add check for prometheus pprof endpoints
h00die committed Dec 19, 2024
1 parent 227143e commit 78984e4
Showing 2 changed files with 24 additions and 2 deletions.
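--- a/modules/auxiliary/gather/prometheus_api_gather.rb
+++ b/modules/auxiliary/gather/prometheus_api_gather.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
 'h00die'
 ],
 'References' => [
-['URL', 'https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/']
+['URL', 'https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/'],
+['URL', 'https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/']
 ],
 
 'Targets' => [
@@ -145,6 +146,16 @@ def run
 json = res.get_json_document
 fail_with(Failure::UnexpectedReply, "#{peer} - Unable to parse JSON document") unless json
 print_good("Config file: #{json.dig('data', 'config.file')}") if json.dig('data', 'config.file')
+
+# check for pprof
+res = send_request_cgi(
+'uri' => normalize_uri(target_uri.path, 'debug', 'pprof/'), # include trailing /
+'method' => 'GET'
+)
+fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response from server (response code #{res.code})") unless res.code == 200
+
+print_good("#{peer}#{target_uri.path}debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.") if res.body.include?('Profile Descriptions')
 rescue ::Rex::ConnectionError
 fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
 end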
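Review bot: The added `fail_with(Failure::UnexpectedReply, ...) unless res.code == 200` after the pprof request makes the whole module fail whenever `debug/pprof/` answers 404 or 403, which is the expected response from a server that does not expose the profiler. Because the check runs after the config and API data were already gathered, the run is reported as failed for a target that was in fact enumerated successfully. Treat the probe as optional: guard the report with `if res&.code == 200 && res.body.include?('Profile Descriptions')` and log the negative case with `vprint_status("#{peer} - debug/pprof/ not exposed")` instead of calling `fail_with`. The identical block added to `run` in prometheus_node_exporter_gather.rb needs the same change; `run` starts outside both hunks.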
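--- a/modules/auxiliary/gather/prometheus_node_exporter_gather.rb
+++ b/modules/auxiliary/gather/prometheus_node_exporter_gather.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['URL', 'https://github.com/prometheus/node_exporter'],
-['URL', 'https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/']
+['URL', 'https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/'],
+['URL', 'https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/']
 ],
 
 'Targets' => [
@@ -308,6 +309,16 @@ def run
 ].each do |table|
 print_good(table.to_s) if !table.rows.empty?
 end
+
+# check for pprof
+res = send_request_cgi(
+'uri' => normalize_uri(target_uri.path, 'debug', 'pprof/'), # include trailing /
+'method' => 'GET'
+)
+fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response from server (response code #{res.code})") unless res.code == 200
+
+print_good("#{peer}#{target_uri.path}debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.") if res.body.include?('Profile Descriptions')
 rescue ::Rex::ConnectionError
 fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
 end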
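Review bot: The `print_good` message added to `run` rebuilds the reported location as `#{peer}#{target_uri.path}debug/pprof/`, which equals the requested URI only when TARGETURI ends in a slash; any other value prints a path that was never requested. Compute the path once, `pprof_uri = normalize_uri(target_uri.path, 'debug', 'pprof/')`, pass it as `'uri' => pprof_uri`, and report `"#{peer}#{pprof_uri} found, ..."` so the finding that gets reviewed manually matches the request that was sent. The same message string is added in prometheus_api_gather.rb. The comment `# check for pprof` could also state the reason, for example `# an exposed debug/pprof/ index allows information disclosure and DoS, flag it for manual review`.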
