CVE-2020-11652
A vulnerability was found in SaltStack Salt. It has been declared as critical. Affected by this vulnerability is the function ClearFuncs. The manipulation with an unknown input leads to an input validation vulnerability. The CWE definition for the vulnerability is CWE-22: the product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability.
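The CWE-22 definition above is the check a restricted file root needs: resolve the user-supplied path first, then compare whole path components, not string prefixes. The following is an added example (my own code, not Salt's ClearFuncs implementation and not the PoC); the base directory /srv/salt and the file names are constructed inputs, and the symlink case is built in a temporary directory.

```python
import os
import tempfile

def naive_is_under(base_dir, user_path):
    """The buggy check: string prefix match on a joined path.
    Accepts /srv/salt_other when base is /srv/salt (prefix collision)."""
    return os.path.abspath(os.path.join(base_dir, user_path)).startswith(base_dir)

def resolve_under(base_dir, user_path):
    """Return the resolved absolute path if it lies inside base_dir, else None.
    realpath() collapses '..' and follows symlinks; commonpath() compares
    whole components, so /srv/salt_other is not 'under' /srv/salt."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate

def check_cases(base_dir="/srv/salt"):
    """Constructed inputs; returns (naive accepted, resolve_under accepted)."""
    inputs = ["top.sls", "web/init.sls", "../../etc/passwd",
              "/etc/passwd", "../salt_other/x.sls"]
    return {p: (naive_is_under(base_dir, p), resolve_under(base_dir, p) is not None)
            for p in inputs}

def symlink_escape_rejected():
    """Build a base dir containing a symlink that points outside it and
    confirm resolve_under() refuses a path that goes through that link."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        outside = os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret"), "w") as f:
            f.write("constructed sample")
        os.symlink(outside, os.path.join(base, "link"))
        return resolve_under(base, "link/secret") is None

if __name__ == "__main__":
    for path, (naive, strict) in check_cases().items():
        print(f"{path!r:28} naive={naive!s:5} resolved={strict}")
    print("symlink escape rejected:", symlink_escape_rejected())
```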
Exploit
Exploit located online
SaltStack has a very interesting architecture, and its message bus is done over ZeroMQ.
This explains the presence of ZMTP servers on the target ports 4505 and 4506.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ git clone https://github.com/jasperla/CVE-2020-11651-poc ; python3 -m venv CVE-2020-11651-poc/.venv ; source CVE-2020-11651-poc/.venv/bin/activate
Cloning into 'CVE-2020-11651-poc'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 30 (delta 12), reused 26 (delta 10), pack-reused 0 (from 0)
Receiving objects: 100% (30/30), 8.61 KiB | 8.61 MiB/s, done.
Resolving deltas: 100% (12/12), done.
┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ pip3 install salt
Setting up a virtual environment for the exploit script