stealthcopter/CVE-2020-28243

CVE-2020-28243

A command injection vulnerability in SaltStack's Salt allows privilege escalation via specially crafted process names on a minion when the master calls restartcheck. For a full writeup, please see this blog post.

Affected Versions: All versions between 2016.3.0rc2 and 3002.2

Links: Mitre, NVD

Requirements

For this exploit to work the following are needed:

  • SaltStack Minion between 2016.3.0rc2 and 3002.5
  • Write/Exec access to a directory that isn't explicitly ignored by SaltStack
  • Master needs to call restartcheck.restartcheck on this minion to trigger the exploit
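
A defender-side check for the condition described above, added here as an example (not code from this repository or from Salt): it flags processes whose executable path contains shell metacharacters, the kind of crafted process name this vulnerability depends on. The metacharacter set, function names and sample records are assumptions constructed for illustration.

```python
import os
import re

# Characters a shell treats specially; legitimate executable paths rarely
# contain them. (Assumed indicator set for this example, not taken from Salt.)
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")
DELETED = " (deleted)"

def suspicious_name(exe_path):
    """Return the set of shell-significant characters found in exe_path."""
    return set(SHELL_META.findall(exe_path))

def audit(processes):
    """processes: iterable of (pid, exe_path). Returns a list of findings."""
    findings = []
    for pid, exe in processes:
        # Linux appends " (deleted)" to /proc/<pid>/exe when the binary was
        # unlinked; strip it so the marker's parentheses are not flagged.
        path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
        hits = suspicious_name(path)
        if hits:
            findings.append({"pid": pid, "exe": exe, "chars": sorted(hits)})
    return findings

def live_processes(proc="/proc"):
    """Yield (pid, exe_path) for processes readable on this Linux host."""
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                yield int(entry), os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                continue  # kernel thread, exited process, or no permission

# Constructed sample records (pid, executable path); payloads are inert
# placeholders.
SAMPLE = [
    (812, "/usr/sbin/sshd"),
    (1490, "/usr/bin/python3.8"),
    (2077, "/usr/lib/x86_64-linux-gnu/libexec/foo (deleted)"),
    (3310, "/tmp/build/worker;placeholder-command"),
    (3311, "/var/tmp/a$(placeholder)"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a minion, `audit(live_processes())` runs the same check against the live process table; run it as root so every `/proc/<pid>/exe` link is readable.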

Usage

./exploit.sh -w PATH -c 'COMMAND'

  -w PATH       writable path (and not blocked by SaltStack)
  -c COMMAND    command to execute

Files

  • exploit.sh - The exploit script to perform the privilege escalation.
  • helper.c - Helper C program that creates the file handle for us; this could probably be replaced with a Python or Bash script. This file is generated automatically by the exploit script.

Static Binaries

When gcc is not available to compile the helper binary on the target machine, you can compile it on your machine and copy the binary over.

gcc helper.c -o ./helper -static
# Or for 32 bit: 
gcc helper.c -o ./helper -m32 -static  

Alternatively, static binaries are provided in the static folder of this repo.
