
| 02/18/2022 | 04/28/2022 |
Disclosed
02/18/2022
Created
04/28/2022
Description
This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
On a typical `redis` deployment (not docker), this module achieves execution
as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the
"MemoryDenyWriteExecute" permission, which limits some of what an attacker can
do. For example, staged meterpreter will fail when attempting to use mprotect.
As such, stageless meterpreter is the preferred payload.
Redis can be configured with authentication or not. This module will work with
either configuration (provided you provide the correct authentication details).
This vulnerability could theoretically be exploited across a few architectures:
i386, arm, ppc, etc. However, the module only supports x86_64, which is likely
to be the most popular version.
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
On a typical `redis` deployment (not docker), this module achieves execution
as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the
"MemoryDenyWriteExecute" permission, which limits some of what an attacker can
do. For example, staged meterpreter will fail when attempting to use mprotect.
As such, stageless meterpreter is the preferred payload.
Redis can be configured with authentication or not. This module will work with
either configuration (provided you provide the correct authentication details).
This vulnerability could theoretically be exploited across a few architectures:
i386, arm, ppc, etc. However, the module only supports x86_64, which is likely
to be the most popular version.
Authors
Reginaldo Silvajbaines-r7
Platform
Linux,Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/redis/redis_debian_sandbox_escape
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.