Chocapikk / CVE-2023-28432

Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.

Minio Environment Variables Exploit (CVE-2023-28432)

Overview

Minio is a Multi-Cloud Object Storage framework. In cluster deployments starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, there is a significant vulnerability: Minio returns all environment variables. These include critical data such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, leading to a potential information disclosure. All users of the distributed deployment are affected.

CVE Identifier: CVE-2023-28432
Severity: HIGH (Base Score: 7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

For more detailed information, please refer to the official NIST page: CVE-2023-28432.

Pre-requisites

To exploit this vulnerability using the provided code:

  1. You should have Python installed in your environment.

  2. Ensure all dependencies are installed from the requirements.txt file. This can be done with the command:

    pip install -r requirements.txt
    
  3. If you want to leverage Leakix for URL discovery, ensure you have a PRO account with Leakix, as basic users cannot access the bulk feature and MinioPlugin. Furthermore, configure the script with your Leakix API key.

Usage

To use the exploit script:

  1. If you want to check a single URL:

    python exploit_script.py -u [URL_TO_CHECK]
    
  2. If you have a list of URLs you want to check, save them in a file (one URL per line) and use:

    python exploit_script.py -f [PATH_TO_FILE]
    
  3. If you want to fetch URLs based on leaks from Leakix:

    python exploit_script.py --leakpy
    

    Note: Ensure your Leakix API key is configured correctly in the script if you wish to use this feature.

  4. To save the results to an output file:

    python exploit_script.py [OTHER_ARGUMENTS] -o [OUTPUT_FILE_PATH]
    
  5. For verbose mode (provides more detailed information on the console):

    python exploit_script.py [OTHER_ARGUMENTS] --verbose
    

Caution

Remember that scanning and exploiting servers without permission is illegal. Only use this tool on systems you own or have explicit permission to test.

Recommendations

All Minio users affected by this vulnerability are advised to upgrade to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue.
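
To decide which deployments need that upgrade, the sketch below classifies release tags against the affected range stated on this page. It is an added example, not code from this repository; the inventory entries and the `distributed` flag are assumptions, and tags with any extra suffix are deliberately reported as unknown.

```python
import re
from datetime import datetime, timezone

# Range boundaries exactly as stated on this page.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"

# Strict match: tags carrying any extra suffix are reported as "unknown".
_TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(tag):
    """Return the UTC build time encoded in a release tag, or None if malformed."""
    m = _TAG_RE.fullmatch(tag.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")
    except ValueError:  # e.g. month 13: shaped like a tag but not a real date
        return None
    return ts.replace(tzinfo=timezone.utc)


def classify(tag, distributed):
    """Return 'affected', 'not-affected' or 'unknown' for one deployment."""
    ts = parse_release(tag)
    if ts is None:
        return "unknown"  # never treat an unparseable version as safe
    in_range = parse_release(FIRST_AFFECTED) <= ts < parse_release(FIRST_FIXED)
    # Per this page, the distributed (cluster) deployment is what is affected.
    return "affected" if in_range and distributed else "not-affected"


def triage(inventory):
    """Map each (name, tag, distributed) entry to its classification."""
    return {name: classify(tag, dist) for name, tag, dist in inventory}


# Constructed inventory: host names and tags other than the two bounds are made up.
INVENTORY = [
    ("store-a", "RELEASE.2019-12-17T23-16-33Z", True),   # lower bound, inclusive
    ("store-b", "RELEASE.2022-06-01T00-00-00Z", True),
    ("store-c", "RELEASE.2022-06-01T00-00-00Z", False),  # single-node
    ("store-d", "RELEASE.2023-03-20T20-16-18Z", True),   # first fixed release
    ("store-e", "latest", True),                         # floating tag
]

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY).items():
        print(f"{name}: {verdict}")
```

Entries that come back as unknown need their actual release tag resolved before they can be ruled out.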
