From 9a740736a4ced80663bf3528ea61a1a6a4a136c5 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Wed, 3 Apr 2019 21:16:19 +0200
Subject: [PATCH] fix privilege escalation against inter-node communication (#7474)
This commit fixes another privilege escalation issue abusing the inter-node communication of distributed servers to obtain/modify the server configuration. The inter-node communication is authenticated using JWT-Tokens. Further, IAM users accessing the cluster via the web UI also get a JWT token and the browser will add this "user" JWT token to each the request. Now, a user can extract that JWT token an can craft HTTP POST requests for the inter-node communication API endpoint. Since the server accepts ANY valid JWT token it also accepts inter-node commands from an authenticated user such that the user can execute arbitrary commands bypassing the IAM policy engine and impersonate other users, change its own IAM policy or extract the admin access/secret key. This is fixed by only accepting "admin" JWT tokens (tokens containing the admin access key - and therefore were generated with the admin secret key). Consequently, only the admin user can execute such inter-node commands.
---
 cmd/storage-rest-server.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cmd/storage-rest-server.go b/cmd/storage-rest-server.go
index 0eb180008..e60cba145 100644
--- a/cmd/storage-rest-server.go
+++ b/cmd/storage-rest-server.go
@@ -49,9 +49,14 @@ func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error)
 // Authenticates storage client's requests and validates for skewed time.
 func storageServerRequestValidate(r *http.Request) error {
- if _, _, err := webRequestAuthenticate(r); err != nil {
+ _, owner, err := webRequestAuthenticate(r)
+ if err != nil {
 return err
 }
+ if !owner { // Disable access for non-admin users.
+ return errAuthentication
+ }
+
 requestTimeStr := r.Header.Get("X-Minio-Time")
 requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
 if err != nil {
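Review bot: The new `if !owner` branch returns the same `errAuthentication` that an invalid or expired token produces, so a syntactically valid user-level JWT presented to the storage REST API — the exact misuse this commit closes — is indistinguishable in logs from an ordinary bad-token failure; a distinct error value or an audit/log entry at that branch would make such attempts detectable rather than silently rejected. The inline comment also states the what but not the why; something like `// Only the owner (admin credentials) may issue inter-node requests; user-level JWTs handed out by the web UI must be rejected here so they cannot bypass the IAM policy engine.` would tell the next maintainer why this check must not be relaxed. Note that `storageServerRequestValidate` is the only validator this commit touches; if other inter-node REST servers authenticate their requests through a separate path rather than this function, they would need the same owner check, which I cannot confirm from this hunk. The function body continues past the end of the hunk.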