PT-2026-6412 · Crates.Io · Rustfs

Published: 2026-02-03 · Updated: 2026-02-03

CVSS v4.0: 7.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

IP-based access control can be bypassed: get_condition_values trusts the client-supplied X-Forwarded-For/X-Real-Ip headers without verifying that the request arrived through a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.

Details

  • Vulnerable code: rustfs/src/auth.rs:289-304 derives the remote address from X-Forwarded-For/X-Real-Ip, then inserts SourceIp via get_source_ip_raw, with no trust boundary or proxy validation:
    • let remote_addr = header.get("x-forwarded-for").and_then(...).or_else(|| header.get("x-real-ip")...).unwrap_or("127.0.0.1");
    • args.insert("SourceIp", vec![get_source_ip_raw(header, remote_addr)]);
  • This value feeds IAM/bucket policy evaluation in rustfs/src/storage/access.rs (the authorization path), so any request that forges the header can meet aws:SourceIp conditions.
  • No authentication is required beyond the request itself; the header is taken at face value even on direct connections, where no proxy could have set it.
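The following Rust is an added illustration of the trust-boundary problem described above; it is not RustFS code and not the project's fix. It places the advisory's header-trusting derivation (a 127.0.0.1 fallback, peer address never consulted) beside a hardened derivation that honours X-Forwarded-For/X-Real-Ip only when the TCP peer is a configured trusted proxy, then evaluates the PoC's 10.0.0.5/32 aws:SourceIp condition against both. The header map, the trusted proxy 10.0.0.1 and the untrusted peer 192.0.2.10 are assumptions constructed for the example.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Minimal stand-in for an HTTP header map, keyed by lowercase header name.
/// Constructed for this example; RustFS uses an http::HeaderMap, not reproduced here.
pub type Headers = HashMap<String, String>;

/// Build a header map from (name, value) pairs, normalising names to lowercase.
pub fn headers(pairs: &[(&str, &str)]) -> Headers {
    pairs
        .iter()
        .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
        .collect()
}

/// The pattern the advisory describes: forwarded-IP headers are believed
/// unconditionally, with a 127.0.0.1 fallback, and the TCP peer is never consulted.
pub fn source_ip_trusting_headers(h: &Headers) -> IpAddr {
    let raw = h
        .get("x-forwarded-for")
        .and_then(|v| v.split(',').next())
        .or_else(|| h.get("x-real-ip").map(String::as_str))
        .unwrap_or("127.0.0.1");
    raw.trim().parse().unwrap_or(IpAddr::V4(Ipv4Addr::LOCALHOST))
}

/// Hardened derivation (added here; not RustFS's own fix). Forwarded headers are
/// honoured only when the TCP peer is a configured trusted proxy. The
/// X-Forwarded-For list is walked from the right, skipping trusted hops, so the
/// address appended by the first trusted proxy wins; a malformed entry, or a
/// list made up entirely of trusted proxies, falls back to the peer address.
pub fn source_ip_with_trust_boundary(peer: IpAddr, h: &Headers, trusted_proxies: &[IpAddr]) -> IpAddr {
    if !trusted_proxies.contains(&peer) {
        // Direct connection: the socket peer is the only address we can vouch for.
        return peer;
    }
    let forwarded = h.get("x-forwarded-for").or_else(|| h.get("x-real-ip"));
    let list = match forwarded {
        Some(v) => v,
        None => return peer,
    };
    for item in list.rsplit(',') {
        match item.trim().parse::<IpAddr>() {
            Ok(ip) if trusted_proxies.contains(&ip) => continue,
            Ok(ip) => return ip,
            Err(_) => return peer, // malformed entry: do not guess, use the peer
        }
    }
    peer
}

/// IPv4 CIDR match for an aws:SourceIp-style condition such as 10.0.0.5/32.
pub fn in_cidr(ip: IpAddr, net: Ipv4Addr, prefix: u8) -> bool {
    let ip4 = match ip {
        IpAddr::V4(v4) => v4,
        IpAddr::V6(_) => return false,
    };
    let prefix = prefix.min(32);
    let mask: u32 = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) };
    (u32::from(ip4) & mask) == (u32::from(net) & mask)
}

/// The PoC's bucket policy condition: s3:ListBucket only from 10.0.0.5/32.
pub fn list_bucket_allowed(source_ip: IpAddr) -> bool {
    in_cidr(source_ip, Ipv4Addr::new(10, 0, 0, 5), 32)
}

/// Replay the three PoC requests from an untrusted peer (192.0.2.10, an assumed
/// value) against both derivations. Returns (label, vulnerable_allows, hardened_allows).
pub fn replay_poc() -> Vec<(&'static str, bool, bool)> {
    let peer: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 0, 2, 10));
    let trusted: Vec<IpAddr> = vec![IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1))]; // assumed proxy
    let requests: [(&'static str, Headers); 3] = [
        ("baseline (no header)", headers(&[])),
        ("spoofed X-Forwarded-For: 10.0.0.5", headers(&[("X-Forwarded-For", "10.0.0.5")])),
        ("spoofed X-Forwarded-For: 1.2.3.4", headers(&[("X-Forwarded-For", "1.2.3.4")])),
    ];
    requests
        .iter()
        .map(|(label, h)| {
            let vulnerable = list_bucket_allowed(source_ip_trusting_headers(h));
            let hardened = list_bucket_allowed(source_ip_with_trust_boundary(peer, h, &trusted));
            (*label, vulnerable, hardened)
        })
        .collect()
}

fn main() {
    for (label, vulnerable, hardened) in replay_poc() {
        println!("{:<40} vulnerable={:<5} hardened={}", label, vulnerable, hardened);
    }
}
```

Only the spoofed 10.0.0.5 request is allowed by the header-trusting derivation; the hardened derivation denies all three because the peer is not a trusted proxy, so the header is ignored and 192.0.2.10 is evaluated instead. Walking the list from the right matters in real deployments: a client can prepend anything to X-Forwarded-For, but it cannot control what the trusted proxy appends.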

PoC

Steps (already included in rustfs-auth-trusted-ip-header-spoofing-poc/):
  1. Start RustFS with two local volumes, e.g.:
     mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
     RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
       cargo run --bin rustfs -- --address 0.0.0.0:9000 \
       /tmp/rustfs-data1 /tmp/rustfs-data2
  2. From rustfs-auth-trusted-ip-header-spoofing-poc/, run:
     ENDPOINT=http://127.0.0.1:9000 make run
The script:
  • Creates bucket rustfs-trusted-ip-poc.
  • Applies a bucket policy allowing s3:ListBucket only from 10.0.0.5/32 (Principal: {"AWS":["*"]}, Resource array).
  • Sends three unauthenticated ListBucket calls:
    • Baseline (no spoof) → HTTP 403.
    • Spoofed X-Forwarded-For: 10.0.0.5 → HTTP 200 (policy bypass).
    • Spoofed X-Forwarded-For: 1.2.3.4 → HTTP 403.
  • Responses saved to poc-baseline.xml, poc-spoofed.xml, poc-deny.xml.

Impact

  • Vulnerability type: Authorization bypass of IP-allowlist (aws:SourceIp) via header spoofing.
  • Who is impacted: Any deployment relying on aws:SourceIp in IAM/bucket policies for S3 operations. Attackers with network reach to RustFS can forge forwarded-IP headers to gain list/read/write where IP restrictions were meant to block them.

Credits

Identified by SecMate (https://secmate.dev) automated analysis and validated during manual triage.

Fix

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

GHSA-FC6G-2GCP-2QRQ

Affected Products

Rustfs