Description
This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries.
On a typical `redis` deployment (not docker), this module achieves execution as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload.
Redis can be configured with authentication or not. This module will work with either configuration (provided you provide the correct authentication details). This vulnerability could theoretically be exploited across a few architectures: i386, arm, ppc, etc. However, the module only supports x86_64, which is likely to be the most popular version.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/redis/redis_debian_sandbox_escapemsf undefined(redis_debian_sandbox_escape) > show actions ...actions...msf undefined(redis_debian_sandbox_escape) > set ACTION < action-name >msf undefined(redis_debian_sandbox_escape) > show options ...show and set options...msf undefined(redis_debian_sandbox_escape) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub