AbelChe / evil_minio

EXP for CVE-2023-28434 MinIO unauthorized to RCE
GNU Affero General Public License v3.0

Missing minisig file #1

Closed ainrm closed 1 year ago

ainrm commented 1 year ago

mc: Unable to update the server. signature loading failed for http://xxx:9999//minio.RELEASE.2023-03-22T06-36-24Z.minisig with 404 File not found

Did you run into this problem while reproducing it? The minisig file is missing.

AbelChe commented 1 year ago

You are running the environment with docker, right? By default, the docker environment has the MINIO_UPDATE_MINISIGN_PUBKEY environment variable set: https://github.com/minio/minio/blob/4c5edacae22bc50f4274eafd6223f1ccc7a6208c/Dockerfile.release#L20

By default, RCE is not possible in the docker environment; this environment variable needs to be cleared, for example by adding the following to docker-compose.yml:

  environment:
    MINIO_UPDATE_MINISIGN_PUBKEY: 

On a vulnerable version where this value is not set, the integrity check can be bypassed, so the .minisig file is never requested.