/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652

Primary language: Python. License: MIT.

[1] What is it?

Scanning tool to test for SaltStack vulnerabilities CVE-2020-11651 & CVE-2020-11652.

The vulnerabilities allow an attacker who can connect to the "request server" port to bypass all authentication
and authorization controls and publish arbitrary control messages, read and write files anywhere on the "master"
server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote
command execution as root on both the master and all minions that connect to it.

[2] How to install it.

The tool requires Python 2.7 or Python 3. External requirements can be installed with pip or easy_install.
For example:

sudo pip install -r requirements.txt


[3] How to use it?

There are two detection methods included:

*	Token disclosure	(-t)

	This method is invoked with the -t option and attempts to read the Salt root token by exploiting the flaw.
	Whilst this method is self-contained, it only works on newer versions of Salt; some older versions are not supported.

*	Remote Code Execution to Out-of-Band (DNS)	(-c)

	This method exploits the flaw by executing the nslookup command to trigger a DNS lookup to the AppCheck
	Sentinel server. The scanner then consults the AppCheck DNS server to determine whether the command executed.
	To achieve this the tool needs to connect out to https://ptst.io/

	Note: For further information on Sentinel see section [4] below.

	Recommended command line: salt_rce_scanner.py -r cidr_ip_range -t -c

[Command Line Options]

  ___              _____ _               _
 / _ \            /  __ \ |             | |
/ /_\ \_ __  _ __ | /  \/ |__   ___  ___| | __
|  _  | '_ \| '_ \| |   | '_ \ / _ \/ __| |/ /
| | | | |_) | |_) | \__/\ | | |  __/ (__|   <
\_| |_/ .__/| .__/ \____/_| |_|\___|\___|_|\_\
      | |   | |
      |_|   |_|

      SaltStack Scanner (CVE-2020-11651 & CVE-2020-11652)
      Author:   Gary O'Leary-Steele
      Version:  0.1 Alpha
Use -h to see usage options

optional arguments:
  -h, --help      show this help message and exit
  -r CIDR_RANGE   Target Host or CIDR Range to scan
  -p PORT         Target Port (4506 by default)
  -c              Enable remote command injection test (out-of-band DNS to
                  AppCheck Sentinel)
  -t              Enable root token disclosure check
  -T THREADS      Maximum Threads (default is 50)
  -o OUTPUT_FILE  Output file


[4] AppCheck Sentinel

= Background =

Traditionally, web application security flaws are detected by modifying client-supplied input in an attempt to trigger
a specific response from the server. For example, SQL Injection flaws are often detected by submitting payloads that
cause a signature to be returned by the database server; in other cases, payloads are designed to trigger a specific
time delay that can be measured to detect the flaw. In each case, these methods use in-band techniques where both the
attack and the response take the same path as regular website traffic and result in immediate confirmation of the
vulnerability.

= Out-of-Band Detection =

There are cases however where in-band techniques are not effective. For example, consider an e-commerce site that
collects orders which are then later reviewed via a back-end order processing system. Whilst AppCheck will detect
vulnerabilities (in-band) within the e-commerce site during a routine scan, vulnerabilities within the back-end order
processing system may not trigger until they are accessed (by another user or process) later down the line.

Other common cases arise when triggering the vulnerability does not provide a reliable in-band mechanism to confirm
the flaw. For example, measuring server response times could be unreliable if the normal server response times are
erratic. In other cases the vulnerability may not change the way the server responds at all, regardless of whether it
has been successfully exploited.

In order to overcome these restrictions, AppCheck implements an Out-of-Band detection system named Sentinel.

Sentinel is a cloud-based monitoring system that hosts specially designed DNS, SMTP, HTTP(S) and SMB services that
intercept out-of-band connections triggered as a result of an AppCheck attack payload.

During a scan, AppCheck submits specially crafted payloads designed to trigger out-of-band connections when they are
successfully executed. Sentinel then detects this execution and updates the scan results accordingly. One of the most
common techniques is the use of DNS tokens embedded within the payload. By design, DNS queries are forwarded to the
authoritative DNS server for a given domain in order to be resolved. Therefore, even if the vulnerable system is not
permitted to access the internet, as long as it is able to resolve DNS names (through its own resolvers) it can
communicate with Sentinel, because the query for the token hostname is eventually forwarded to Sentinel's
authoritative server.
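The following is an added example, not part of the scanner or of AppCheck's Sentinel, illustrating the monitoring side of the DNS token technique used by the -c check in section [3]: a per-target token is derived with an HMAC, embedded in a hostname under the out-of-band domain, and later matched against the authoritative server's query log. The domain oob.example.invalid, the token derivation, the log line format and the sample log are all assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Added example of Sentinel-style DNS token correlation; the domain, token
# derivation and log format are assumptions, not AppCheck's real ones.
OOB_DOMAIN = "oob.example.invalid"  # placeholder, not the real Sentinel domain


def make_token(target: str, secret: bytes) -> str:
    """Per-target label from an HMAC: a hit maps back to its target, and one token gives no clue to the others."""
    return hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()[:16]


def oob_hostname(target: str, secret: bytes) -> str:
    """Hostname whose resolution signals that the command ran on `target`."""
    return f"{make_token(target, secret)}.{OOB_DOMAIN}"


# Assumed authoritative-server log line: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?)\.?\s+(\S+)$")


def correlate(log_lines: Iterable[str], targets: List[str], secret: bytes) -> Dict[str, List[str]]:
    """Return {target: [querying ips]} for every target whose token was resolved.
    The client IP is the recursive resolver that forwarded the query, not the target host itself."""
    by_token = {make_token(t, secret): t for t in targets}
    suffix = "." + OOB_DOMAIN
    hits: Dict[str, List[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        qname = qname.lower()  # DNS names are case-insensitive; resolvers may alter case
        if not qname.endswith(suffix):
            continue
        token = qname[: -len(suffix)].split(".")[-1]  # label nearest the OOB domain
        target = by_token.get(token)
        if target is not None and client not in hits.setdefault(target, []):
            hits[target].append(client)
    return hits


SECRET = b"constructed-scan-secret"  # constructed for this example only
TARGETS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # documentation addresses
SAMPLE_LOG = [  # constructed log lines: two real hits, one unrelated query, one unknown token
    f"2020-05-01T10:00:01Z 198.51.100.5 {oob_hostname('192.0.2.10', SECRET)}. A",
    "2020-05-01T10:00:02Z 198.51.100.5 www.example.com. A",
    f"2020-05-01T10:00:03Z 198.51.100.9 {oob_hostname('192.0.2.12', SECRET).upper()} AAAA",
    "2020-05-01T10:00:04Z 203.0.113.7 deadbeefdeadbeef.oob.example.invalid. A",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG, TARGETS, SECRET))
```

Only 192.0.2.10 and 192.0.2.12 are reported; 192.0.2.11 never resolved its token, and the unknown token is ignored rather than trusted.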