Improvement of CVE-2022-24834 public exploit

Author

Conviso Research Team

Description

The team at Ricerca Security (@RicercaSec) discovered and successfully exploited a interesting vulnerability (CVE-2022-24834) in the Lua interpreter included with Redis. This vulnerability is a heap overflow in the cjson library, and a detailed writeup can be found here.

We noticed some hard coded offsets [2] [3], which might pose a inconvenience for those who wish to test it, so we decided to remove them. The main goal was to make it more generic and learn a bit about Lua internals.

Modifications we made

We used a huge string to be able to read arbitrary memory addresses more easily;
We used Lua coroutine to leak stack and libc addresses, this technique is documented by Saelo (@5aelo);
We included a symbol resolution function (local system_addr = resolve_symbol_gnu(libc_leak, "system"))
We included an auto gadget finder;
We modified the original exploit.py to use pwntools
We added a reverse shell handler to exploit.py

Tests

Redis 7.0.11 on Ubuntu 20.04 (via own compilation) - SUCCESS
Redis 7.0.11 on Ubuntu 20.04 (via apt using Redis official repository) - SUCCESS
Redis 7.0.11 on Ubuntu 20.04 (via docker image redis:7.0.11) - SUCCESS
Redis 6.2.12 on Ubuntu 20.04 (via docker image redis:6.2.12) - SUCCESS
Redis 7.0.11 on Debian 11 (via apt using Redis official repository) - SUCCESS
Redis 5.0.7 on Ubuntu 20.04 (via apt) - CRASH