SaltStack Salt API Unauthenticated RCE through wheel_async client

Description

This module leverages an authentication bypass and directory traversal vulnerabilities in Saltstack Salt's REST API to execute commands remotely on the `master` as the root user. Every 60 seconds, `salt-master` service performs a maintenance process check that reloads and executes all the `grains` on the `master`, including custom grain modules in the Extension Module directory. So, this module simply creates a Python script at this location and waits for it to be executed. The time interval is set to 60 seconds by default but can be changed in the `master` configuration file with the `loop_interval` option. Note that, if an administrator executes commands locally on the `master`, the maintenance process check will also be performed. It has been fixed in the following installation packages: 3002.5, 3001.6 and 3000.8. Also, a patch is available for the following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10. This module has been tested successfully against versions 3001.4, 3002 and 3002.2 on Ubuntu 18.04.

Author(s)

• Alex Seymour
• Christophe De La Fuente

Platform

Linux,Unix

Architectures

cmd, x86, x64