CVE-2020-11651:An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
在2019.2.4之前和3000.2之前版本中存在的漏洞。salt 主进程 ClearFuncs 类无法正确验证方法调用。使得远程用户可以绕过身份认证直接调用方法。这些方法可用于salt主机检索用户口令和执行任意命令。
CVE-2020-11652:An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
在2019.2.4之前和3000.2之前的版本中存在的漏洞。salt 主进程 ClearFuncs 类允许访问某些不正确清理路径的方法。这些方法允许对经过身份验证的用户进行目录遍历。
声明:此篇文章仅用于安全加固测试安全建议,禁止用于违法操作。就不公开漏洞利用工具及其代码。请大家自行去找。
环境准备
- 使用yum安装SaltStack版本指定2019.2.3(不要是最新版本,最新版本修复了这个漏洞,生产环境禁止使用此版本)。
[root@VM_1_4_centos /]# cat /etc/yum.repos.d/sal.repo
[ltstack-repo]
name=SaltStack repo for RHEL/CentOS $releasever PY3
baseurl=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/archive/2019.2.3
enabled=1
gpgcheck=1
gpgkey=https://repo.saltstack.com/py3/redhat/$releasever/$basearch/archive/2019.2.3/SALTSTACK-GPG-KEY.pub
[root@VM_1_4_centos /]# yum install salt-master salt-minion salt-ssh salt-syndic salt-cloud salt-api -y
- 安装-》修改配置文件-》启动服务-》配置秘钥过于简单不演示。
[root@VM_1_4_centos /]# salt '*' test.version
VM_1_5_centos:
2019.2.3
- 使用nmap半开对我的主机进行端口扫描。
sh-3.2# nmap -sS 139.155.91.123 -p1-65535
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 22:42 CST
Nmap scan report for 139.155.91.123
Host is up (0.043s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp filtered msrpc
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524
4505/tcp open unknown
4506/tcp open unknown
5554/tcp filtered sgi-esphttp
Nmap done: 1 IP address (1 host up) scanned in 56.58 seconds
- 使用searchsploit 去检索关于saltstack 的漏洞利用代码.
➜ ~ searchsploit exploits saltstack
----------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------- ---------------------------------
Saltstack 3000.1 - Remote Code Execution | multiple/remote/48421.txt
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
- 使用searchsploit 去下载漏洞利用代码。
➜ ~ searchsploit -m ID号(为了安全就不写完了,可以屏蔽部分小白。大佬也屏蔽不住。)
Exploit: Saltstack 3000.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/48421
Path: /opt/exploitdb/exploits/multiple/remote/48421.txt
File Type: Python script text executable, ASCII text, with CRLF line terminators
Copied to: /Users/lqh/48421.txt
- 阅读下代码需要哪些参数。(我不放全了)
........部分省略.........
def main():
parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
parser.add_argument('--port', '-p', dest='master_port', default='4506')
parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
parser.add_argument('--read', '-r', dest='read_file')
parser.add_argument('--upload-src', dest='upload_src')
parser.add_argument('--upload-dest', dest='upload_dest')
parser.add_argument('--exec', dest='exec', help='Run a command on the master')
parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
args = parser.parse_args()
print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
time.sleep(1)
# Both src and destination are required for uploads
if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
print('[-] Must provide both --upload-src and --upload-dest')
sys.exit(1)
channel = init_minion(args.master_ip, args.master_port)
if check_salt_version():
print("[ ] This version of salt is vulnerable! Check results below")
elif args.force:
print("[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.")
else:
sys.exit()
..........部分省略...........
- 阅读代码可以知道一下参数是必须的:
| 参数名 | 含义 | 默认值 | 是否必要 |
|---|---|---|---|
| --master, -m | 指定maser主机的IP | 127.0.0.1 | 是 |
| --port, -p | 指定master主机的端口 | 4506 | 是 |
| --force, -f | 强制模式 | False | 否 |
| --debug, -d | debug模式 | False | 否 |
| --run-checks, -c | 检查 | False | 否 |
| --read, -r | 读文件 | 无 | 否 |
| --upload-src | 上传文件路径 | 无 | 否 |
| --upload-dest | 上传目的地址 | 无 | 否 |
- 后面的我执行传参就不写了,这里测试了这个漏洞威力无穷。
- 有个坑需要导入salt的包,需要用pip装,国内巨慢。改了阿里的还是慢各种报错。还有要使用python3,把$PATH的python软连接改成python3的。最后声明一次!只可用来进行试验,禁止用于非法途径。
来不及修补怎么办?
- 根据网络通讯原则,需要满足五元组方可完成通讯。所以我们可以将4506,4505暂时不对外开放,非要用可以指定来源IP。
- 更新到最新的版本。文章开头那个baseurl地址改成最新版本的地址即可。然后安装,重启。
网友评论