Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation

2023-09-0618:43:13

Google

osv.dev

minio security vulnerability

path separator manipulation

windows privilege escalation

object placement

admin user creation

patch information

code reference

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

47.8%

JSON

Impact

All users on Windows are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across
buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user.

Patches

There are two patches that fix this problem comprehensively

commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana &lt;harsha@minio.io&gt;
Date:   Mon Mar 20 13:16:00 2023 -0700

    reject object names with '\' on windows (#16856)

commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana &lt;harsha@minio.io&gt;
Date:   Mon Mar 20 00:35:25 2023 -0700

    fix: convert '\' to '/' on windows (#16852)

Workarounds

There are no known workarounds

References

The vulnerable code:

// minio/cmd/generic-handlers.go
// Check if the incoming path has bad path components,
// such as ".." and "."
// SlashSeparator -&gt; /
// dotdotComponent -&gt; ..
// dotComponent -&gt; .
func hasBadPathComponent(path string) bool {
  path = strings.TrimSpace(path)
  for _, p := range strings.Split(path, SlashSeparator) {
    switch strings.TrimSpace(p) {
    case dotdotComponent:
      return true
    case dotComponent:
      return true
    }
  }
  return false
}