Redis is a database, but this is not a vulnerability triggered simply by firing a query or storing a payload in the database, so it is similar to the Adobe vulnerability I covered before. Anyway, as the title says, this time it is an analysis and exploit of CVE-2022-24834, and like last time I packed it full!
CVE-2022-24834 is a vulnerability in Redis, an in-memory database. It affects the Redis versions that ship vulnerable Lua scripting support and is caused by an integer overflow in cjson, the module Lua uses to encode and parse JSON. The bug can be triggered by connecting to the Redis server and running a Lua script.
The integer overflow leads to a heap overflow, which in turn makes remote code execution possible.
The vulnerability occurs in the json_append_string function of cjson, the JSON module used by Lua in Redis, and has the same root cause in all vulnerable versions.
json_append_string
The source code for this function is shown below.
/* json_append_string args:
 * - lua_State
 * - JSON strbuf
 * - String (Lua stack index)
 *
 * Returns nothing. Doesn't remove string from Lua stack */
static void json_append_string(lua_State *l, strbuf_t *json, int lindex)
{
    const char *escstr;
    int i;
    const char *str;
    size_t len;

    str = lua_tolstring(l, lindex, &len);                      // [1]

    /* Worst case is len * 6 (all unicode escapes).
     * This buffer is reused constantly for small strings
     * If there are any excess pages, they won't be hit anyway.
     * This gains ~5% speedup. */
    strbuf_ensure_empty_length(json, len * 6 + 2);             // [2]

    strbuf_append_char_unsafe(json, '\"');                     // [3]
    for (i = 0; i < len; i++) {
        escstr = char2escape[(unsigned char)str[i]];
        if (escstr)
            strbuf_append_string(json, escstr);
        else
            strbuf_append_char_unsafe(json, str[i]);
    }
    strbuf_append_char_unsafe(json, '\"');
}
The purpose of this function is to convert a Lua string object into a JSON string. The source code can be broken down into three main steps, [1], [2], and [3].
str = lua_tolstring(l, lindex, &len);                      // [1]
The lua_State *l and the Lua stack index int lindex are passed to lua_tolstring, which converts the Lua string at that stack index into a C string and returns a pointer to it. The length of that C string is written into the size_t variable len.
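The size request made at step [2] is where the integer overflow lives. The following is an added example, not code from Redis or lua-cjson: it models only the size bookkeeping around `len * 6 + 2`, assuming (as in the vulnerable strbuf, which this page does not show) that the buffer tracks its size and free space as int while the Lua string length arrives as size_t, and places a hardened length check beside the vulnerable pattern.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Model of cjson's strbuf_t bookkeeping (assumed int fields). */
typedef struct {
    int size;    /* bytes allocated */
    int length;  /* bytes already used */
} strbuf_model_t;

static int empty_length(const strbuf_model_t *s)
{
    return s->size - s->length;
}

/* Vulnerable pattern: the caller computes len * 6 + 2 in size_t, and the
 * callee's int parameter silently narrows it. Returns true when a resize
 * would be performed, false when the (possibly wrapped or negative) request
 * is judged to fit and the unchecked appends that follow run on a buffer
 * that is too small. */
static bool needs_resize_vulnerable(const strbuf_model_t *s, size_t len)
{
    int requested = (int)(len * 6 + 2);   /* implicit narrowing in the real call */
    return requested > empty_length(s);
}

/* Largest Lua string whose worst-case escaped size (6 bytes per character
 * plus two quotes) still fits in an int. */
#define MAX_JSON_STRING_LEN (((size_t)INT_MAX - 2) / 6)

/* Hardened variant: bound len before the multiplication so the request can
 * never wrap. *ok is cleared when the string must be rejected. */
static bool needs_resize_checked(const strbuf_model_t *s, size_t len, bool *ok)
{
    if (len > MAX_JSON_STRING_LEN) {
        *ok = false;
        return false;
    }
    *ok = true;
    return (int)(len * 6 + 2) > empty_length(s);
}
```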