According to their site, "SaltStack infrastructure automation software is used by IT, network, and security operations teams to drive security and reliability for digital business." So, finding a vulnerability in SaltStack could do real damage to a company.
The vulnerability is a simple command injection into a shell-spawning command. The interesting note was that the SaltStack APIs were verifying that data was sanitized. However, a few parameters were not being properly sanitized, which led to the vulnerability.
Additionally, this vulnerability was triggerable from an unauthenticated context. Another thing to note was that this vulnerability was not in a default configuration; an administrator had to turn this configuration on.
This was assigned two CVEs: one for the improper sanitization and the other for having the system spawn a shell when executing these commands. In languages like Java, the shell command is not usually injectable because the input is parameterized (like SQL queries). Apparently, this was running in a non-parameterized context, so they made this fix for the CVE.
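
The two issues side by side, as an added example that is not SaltStack's code: a hypothetical handler validates only some of its fields, then runs a command first through a shell and then as an argument list. The field names, the allowlist and the request are constructed for illustration.

```python
import re
import subprocess

# Hypothetical allowlist check, standing in for the API-side sanitization.
SAFE = re.compile(r"^[A-Za-z0-9._/-]+$")
CHECKED_FIELDS = ("host", "user")  # "keyfile" was never listed (assumption for the demo)


def validate(params):
    """Reject unsafe values, but only in the fields that were listed."""
    for name in CHECKED_FIELDS:
        if not SAFE.match(params[name]):
            raise ValueError(f"unsafe value in {name!r}")


def run_via_shell(params):
    """'Before': one command string, parsed by /bin/sh."""
    validate(params)
    cmd = "echo connect {user}@{host} -i {keyfile}".format(**params)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_via_argv(params):
    """'After': no shell; each value is exactly one argv entry."""
    validate(params)
    argv = ["echo", "connect", f"{params['user']}@{params['host']}",
            "-i", params["keyfile"]]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


# Constructed request: the unchecked field carries a shell metacharacter.
REQUEST = {"host": "10.0.0.5", "user": "root",
           "keyfile": "id_rsa; echo SECOND-COMMAND"}

if __name__ == "__main__":
    # The shell splits the string at ';' and runs two commands.
    print("shell:", run_via_shell(REQUEST).splitlines())
    # The argument list keeps the whole value as a single literal argument.
    print("argv: ", run_via_argv(REQUEST).splitlines())
```

Dropping the shell removes the injection even though the validation gap is still there, which is why each half is worth fixing separately.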