MinIO verify interface sensitive information disclosure vulnerability analysis (CVE-2023-28432)

Introduction

Vulnerability description: MinIO is an open source object storage service compatible with the Amazon S3 API that can be deployed in private or public clouds. It is a high-performance, highly available distributed storage system that stores large volumes of data and provides fast reads and writes. MinIO uses a distributed architecture and can run across multiple nodes so that storage and processing of data are spread over the cluster.

Scope of impact: The MinIO verify interface has a sensitive information leakage vulnerability. An attacker can read sensitive system information by sending a request to a specially constructed URL.

Exploit payload

POST /minio/bootstrap/v1/verify HTTP/1.1

Vulnerability detection method

HTTP request:

GET /api/v1/check-version

HTTP response:

HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Date: Fri, 24 Mar 2023 06:26:01 GMT
Server: MinIO Console
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 69

{
    "latest_version": "minio/minio:RELEASE.2023-03-22T06-36-24Z"
}

When the value of latest_version is earlier than RELEASE.2023-03-20T20-16-18Z, the instance is vulnerable.
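An added helper that applies the detection rule above (example code written for this page, not part of the original post or of MinIO): it parses the JSON body returned by /api/v1/check-version, compares the release tag against the fixed release, and scans constructed access-log lines for bootstrap verify calls from outside an assumed cluster network (the 10.0.0. prefix and the log lines are assumptions).

```python
import json
import re
from datetime import datetime

# Release in which the bootstrap verify leak was fixed, as stated on the page.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"
_TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")


def parse_release(tag: str) -> datetime:
    """Turn 'minio/minio:RELEASE.2023-03-22T06-36-24Z' (or a bare tag) into a datetime."""
    m = _TAG_RE.search(tag)
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_vulnerable_release(tag: str) -> bool:
    """Page's rule: a release older than the fixed one is affected."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


def assess_check_version_body(body: str) -> bool:
    """Apply the rule to the JSON body returned by GET /api/v1/check-version."""
    return is_vulnerable_release(json.loads(body)["latest_version"])


# Constructed sample access-log lines (assumed format, not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2023:06:26:01 +0000] "GET /api/v1/check-version HTTP/1.1" 200 69
203.0.113.9 - - [24/Mar/2023:06:27:14 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 812
10.0.0.7 - - [24/Mar/2023:06:28:30 +0000] "PUT /bucket/object HTTP/1.1" 200 0
"""
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_verify_calls(log_text: str, trusted_prefixes: tuple = ("10.0.0.",)) -> list:
    """Return (client, status) for bootstrap verify requests from outside the trusted prefixes.
    The verify call is only expected between cluster peers, so any other caller is worth an alert."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method == "POST" and path.startswith("/minio/bootstrap/v1/verify") \
                and not client.startswith(trusted_prefixes):
            hits.append((client, int(status)))
    return hits
```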

Vulnerable code analysis

First, the attack payload shows that the bootstrap endpoint is being called. From the module loaded in main.go, the relevant code lives in minio/cmd.
Next, checking the application routes shows that the vulnerable file is bootstrap-peer-server.go.
Look for the places in that file where HTTP requests are accepted. There are only two methods that accept HTTP requests, at Line130 and Line132.
Since the attack payload targets verify, our entry point is Line132. What does the program do at this entry point?
Line133 creates a new context object for handling the HTTP request and response.
Line134 obtains the server system configuration.
Line135 is used to output an error log.

Next, we need to see what getServerSystemCfg() does. This method collects the environment variables: envValues is populated by iterating over the environment and looking up each key as skipEnvs[envK].
What does skipEnvs contain? It holds sensitive entries such as MINIO_CERT_PASSWD.

The value of MINIO_CERT_PASSWD comes from buildscripts\upgrade-tests\minio.env, where account and password information is stored in plain text.
In the end, because this logic performs no authentication, the result is an unauthorized access vulnerability.

Origin blog.csdn.net/qq_35476650/article/details/129748849