Windows Privilege Escalation

[iquaba]

When using the cmd.script to upload and execute a script hosted on the salt-master, an attacker is able to overwrite the minion's copy of the script before execution. This leads to a race condition where the attacker may be able to run malicious code as system.

Sample script:

[thatch45]

Yes, this is serious, we protect against this on unix like systems by making sure that the files are always owned by root and not otherwise writable and with umask considerations.

I will get @UtahDave on this ASAP and get this taken care of!

[mike-ainsworth]

In my experience, this issue is common for config management software running on Windows platforms. I have seen this situation with numerous other platforms, but I definitely agree that this is a security problem.

The challenge is that setting the permissions on a file in windows is usually a seperate action from copying a file and using subinacl or power-shell's set-acl to properly set the acl after the file is copied doesn't eliminate the race-condition vulnerability. Perhaps configuring the minion installation to set the destination directory that Salt is copying the script file to with admin and service account privileges and allowing inheritence do the rest would be the simplest solution.

[UtahDave]

Mike, thanks for the great suggestion. That does sound like the best way
to go about this.

On Sat, Jul 27, 2013 at 3:54 PM, Mike Ainsworth notifications@github.comwrote:

In my experience, this issue is common for config management software
running on Windows platforms. I have seen this situation with numerous
other platforms, but I definitely agree that this is a security problem.

The challenge is that setting the permissions on a file in windows is
usually a seperate action from copying a file and using subinacl or
power-shell's set-acl to properly set the acl after the file is copied
doesn't eliminate the race-condition vulnerability. Perhaps configuring the
minion installation to set the destination directory that Salt is copying
the script file to with admin and service account privileges and allowing
inheritence do the rest would be the simplest solution.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/6361#issuecomment-21673207
.

Dave Boucha | Sr. Engineer

5272 South College Drive, Suite 301 | Murray, UT 84123
office 801-305-3563
dave@saltstack.com | www.saltstack.com http://saltstack.com/

[UtahDave]

@mike-ainsworth and @iquaba, what are your thoughts on this fix? In the installer I set c:\salt to only be accessible by Administrator's Group and the System user.

[mike-ainsworth]

That should do it!

-Mike

Sent from my iPhone. Please pardon any typographical errors.

On Jul 29, 2013, at 8:11 PM, David Boucha notifications@github.com wrote:

@mike-ainsworth https://github.com/mike-ainsworth and
@iquabahttps://github.com/iquaba,
what are your thoughts on this fix? In the installer I set c:\salt to only
be accessible by Administrator's Group and the System user.

—
Reply to this email directly or view it on
GitHubhttps://github.com//issues/6361#issuecomment-21763524
.

[iquaba]

Sounds good to me. I'll take another whack at breaking it and make sure it holds up when I get a chance.

[UtahDave]

Here's a link to an installer with this fix. http://saltstack.com/downloads/dev/Salt-Minion-0.16.2-rc1-AMD64-Setup.exe