CVE-2020-11651


A vulnerability was found in SaltStack Salt. It has been classified as critical. Affected is the function ClearFuncs. The manipulation with an unknown input leads to an input validation vulnerability. CWE is classifying the issue as CWE-20: the product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability.

Exploit


Exploit located online

SaltStack has a very interesting architecture, and its message bus is done over ZeroMQ. This explains the presence of ZMTP servers on the target ports 4505 and 4506.
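To make sense of what a scanner reports as "zmtp" on 4505 and 4506, it helps to know what the first bytes on the wire look like. The following is an added example (not part of the write-up and not from the PoC repository): it builds and parses the fixed 64-byte ZMTP 3.x greeting as defined in the ZMTP 3.0 specification, with a constructed sample greeting standing in for a capture. The field layout (signature, version, mechanism, as-server flag, filler) comes from that specification; the port numbers come from the text above. Salt's ZeroMQ bus uses the `NULL` security mechanism, which is the reason a defender cares: there is no transport-level encryption or authentication at the ZMTP layer, all of Salt's protection sits in the application-layer request handling (the `ClearFuncs` code the CVE concerns), so these ports should only ever be reachable from managed minions.

```python
"""Build and parse ZMTP 3.x greetings (the 64-byte hello every ZeroMQ peer sends first).

Added educational example. Field layout per the ZMTP 3.0 spec (RFC 23):
  10 bytes  signature: 0xFF, 8 padding bytes, 0x7F
   1 byte   major version
   1 byte   minor version
  20 bytes  mechanism name, ASCII, NUL-padded ("NULL", "PLAIN", "CURVE", ...)
   1 byte   as-server flag (0x00 or 0x01)
  31 bytes  filler (zeros)
"""
from dataclasses import dataclass

GREETING_LEN = 64
SALT_PORTS = {4505: "publisher (master -> minions)", 4506: "request server (minions -> master)"}


@dataclass(frozen=True)
class ZmtpGreeting:
    major: int
    minor: int
    mechanism: str
    as_server: bool

    @property
    def transport_protected(self) -> bool:
        # Only CURVE (and PLAIN, weakly) add security at the ZMTP layer; NULL adds none.
        return self.mechanism in ("CURVE", "PLAIN")


def build_greeting(major: int = 3, minor: int = 0, mechanism: str = "NULL", as_server: bool = False) -> bytes:
    """Assemble a spec-conformant greeting; used here to construct sample input."""
    name = mechanism.encode("ascii")
    if len(name) > 20:
        raise ValueError("mechanism name longer than 20 bytes")
    # libzmq fills the 8 padding bytes with 0x00 * 7 + 0x01 (a leftover of the ZMTP 2 length field).
    signature = b"\xff" + b"\x00" * 7 + b"\x01" + b"\x7f"
    return (
        signature
        + bytes([major, minor])
        + name.ljust(20, b"\x00")
        + (b"\x01" if as_server else b"\x00")
        + b"\x00" * 31
    )


def parse_zmtp_greeting(data: bytes) -> ZmtpGreeting:
    """Parse the first 64 bytes received from a peer; raises ValueError if it is not ZMTP 3.x."""
    if len(data) < GREETING_LEN:
        raise ValueError(f"need {GREETING_LEN} bytes, got {len(data)}")
    if data[0] != 0xFF or data[9] != 0x7F:
        raise ValueError("not a ZMTP greeting: bad signature")
    major, minor = data[10], data[11]
    if major < 3:
        # ZMTP 1.0/2.0 use a different layout after the signature; out of scope here.
        raise ValueError(f"unsupported ZMTP major version {major}")
    mechanism = data[12:32].rstrip(b"\x00").decode("ascii")
    as_server = data[32] == 0x01
    return ZmtpGreeting(major, minor, mechanism, as_server)


def describe_salt_port(port: int, greeting: ZmtpGreeting) -> str:
    """One-line assessment an analyst can paste into an exposure report."""
    role = SALT_PORTS.get(port, "unknown role")
    protection = "ZMTP-layer security present" if greeting.transport_protected else "no ZMTP-layer security (application layer only)"
    return f"tcp/{port}: Salt {role}, ZMTP {greeting.major}.{greeting.minor}, mechanism {greeting.mechanism}, {protection}"


# Constructed sample: what a Salt master's ZeroMQ socket sends first (NULL mechanism, client side).
SAMPLE_GREETING = build_greeting(3, 0, "NULL", as_server=False)

if __name__ == "__main__":
    g = parse_zmtp_greeting(SAMPLE_GREETING)
    for port in sorted(SALT_PORTS):
        print(describe_salt_port(port, g))
```

The `describe_salt_port` output is the kind of line worth keeping in an inventory: a Salt master whose 4506 answers with `NULL` to arbitrary source addresses is relying entirely on the application-layer checks that this CVE bypasses, so patching and restricting the source ranges on both ports are the controls that matter.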

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ git clone https://github.com/jasperla/CVE-2020-11651-poc ; python3 -m venv CVE-2020-11651-poc/.venv ; source CVE-2020-11651-poc/.venv/bin/activate
Cloning into 'CVE-2020-11651-poc'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 30 (delta 12), reused 26 (delta 10), pack-reused 0 (from 0)
Receiving objects: 100% (30/30), 8.61 KiB | 8.61 MiB/s, done.
Resolving deltas: 100% (12/12), done.
 
┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ pip3 install salt                             

Setting up a virtual environment for the exploit script