
Example Analysis of multiple High-risk vulnerabilities in remote Code execution of SaltStack

2025-03-28 Update From: SLTechnology News&Howtos, shulou (Network Security)


Shulou(Shulou.com)05/31 Report--

This article is a worked analysis of multiple high-risk remote code execution vulnerabilities in SaltStack. It walks through the analysis and the corresponding fixes in detail, in the hope of giving readers facing this problem a simple and workable approach.

After analyzing CVE-2020-17490 and CVE-2020-16846, we found that the patch for CVE-2020-17490 was incomplete, leaving wheel_async reachable without authorization, so the methods in the wheel module can be called. Starting from this, we analyzed the methods in SaltStack's wheel module and eventually found a template injection in the configuration-loading module, which yields unauthorized remote code execution.

Introduction

SaltStack is a subsidiary of VMware. Its products are used for operations and maintenance management and can support tens of thousands of servers; the main functions are configuration file management and remote command execution. It is easy to use and powerful, and has 11.4k stars on GitHub.

SaltStack is written entirely in Python and uses a client/server (C/S) architecture in which the server is called the Master and the client the Minion: one Master can push configuration files to many Minions and execute commands on them remotely. SaltStack is the name of the system as a whole; it mainly consists of the salt, salt-master, salt-minion, salt-api and other programs. salt-master and salt-minion read their configuration file from the specified path and start. salt-master listens on ports 4505 and 4506, for publishing messages and receiving monitoring data respectively.

Salt programs can call a large number of functions and can target a single minion or a set of minions. salt-api can expose REST interfaces through CherryPy or Tornado; CherryPy is used by default.

This paper mainly discusses salt-master and salt-api.

The following convention is used to specify code locations: FileLocation:ClassName.method() or FileLocation:function()

CVE-2021-25281 unauthorized access

By analyzing the patch material for CVE-2020-25592:

Https://gitlab.com/saltstack/open/salt-patches/-/blob/master/patches/2020/09/25/3002.patch

You can see that the patch authenticates the ssh method by calling the authentication module, while salt/salt/netapi/__init__.py:NetapiClient.run() dynamically calls methods of the NetapiClient class via getattr, passing in args and kwargs as parameters.

The callable methods in this class are:

- local
- local_async
- local_batch
- local_subset
- runner
- runner_async
- ssh
- wheel
- wheel_async

Analysis shows that wheel_async can be called without authorization. The other methods (except ssh) generate a job to ZeroMQ, where the consumer side performs authentication, whereas wheel_async calls the method in the wheel package asynchronously.

The call chain is as follows:

salt/salt/netapi/__init__.py:NetapiClient.run() ⇒ salt/salt/netapi/__init__.py:NetapiClient.wheel_async() ⇒ salt/salt/wheel/__init__.py:WheelClient.cmd_async() ⇒ salt/salt/client/mixins.py:AsyncClientMixin.asynchronous()

salt/salt/client/mixins.py:AsyncClientMixin.asynchronous()

The target function here is self._proc_function. The low parameter is controllable from the POST body, and the value of fun is taken from the fun key of low in salt/salt/wheel/__init__.py:WheelClient.cmd_async().

salt/salt/client/mixins.py:AsyncClientMixin._proc_function() then calls salt/salt/client/mixins.py:SyncClientMixin.low(), which dynamically calls the method in the wheel package with the args and kwargs parameters.

salt/salt/client/mixins.py:SyncClientMixin.low()

The callable methods are as follows:

- config.apply
- config.update_config
- config.values
- error.error
- file_roots.find
- file_roots.list_env
- file_roots.list_roots
- file_roots.read
- file_roots.write
- key.accept
- key.accept_dict
- key.delete
- key.delete_dict
- key.finger
- key.finger_master
- key.gen
- key.gen_accept
- key.gen_keys
- key.gen_signature
- key.get_key
- key.print
- key.list
- key.list_all
- key.master_key_str
- key.name_match
- key.reject
- key.reject_dict
- minions.connected
- pillar_roots.find
- pillar_roots.list_env
- pillar_roots.list_roots
- pillar_roots.read
- pillar_roots.write

CVE-2021-25282 restricted arbitrary file write

The salt/salt/wheel/pillar_roots.py:write() method allows writing arbitrary files, but requires the path in __opts__["pillar_roots"] to exist.

The read method cannot be used here: because the call is asynchronous, only jid and tag are returned, and querying the result of the task through jid and tag requires authentication.

salt/salt/wheel/pillar_roots.py:write()

CVE-2021-25283 template injection vulnerability

Turning on debug mode with the --log-level=debug parameter locates the master's automatic loading logic.

salt/salt/master.py:Maintenance.run()

As the code shows, the loop runs once every self.loop_interval; loop_interval can be set in the configuration file and defaults to 60s. Through debugging we found that salt.daemons.masterapi.clean_old_jobs reads the minion configuration file.

The call stack is as follows:

salt/salt/daemons/masterapi.py:clean_old_jobs() ⇒ salt/salt/minion.py:MasterMinion.__init__() ⇒ salt/salt/config/__init__.py:minion_config()

In salt/salt/minion.py:MasterMinion.__init__(), the automatic loading reads the parameters related to grains; grains is the facility SaltStack uses to collect system information from each minion.

salt/salt/minion.py:MasterMinion.__init__()

salt/salt/config/__init__.py:minion_config()

When the minion loads its configuration file, it calls a very interesting method, apply_sdb(), which parses configuration strings that start with sdb://.

salt/salt/config/__init__.py:apply_sdb()

salt/salt/utils/sdb.py:sdb_get()

In this function, for a string sdb://aaaa/bbbb SaltStack looks up the configuration item aaaa in the configuration file, reads its driver field into the fun variable, and uses bbbb as the query parameter. The final salt.loader.sdb(opts, fun, utils=utils) is a dynamic call: LazyLoader loads all files under the salt.sdb package, the module named by the value of fun is selected, and its get method is called.

After searching, we finally locate the salt/salt/sdb/rest.py file.

salt/salt/sdb/rest.py:query()

Here, key is the value of bbbb in the string above. Parameters in the form bbbb?ccc=ddd are also accepted here and passed to the compile_template method through **key_vars.

The render uses Jinja, and as is well known Jinja templates can be injected: without filtering, arbitrary code can be executed. The parameter passed here is profile[key]['url'], that is, the url value of the bbbb dictionary under the aaaa configuration item in the configuration file. The compile_template function is detailed below:

salt/salt/template.py:compile_template()

The render here calls the render method in salt/salt/renderers/jinja.py; the call chain is as follows:

salt/salt/template.py:compile_template() ⇒ salt/salt/utils/templates.py:JINJA() ⇒ salt/salt/utils/templates.py:wrap_tmpl_func() ⇒ salt/salt/utils/templates.py:render_jinja_tmpl()

Finally, render_jinja_tmpl calls template.render(), where the template is rendered; the incoming parameters are not filtered, so template injection is possible.

The master's own configuration file is not loaded in the automatic loading logic, but searching shows that a method calls master_config, and master_config, like minion_config, calls apply_sdb(), so unauthorized RCE can be achieved.
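As an added illustration (not Salt's own code), the audit below walks an already-loaded master or minion configuration the way apply_sdb() is described above: it resolves each sdb://aaaa/bbbb?ccc=ddd reference to its profile and key and reports the rest-driver url entries that contain Jinja delimiters, which is exactly what the render path will evaluate and therefore what a defender should review. The configuration is constructed, and the driver value "rest" is assumed from the salt/sdb/rest.py module name.

```python
# Added audit helper, not Salt's code: it resolves "sdb://<profile>/<key>[?var=value]"
# strings in a loaded config the way apply_sdb() is described above and reports any
# reference whose profile uses the rest driver and whose url entry contains Jinja
# delimiters. The config is constructed; driver value "rest" is assumed from rest.py.
from urllib.parse import parse_qsl

SDB_PREFIX = "sdb://"
JINJA_MARKERS = ("{{", "{%", "{#")

def parse_sdb_uri(uri):
    """Split 'sdb://profile/key?a=b' into (profile, key, {'a': 'b'})."""
    profile, _, key_part = uri[len(SDB_PREFIX):].partition("/")
    key, _, query = key_part.partition("?")
    return profile, key, dict(parse_qsl(query, keep_blank_values=True))

def iter_strings(node, path=()):
    """Yield (dotted option path, value) for every string nested in a config tree."""
    if isinstance(node, str):
        yield ".".join(path), node
    elif isinstance(node, dict):
        for k, v in node.items():
            yield from iter_strings(v, path + (str(k),))
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            yield from iter_strings(v, path + (str(i),))

def audit_sdb_templates(config):
    """Return findings for sdb refs whose rest-driver url would be template-rendered."""
    findings = []
    for option, value in iter_strings(config):
        if not value.startswith(SDB_PREFIX):
            continue
        profile_name, key, key_vars = parse_sdb_uri(value)
        profile = config.get(profile_name)
        if not isinstance(profile, dict) or profile.get("driver") != "rest":
            continue
        entry = profile.get(key)  # the bbbb dictionary holding the url
        url = entry.get("url", "") if isinstance(entry, dict) else ""
        if any(marker in url for marker in JINJA_MARKERS):
            findings.append({"option": option, "uri": value, "profile": profile_name,
                             "key": key, "key_vars": key_vars, "url": url})
    return findings

# Constructed sample: one rest profile whose url carries a template, one without.
SAMPLE_CONFIG = {
    "grains": {"site": "sdb://inventory/site?region=eu"},
    "inventory": {"driver": "rest", "site": {"url": "https://cmdb.example.invalid/{{ region }}"}},
    "db_password": "sdb://kv/db",
    "kv": {"driver": "rest", "db": {"url": "https://kv.example.invalid/db"}},
}
```

Run audit_sdb_templates() over the dict produced by loading your real master and minion configuration files; every finding is a url that compile_template will render with the key_vars from the reference.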

Repair suggestion

Apply the official patch as soon as possible.

If the wheel_async module is not used, its entry can be removed from salt/netapi/__init__.py.

This concludes the sample analysis of multiple high-risk remote code execution vulnerabilities in SaltStack. I hope the above content is of some help to you. If you still have many doubts, you can follow the industry information channel for more related knowledge.
