CVE-2020-28243 Local Privilege Escalation Exploit in SaltStack Minion
stealthcopter/CVE-2020-28243

CVE-2020-28243

A command injection vulnerability in SaltStack's Salt allows privilege escalation via specially crafted process names on a minion when the master calls restartcheck. For a full write-up, please see this blog post.

Affected Versions: All versions between 2016.3.0rc2 and 3002.2
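The affected range spans both of Salt's version schemes (date-based releases such as 2016.3.0rc2 and the numeric scheme used from 3000 onwards), so an inventory check has to parse both and order release candidates before final releases. The following Python is an added example, not code from this repository: it parses a Salt version string and reports whether it falls inside the range stated above (the Requirements list below gives 3002.5 as the upper bound, so the bounds are parameters). The `salt-minion --version` output format it parses is an assumption, with a constructed sample.

```python
import re

# Affected range as stated in this README (the Requirements list cites 3002.5
# as the upper bound; pass last_affected= to use that instead).
FIRST_AFFECTED = "2016.3.0rc2"
LAST_AFFECTED = "3002.2"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?$")


def parse_salt_version(text):
    """Turn a Salt version string into a tuple that sorts correctly.

    Handles the date-based scheme (2016.3.0rc2, 2019.2.8) and the numeric
    scheme used from 3000 onwards (3000, 3002.2). Missing components are
    padded with zeros and a release candidate sorts before its final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Salt version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    rc = m.group(2)
    # (numbers, is_final, rc_number): ((2016,3,0), 0, 2) < ((2016,3,0), 1, 0)
    return (tuple(parts), 0 if rc else 1, int(rc) if rc else 0)


def is_affected(version, first_affected=FIRST_AFFECTED, last_affected=LAST_AFFECTED):
    """True if `version` lies inside the inclusive affected range."""
    v = parse_salt_version(version)
    return parse_salt_version(first_affected) <= v <= parse_salt_version(last_affected)


def version_from_cli_output(output):
    """Extract the version token from `salt-minion --version` output.

    Assumed output format (constructed sample): "salt-minion 3002.2".
    """
    m = re.search(r"salt-minion\s+(\S+)", output)
    if not m:
        raise ValueError("no version found in: %r" % output)
    return m.group(1)


if __name__ == "__main__":
    sample = "salt-minion 3002.2\n"  # constructed sample, not live output
    v = version_from_cli_output(sample)
    print(v, "affected" if is_affected(v) else "not affected")
```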

Links: Mitre, NVD

Requirements

For this exploit to work the following are needed:

  • SaltStack Minion between 2016.3.0rc2 and 3002.5
  • Write/Exec access to a directory that isn't explicitly ignored by SaltStack
  • The master needs to call restartcheck.restartcheck on this minion to trigger the exploit

Usage

./exploit.sh -w PATH -c 'COMMAND'

  -w PATH       writable path (and not blocked by SaltStack)
  -c COMMAND    command to execute

Screenshot

screenshot

Files

  • exploit.sh - The exploit script to perform the privilege escalation.
  • helper.c - Helper C program that creates the file handler for us; this could probably be replaced with a Python or Bash script. This file is generated automatically by the exploit script.

Static Binaries

When gcc is not available to compile the helper binary on the target machine, you can compile it on your machine and copy the binary over.

gcc helper.c -o ./helper -static
# Or for 32 bit:
gcc helper.c -o ./helper -m32 -static

Alternatively, static binaries have been provided in the static folder of this repo.
