Last updated at Fri, 29 Apr 2022 20:09:07 GMT
Redis Sandbox Escape
Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 6.1.0 and achieves remote code execution as the `redis` user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.
While this module targets Redis, the vulnerability (CVE-2022-0543) only presents itself in the Redis packages shipped by Debian-based Linux distributions, where the Lua `package` library remains enabled inside the scripting sandbox. With the package library reachable, a script passed to EVAL can load arbitrary shared libraries and use them to escape the sandbox's protections. This vulnerability has been reported as being exploited in the wild.
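A non-destructive way to check whether a given Redis instance exposes the Lua `package` library, as an added example that is not code from the Metasploit module or from Redis itself: it sends the read-only Lua expression `return type(package)` through EVAL and classifies the reply. Host, port and password are assumptions taken from the command line. The "not vulnerable" verdict relies on stock Redis raising a "nonexistent global variable" error when a script reads an undefined global, while an affected Debian-based build answers with the string `table`.

```python
#!/usr/bin/env python3
"""Non-destructive probe for CVE-2022-0543 exposure.

Added example, not code from the Metasploit module.  It asks the Lua
scripting sandbox whether the `package` library is reachable.  Host, port
and password are assumptions supplied on the command line.
"""
import socket
import sys

# Read-only Lua expression sent through EVAL.  On an affected Debian/Ubuntu
# build `package` is a table; stock Redis protects the global table, so
# reading an undefined global raises an error instead of returning nil.
PROBE_SCRIPT = "return type(package)"


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def parse_reply(data: bytes):
    """Parse one complete RESP reply.

    Returns (kind, value) with kind in {'status', 'error', 'int', 'bulk',
    'null'}.  Raises ValueError if the buffer is incomplete or unsupported.
    """
    if not data.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    prefix, rest = data[:1], data[1:]
    if prefix == b"+":
        return "status", rest[:-2].decode()
    if prefix == b"-":
        return "error", rest[:-2].decode()
    if prefix == b":":
        return "int", int(rest[:-2])
    if prefix == b"$":
        head, _, body = rest.partition(b"\r\n")
        if not head:
            raise ValueError("incomplete bulk reply")
        length = int(head)
        if length == -1:
            return "null", None
        if len(body) < length + 2:
            raise ValueError("incomplete bulk reply")
        return "bulk", body[:length].decode()
    raise ValueError(f"unsupported reply type {prefix!r}")


def classify(kind, value) -> str:
    """Turn the probe's reply into a verdict string."""
    if kind == "bulk" and value == "table":
        return "vulnerable: Lua package library is exposed to EVAL"
    if kind == "error" and "nonexistent global" in value:
        return "not vulnerable: Lua package library is not loaded"
    if kind == "error" and value.startswith("NOAUTH"):
        return "unknown: authentication required (supply a password)"
    return f"unknown: unexpected reply {kind} {value!r}"


def recv_reply(sock: socket.socket) -> bytes:
    """Read from the socket until one full RESP reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            parse_reply(buf)
            return buf
        except ValueError as exc:
            if "incomplete" not in str(exc):
                raise


def probe(host: str, port: int = 6379, password=None, timeout: float = 5.0) -> str:
    """Connect, optionally AUTH, send the probe and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_command("AUTH", password))
            kind, value = parse_reply(recv_reply(sock))
            if kind != "status":
                return f"unknown: AUTH failed ({value!r})"
        sock.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        return classify(*parse_reply(recv_reply(sock)))


if __name__ == "__main__":
    # Usage: probe.py <host> [password]  (defaults to the local instance)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    secret = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe(target, password=secret))
```

The probe never calls `package.loadlib`, so it changes nothing on the server; it only reports whether the precondition for the escape is present, which is the check a defender wants before and after applying the distribution's fixed package.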
Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. The data returned includes version information, which can point a user toward a potential next target for privilege escalation.
New module content (2)
- Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 - This exploit achieves remote code execution as the `redis` user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
- Windows Installed AntiVirus Enumeration by rageltman - This adds a module that enumerates all installed AV products on Windows.
Enhancements and features (1)
- #16486 from adfoster-r7 - This adds an initial set of pen testing docs to https://docs.metasploit.com/docs/pentesting/
Bugs fixed (2)
- #16450 from ORelio - This updates `exploit/multi/vnc/vnc_keyboard_exec` to include a delay that increases reliability when getting a shell and typing out long commands.
- #16509 from adfoster-r7 - This ensures proper escaping of HTML in code blocks that are produced by the
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).