Hacking Salt Stack
Today's exploit is one that covers two CVEs for the popular DevOps tool Salt.
Salt is a tool for system administrators to manage and carry out tasks on many computers at once,
such as upgrading a large set of machines. Thanks to its ease of use and the wide
variety of supported platforms, the tool has grown an ever larger user base and even has a
yearly conference called SaltConf (https://saltconf.com/).
Two new vulnerabilities were found that are so serious that even Salt has
a notice on its main page advising people to patch
their Salt instances.
ClearFuncs, the component responsible for handling the
authentication and key exchange between a Salt server
and its clients, does not validate authentication when its methods and functions are called.
This allows a malicious third party to call those functions without any authentication,
which in turn can be used to run malicious commands on the clients.
Check out ClearFuncs on GitHub:
ClearFuncs allows arbitrary access to methods that can give
an unauthenticated user access to system directories.
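The flaw described above is a general class of bug: a request dispatcher resolves a client-supplied method name and calls it without first asking whether the caller is allowed to. The following is a constructed illustration added here, not Salt's ClearFuncs code; the class names, the `cmd`/`token` fields of the request and the `_read_root_key` helper are all assumptions made for the example. It shows the vulnerable shape beside a hardened dispatcher that only exposes an explicit allow-list of commands and checks a token before running privileged ones.

```python
"""Vulnerable vs. hardened request dispatcher (constructed example, not Salt's code)."""
import hmc_placeholder_guard  # noqa: F401  (removed below; see real import)
```
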
Metasploit was fast to write a module (metasploit-framework/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb)
that exploits these vulnerabilities.
root@kalimah:~/salt# python3 exploit.py --master 192.168.115.130
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Salt version: 3000.1
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (ip:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651...
[*] root key obtained: b5pKEa3Mbp/TD7TjdtUTLxnk0LIANRZXC+9XFNIChUr6ZwIrBZJtoZZ8plfiVx2ztcVxjK2E1OA=
root@kalimah:~/salt#
Find salt hosts: