module

SaltStack Salt Master/Minion Unauthenticated RCE

Disclosed
2020-04-30
Created
2020-05-13

Description

This module exploits unauthenticated access to the runner() and
_send_pub() methods in the SaltStack Salt master's ZeroMQ request
server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to
execute code as root on either the master or on select minions.

VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as
well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual
Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,
1.3, 1.5, and 1.6 in certain configurations, are known to be affected
by the Salt vulnerabilities.

Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as
well as Vulhub's Docker image.

Authors

F-Secure
wvu wvu@metasploit.com

Platform

Python,Unix

Architectures

python, cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/misc/saltstack_salt_unauth_rce
msf exploit(saltstack_salt_unauth_rce) > show targets
...targets...
msf exploit(saltstack_salt_unauth_rce) > set TARGET < target-id >
msf exploit(saltstack_salt_unauth_rce) > show options
...show and set options...
msf exploit(saltstack_salt_unauth_rce) > exploit

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.