{"id":13296866,"url":"https://github.com/stealthcopter/CVE-2020-28243","last_synced_at":"2025-03-10T09:32:10.494Z","repository":{"id":109127523,"uuid":"323716576","full_name":"stealthcopter/CVE-2020-28243","owner":"stealthcopter","description":"CVE-2020-28243 Local Privledge Escalation Exploit in SaltStack Minion","archived":false,"fork":false,"pushed_at":"2021-03-03T08:01:22.000Z","size":700,"stargazers_count":17,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-04T15:52:12.460Z","etag":null,"topics":["cve","cve-2020-28243","privilege-escalation","saltstack","saltstack-minion"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stealthcopter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-22T19:35:15.000Z","updated_at":"2024-08-12T20:08:45.000Z","dependencies_parsed_at":"2023-03-16T14:00:58.061Z","dependency_job_id":null,"html_url":"https://github.com/stealthcopter/CVE-2020-28243","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealthcopter%2FCVE-2020-28243","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealthcopter%2FCVE-2020-28243/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealthcopter%2FCVE-2020-28243/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealthcopter%2FCVE-2020-28243/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stealthcopter","download_url":"https://codeload.github.com/stealthcopter/CVE-2020-28243/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242823718,"owners_count":20191048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","cve-2020-28243","privilege-escalation","saltstack","saltstack-minion"],"created_at":"2024-07-29T17:21:17.632Z","updated_at":"2025-03-10T09:32:10.121Z","avatar_url":"https://github.com/stealthcopter.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2020-28243\n\nA command injection vulnerability in SaltStack's Salt allows for privilege escalation via specially crafted process names on a minion when the master calls restartcheck. For a full writeup please see [this blog post](https://sec.stealthcopter.com/cve-2020-28243/)\n\n**Affected Versions:** All versions between 2016.3.0rc2 and 3002.2\n\n**Links:** [Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28243), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-28243)\n\n## Requirements\n\nFor this exploit to work the following are needed:\n\n- SaltStack Minion between 2016.3.0rc2 and 3002.5\n- Write/Exec access to a directory that isn't explicitly ignored by SaltStack\n- Master needs to call `restartcheck.restartcheck` on this minion to trigger the exploit\n\n## Usage\n\n```\n./exploit.sh -w PATH -c 'COMMAND'\n\n  -w PATH       writable path (and not blocked by SaltStack)\n  -c COMMAND    command to execute\n```\n\n### Screenshot\n\n![screenshot](media/screenshot1.png)\n\n### Files\n\n- exploit.sh - The exploit script to perform the privilege escalation.\n- helper.c - Helper C program that will create the file handler for us, this could probably be replaced with a python or bash script. This file will be automatically generated by the exploit script. \n\n### Static Binaries\nWhen gcc is not available to compile the helper binary on the target machine, you can compile it on your machine and copy the binary over. \n\n```\ngcc helper.c -o ./helper -static\n# Or for 32 bit: \ngcc helper.c -o ./helper -m32 -static  \n```\n\nAlternatively static binaries have been provided in this repo that you can use in the `static` folder.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealthcopter%2FCVE-2020-28243","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstealthcopter%2FCVE-2020-28243","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealthcopter%2FCVE-2020-28243/lists"}