POC details: a3cbaabd874ab43cce1b974b68234361fde9ab2c

Source
Related vulnerability
Title: SaltStack Salt command injection vulnerability (CVE-2020-28243)
Description: SaltStack Salt is an open-source infrastructure management tool set from SaltStack, providing configuration management, remote execution and related functions. SaltStack Salt before 3002.5 contains a command injection vulnerability that allows any user able to create files on a minion in a directory that is not on the blacklist to escalate local privileges.
Description
CVE-2020-28243 Local Privilege Escalation Exploit in SaltStack Minion
Introduction
# CVE-2020-28243

A command injection vulnerability in SaltStack's Salt allows for privilege escalation via specially crafted process names on a minion when the master calls restartcheck. For a full writeup please see [this blog post](https://sec.stealthcopter.com/cve-2020-28243/).

**Affected Versions:** All versions between 2016.3.0rc2 and 3002.2

**Links:** [Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28243), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-28243)

## Requirements

For this exploit to work the following are needed:

- SaltStack Minion between 2016.3.0rc2 and 3002.5
- Write/Exec access to a directory that isn't explicitly ignored by SaltStack
- Master needs to call `restartcheck.restartcheck` on this minion to trigger the exploit

## Usage

```
./exploit.sh -w PATH -c 'COMMAND'

  -w PATH       writable path (and not blocked by SaltStack)
  -c COMMAND    command to execute
```

### Screenshot

![screenshot](media/screenshot1.png)

### Files

- exploit.sh - The exploit script to perform the privilege escalation.
- helper.c - Helper C program that creates the file handler for us; this could probably be replaced with a Python or bash script. This file is generated automatically by the exploit script.

### Static Binaries

When gcc is not available to compile the helper binary on the target machine, you can compile it on your machine and copy the binary over.

```
gcc helper.c -o ./helper -static
# Or for 32 bit: 
gcc helper.c -o ./helper -m32 -static  
```

Alternatively, static binaries have been provided in the `static` folder of this repo that you can use.

File snapshot

```
[4.0K] /data/pocs/a3cbaabd874ab43cce1b974b68234361fde9ab2c
├── [4.5K] exploit.sh
├── [ 181] helper.c
├── [4.0K] media
│   └── [ 44K] screenshot1.png
├── [1.6K] README.md
└── [4.0K] static
    ├── [4.0K] x86
    │   └── [703K] helper
    └── [4.0K] x86_64
        └── [823K] helper

4 directories, 6 files
```