PoC details: b5846bbccb66858f2f5b3d7cc1adc764eae1746a

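Source
Related vulnerability
Title: MinIO information disclosure vulnerability (CVE-2023-28432)
Description: MinIO is an open-source object storage server from the US company MinIO. The product supports building infrastructure for machine learning, analytics, and application data workloads. MinIO has an information disclosure vulnerability: in cluster deployments, MinIO returns all environment variables, which leads to information disclosure.
Description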
Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.
Introduction
# Minio Environment Variables Exploit (CVE-2023-28432)

## Overview

Minio is a multi-cloud object storage framework. In cluster deployments running releases starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, Minio returns all environment variables. These include sensitive values such as `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, which leads to information disclosure. All users of the distributed deployment are affected.

**CVE Identifier:** CVE-2023-28432  
**Severity:** HIGH (Base Score: 7.5)  
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

For more detailed information, please refer to the official NIST page: [CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432).

## Pre-requisites

To exploit this vulnerability using the provided code:

1. You should have Python installed in your environment.
2. Ensure all dependencies are installed from the `requirements.txt` file. This can be done with the command:

   ```
   pip install -r requirements.txt
   ```

3. If you want to leverage Leakix for URL discovery, ensure you have a PRO account with Leakix, as basic users cannot access the bulk feature and MinioPlugin. Furthermore, configure the script with your Leakix API key. 

## Usage

To use the exploit script:

1. If you want to check a single URL:

   ```
   python exploit_script.py -u [URL_TO_CHECK]
   ```

2. If you have a list of URLs you want to check, save them in a file (one URL per line) and use:

   ```
   python exploit_script.py -f [PATH_TO_FILE]
   ```

3. If you want to fetch URLs based on leaks from Leakix:

   ```
   python exploit_script.py --leakpy
   ```

   **Note:** Ensure your Leakix API key is configured correctly in the script if you wish to use this feature.

4. To save the results to an output file:

   ```
   python exploit_script.py [OTHER_ARGUMENTS] -o [OUTPUT_FILE_PATH]
   ```

5. For verbose mode (provides more detailed information on the console):

   ```
   python exploit_script.py [OTHER_ARGUMENTS] --verbose
   ```

## Caution

Remember that scanning and exploiting servers without permission is illegal. Only use this tool on systems you own or have explicit permission to test. 

## Recommendations

All Minio users affected by this vulnerability are advised to upgrade to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue.
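
To act on this recommendation across several deployments, the following added example (not part of this repository's code) classifies an inventory of Minio release tags against the affected range stated in the Overview. The function names, status labels, sample inventory and the handling of suffixed tags are assumptions made for illustration.

```python
import re
from datetime import datetime

# Range bounds copied from the README text above: first affected release
# (inclusive) and first fixed release (exclusive).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"
_TAG = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z(\..+)?$")

def parse_release(tag):
    """Return (timestamp, suffix) for a release tag, or None if malformed."""
    m = _TAG.match(tag.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")
    except ValueError:  # well-formed shape but impossible date, e.g. month 13
        return None
    return ts, m.group(2)

def classify(tag, distributed):
    """Classify one deployment against the affected range given above."""
    parsed = parse_release(tag)
    if parsed is None:
        return "unknown-version"  # e.g. "latest": resolve the real tag first
    ts, suffix = parsed
    lo, hi = parse_release(FIRST_AFFECTED)[0], parse_release(FIRST_FIXED)[0]
    if not (lo <= ts < hi):
        return "outside-affected-range"
    if suffix:
        # Assumption: a suffixed build may differ from the plain release.
        return "review-manually"
    return "upgrade-required" if distributed else "in-range-not-distributed"

def triage(inventory):
    """Map each deployment name to its classification."""
    return {name: classify(tag, dist) for name, tag, dist in inventory}

# Constructed sample inventory: (name, release tag, distributed deployment?)
SAMPLE = [
    ("cluster-a", "RELEASE.2022-06-01T00-00-00Z", True),
    ("single-b", "RELEASE.2022-06-01T00-00-00Z", False),
    ("cluster-c", FIRST_FIXED, True),
    ("cluster-d", "latest", True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```

Deployments reported as `unknown-version` or `review-manually` need their exact build confirmed before they can be ruled in or out.
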
File snapshot

```
[4.0K] /data/pocs/b5846bbccb66858f2f5b3d7cc1adc764eae1746a
├── [5.4K] exploit.py
├── [2.4K] README.md
└── [  83] requirements.txt

0 directories, 3 files
```