module
SaltStack Salt API Unauthenticated RCE through wheel_async client
| Disclosed | Created |
|---|---|
| 2021-02-25 | 2021-04-01 |
Disclosed
2021-02-25
Created
2021-04-01
Description
This module leverages an authentication bypass and directory
traversal vulnerabilities in Saltstack Salt's REST API to execute
commands remotely on the `master` as the root user.
Every 60 seconds, `salt-master` service performs a maintenance
process check that reloads and executes all the `grains` on the
`master`, including custom grain modules in the Extension Module
directory. So, this module simply creates a Python script at this
location and waits for it to be executed. The time interval is set to
60 seconds by default but can be changed in the `master`
configuration file with the `loop_interval` option. Note that, if an
administrator executes commands locally on the `master`, the
maintenance process check will also be performed.
It has been fixed in the following installation packages: 3002.5,
3001.6 and 3000.8.
Also, a patch is available for the following versions: 3002.2,
3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10,
2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4,
2015.8.13 and 2015.8.10.
This module has been tested successfully against versions 3001.4,
3002 and 3002.2 on Ubuntu 18.04.
traversal vulnerabilities in Saltstack Salt's REST API to execute
commands remotely on the `master` as the root user.
Every 60 seconds, `salt-master` service performs a maintenance
process check that reloads and executes all the `grains` on the
`master`, including custom grain modules in the Extension Module
directory. So, this module simply creates a Python script at this
location and waits for it to be executed. The time interval is set to
60 seconds by default but can be changed in the `master`
configuration file with the `loop_interval` option. Note that, if an
administrator executes commands locally on the `master`, the
maintenance process check will also be performed.
It has been fixed in the following installation packages: 3002.5,
3001.6 and 3000.8.
Also, a patch is available for the following versions: 3002.2,
3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10,
2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4,
2015.8.13 and 2015.8.10.
This module has been tested successfully against versions 3001.4,
3002 and 3002.2 on Ubuntu 18.04.
Authors
Alex Seymour
Christophe De La Fuente
Christophe De La Fuente
Platform
Linux,Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.