BadSalt (Adversarial DevOps)
SaltStack is robust configuration management utility used by many to achieve DevOps related initiatives in their organizations. Thanks to its open source model, SaltStack can be used by both hobbyist, hackers, and corporations alike. Like any open source tool suite out there, that also means individuals with adversarial intent, be it professional, or malicious, can also take advantage of this tool. In its most simple case, SaltStack can be used by an adversary as a simple Command and Control server (C2 server). However, if SaltStack is used as intended, an educated adversary can easily turn salt “bad” in more ways than simple command and control.
By re-configuring and automating basic settings within the Salt Master and Salt Minion configurations, it is easy to deploy SaltStack across many systems for any scenario. Coupling this ease of deployment with a basic understanding of configuration management, and scripted stagers, the result is a powerful post-exploitation framework with a built in C2 server, that is simply just SaltStack, but in use by an adversary. There are many benefits for using such a tool suite from an adversarial perspective such as, easily bypassing AV with trusted Salt Minions, and taking advantage of the desired state configurations to build out robust, scalable, post exploitation persistence modules.
Part of the research conducted was not just on how an adversary might use SaltStack, but also on how they might target a SaltStack environment. Man in the middle attacks are a concerning attack vector against Salt Minions at the time of this research. SaltStack has strong protections against this, but they are not enabled by default due to the need of manually distributing a unique public key. It is up to the individual(s) deploying SaltStack to be sure they enabled the proper security features to be safe from these attacks. Fortunately, SaltStack does have a few compensating controls that make this less likely after a successful deployment, but it is important that all SaltStack users are made aware of the importance and impact that just one particular setting can have on their infrastructure. Fortunately methods of detecting this activity are clear and well documented, but unfortunately a successful attack usually means root access on the target which could result in an adversary clearing their tracks. This could make it difficult to perform root cause analysis unless network traffic was analyzed at the time of the event.
The overall goal of this research is to show how advances in tools for perfectly legitimate Information Technology initiatives, like DevOps, can be turned into sophisticated tool suites for attackers. In true hacker spirit, this technology can be used for completely unintended purposes. This presentation will provide the insight to how SaltStack could be attacked or used in an adversarial context, and also how those attacks or uses could be detected and prevented.
About Casey Erdmann: Casey Erdmann, also known as 3ndG4me by his CTF team mates and online social communities, is an avid offensive security nerd. Casey is 23 years old, and has a love for CTFs and application security. He is the co-founder of DC706, and is active in his local computer security community. Casey has been responsible for implementing infrastructure for local high-school CTF competitions, and coaching his local university’s SECCDC team. Casey is also responsible for developing the OpenVPN Connect module for the WiFi Pineapple, as well as Propane King of the Hill, a NetKotH rewrite inspired by members of DC 404. When he isn’t writing neat tools, or reaching out to his local community, Casey spends about 90% of his free time researching the latest offensive security news/techniques and playing CTFs trying to “get good”, with the other 10% being writing music, playing video games, or optional sleep. Twitter: @3ndG4me_