
fix: post policy request security bypass #16849

Merged
merged 1 commit into from Mar 20, 2023
Merged

Conversation

donatello
Member

Description

Due to inconsistency between the check for routing post policy requests and for preventing access to reserved buckets, it is possible to bypass restrictions and write objects directly into system buckets allowing privilege escalation.

Motivation and Context

How to test this PR?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

Due to inconsistency between the check for routing post policy requests
and for preventing access to reserved buckets, it is possible to bypass
restrictions and write objects directly into system buckets allowing
privilege escalation.
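The description above names the bug class without showing it: two code paths (request routing and the reserved-bucket guard) applying different checks, so that a policy on `arn:aws:s3:::*` reaches the metabucket through the form-upload route. The following is an added example, not MinIO's code or the fix in this PR, of the defensive pattern that closes that class: one canonicalising `bucketFromPath`, one `isReservedBucket` predicate, and one `authorizeWrite` decision shared by PUT and POST policy handlers, with the reserved-bucket check evaluated before the user's policy. All function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Hypothetical reserved-bucket table, not MinIO's own code: ".minio.sys" is
// the metabucket named on the page; nothing else here is taken from MinIO.
var reservedBuckets = map[string]bool{".minio.sys": true}
var ErrReservedBucket = errors.New("access denied: reserved bucket") // any write into a system bucket

// bucketFromPath canonicalises the path before extracting the bucket, so
// "/.minio.sys/", "//.minio.sys" and "/x/../.minio.sys" all yield ".minio.sys".
func bucketFromPath(p string) string {
	clean := strings.TrimPrefix(path.Clean("/"+p), "/")
	return strings.SplitN(clean, "/", 2)[0]
}

// isReservedBucket is the single predicate every write path consults; the bug
// class fixed by this PR is two paths applying different checks.
func isReservedBucket(name string) bool { return reservedBuckets[name] }

// policyAllows models the commit message's case: a policy on arn:aws:s3:::*
// matches every bucket name, system buckets included.
func policyAllows(resource, bucket string) bool {
	return resource == "arn:aws:s3:::*" || resource == "arn:aws:s3:::"+bucket
}

// authorizeWrite is shared by the PUT object handler and the POST policy
// (browser form upload) handler, so both routes reach the same decision: the
// reserved-bucket check runs first and is not subject to the user's policy.
func authorizeWrite(r *http.Request, policyResource string) error {
	bucket := bucketFromPath(r.URL.Path)
	if isReservedBucket(bucket) {
		return ErrReservedBucket
	}
	if !policyAllows(policyResource, bucket) {
		return errors.New("access denied by policy")
	}
	return nil
}

func main() {
	r, _ := http.NewRequest(http.MethodPost, "http://localhost/.minio.sys/", nil)
	fmt.Println(authorizeWrite(r, "arn:aws:s3:::*")) // access denied: reserved bucket
}
```

A regression test of the kind requested later in this thread would exercise exactly these two routes against the metabucket and expect the same rejection from both.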
@harshavardhana
Member

@donatello do you have a reproducer for this?

@minio-trusted
Contributor

Mint Automation

Test Result
mint-erasure.sh ✔️
mint-compress-encrypt-dist-erasure.sh
mint-pools.sh

16849-cbd5828/mint-compress-encrypt-dist-erasure.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.8:30399
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp 2f8b3fe782f0:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 1 seconds
(3/14) Running aws-sdk-php tests ... done in 43 seconds
(4/14) Running aws-sdk-ruby tests ... done in 9 seconds
(5/14) Running awscli tests ... done in 1 minutes and 15 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 20 seconds
(8/14) Running minio-go tests ... done in 54 seconds
(9/14) Running minio-java tests ... FAILED in 5 minutes and 14 seconds
{
  "name": "minio-java",
  "function": "listenBucketNotification()",
  "args": "prefix=prefix, suffix=suffix, events={\"s3:ObjectCreated:*\", \"s3:ObjectAccessed:*\"}",
  "duration": 300072,
  "status": "FAIL",
  "error": "java.net.SocketTimeoutException: timeout >>> [okio.SocketAsyncTimeout.newTimeoutException(JvmOkio.kt:147), okio.AsyncTimeout.access$newTimeoutException(AsyncTimeout.kt:158), okio.AsyncTimeout$source$1.read(AsyncTimeout.kt:337), okio.RealBufferedSource.indexOf(RealBufferedSource.kt:427), okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.kt:320), okhttp3.internal.http1.HeadersReader.readLine(HeadersReader.kt:29), okhttp3.internal.http1.Http1ExchangeCodec.readResponseHeaders(Http1ExchangeCodec.kt:178), okhttp3.internal.connection.Exchange.readResponseHeaders(Exchange.kt:106), okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:79), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201), okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517), java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128), java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628), java.base/java.lang.Thread.run(Thread.java:829)]"
}
(9/14) Running minio-js tests ... FAILED in 1 minutes and 53 seconds
{
  "name": "minio-js",
  "function": "\"after all\" hook in \"functional tests\"",
  "duration": 10,
  "status": "FAIL",
  "error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:71:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:166:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:90:10) at DestroyableTransform.prefinish (node_modules/readable-stream/lib/_stream_transform.js:129:10) at prefinish (node_modules/readable-stream/lib/_stream_writable.js:611:14) at finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:620:5) at endWritable (node_modules/readable-stream/lib/_stream_writable.js:643:3) at DestroyableTransform.Writable.end (node_modules/readable-stream/lib/_stream_writable.js:571:22) at IncomingMessage.onend (internal/streams/readable.js:670:10) at endReadableNT (internal/streams/readable.js:1333:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)"
}
(9/14) Running minio-py tests ... done in 2 minutes and 4 seconds
(10/14) Running s3cmd tests ... done in 16 seconds
(11/14) Running s3select tests ... done in 4 seconds
(12/14) Running versioning tests ... done in 3 minutes and 32 seconds

Executed 12 out of 14 tests successfully.

16849-cbd5828/mint-pools.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.3:30723
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp c766782a85a7:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 2 seconds
(3/14) Running aws-sdk-php tests ... done in 43 seconds
(4/14) Running aws-sdk-ruby tests ... done in 9 seconds
(5/14) Running awscli tests ... done in 1 minutes and 16 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 19 seconds
(8/14) Running minio-go tests ... done in 59 seconds
(9/14) Running minio-java tests ... FAILED in 5 minutes and 1 seconds
{
  "name": "minio-java",
  "function": "makeBucket()",
  "args": "[basic check]",
  "duration": 300092,
  "status": "FAIL",
  "error": "java.net.SocketTimeoutException: timeout >>> [okio.SocketAsyncTimeout.newTimeoutException(JvmOkio.kt:147), okio.AsyncTimeout.access$newTimeoutException(AsyncTimeout.kt:158), okio.AsyncTimeout$source$1.read(AsyncTimeout.kt:337), okio.RealBufferedSource.indexOf(RealBufferedSource.kt:427), okio.RealBufferedSource.readUtf8LineStrict(RealBufferedSource.kt:320), okhttp3.internal.http1.HeadersReader.readLine(HeadersReader.kt:29), okhttp3.internal.http1.Http1ExchangeCodec.readResponseHeaders(Http1ExchangeCodec.kt:178), okhttp3.internal.connection.Exchange.readResponseHeaders(Exchange.kt:106), okhttp3.internal.http.CallServerInterceptor.intercept(CallServerInterceptor.kt:79), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:34), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76), okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109), okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201), okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517), java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128), java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628), java.base/java.lang.Thread.run(Thread.java:829)]"
}
(9/14) Running minio-js tests ... FAILED in 1 minutes and 59 seconds
{
  "name": "minio-js",
  "function": "\"after all\" hook in \"functional tests\"",
  "duration": 12,
  "status": "FAIL",
  "error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:71:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:166:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:90:10) at DestroyableTransform.prefinish (node_modules/readable-stream/lib/_stream_transform.js:129:10) at prefinish (node_modules/readable-stream/lib/_stream_writable.js:611:14) at finishMaybe (node_modules/readable-stream/lib/_stream_writable.js:620:5) at endWritable (node_modules/readable-stream/lib/_stream_writable.js:643:3) at DestroyableTransform.Writable.end (node_modules/readable-stream/lib/_stream_writable.js:571:22) at IncomingMessage.onend (internal/streams/readable.js:670:10) at endReadableNT (internal/streams/readable.js:1333:12) at processTicksAndRejections (internal/process/task_queues.js:82:21)"
}
(9/14) Running minio-py tests ... done in 2 minutes and 18 seconds
(10/14) Running s3cmd tests ... done in 17 seconds
(11/14) Running s3select tests ... done in 5 seconds
(12/14) Running versioning tests ... done in 3 minutes and 33 seconds

Executed 12 out of 14 tests successfully.

Deleting image on docker hub
Deleting image locally

@donatello
Member Author

> @donatello do you have a reproducer for this?

Yes. Will share privately.

@harshavardhana
Member

@donatello we need to add a test here so that this is always tested.

@harshavardhana harshavardhana changed the title from "Fix post policy request security bypass" to "fix: post policy request security bypass" on Mar 20, 2023
@harshavardhana
Member

Taking this in, so that we can make a new release // cc @donatello

@harshavardhana harshavardhana merged commit 67f4ba1 into minio:master Mar 20, 2023
15 checks passed
@donatello donatello deleted the sec1 branch March 20, 2023 04:19
harshavardhana pushed a commit to harshavardhana/minio that referenced this pull request Mar 30, 2023
rluetzner pushed a commit to iternity-dotcom/minio that referenced this pull request May 4, 2023
This fixes security vulnerability CVE-2023-28434 where users that had
access to all resources (`arn:aws:s3:::*`) were able to put objects into
any bucket, including .minio.sys, the MinIO metabucket. By crafting
requests they would be able to escalate privileges.

As a workaround `MINIO_BROWSER=off` can be turned off, i.e. the MinIO
browser is enabled.

This is fixed upstream, but in a version that no longer supports a file
backend, which is why we backport it.

More information can be found here:

https://nvd.nist.gov/vuln/detail/CVE-2023-28434
GHSA-2pxw-r47w-4p8c
minio#16849

(cherry picked from commit 67f4ba1)