
add check for prometheus pprof endpoints #19752

Open. Wants to merge 1 commit into base: master.

Conversation

h00die (Contributor) commented Dec 19, 2024

Fix #19728

Adds a check for the two prometheus modules to check for the newly documented /debug/pprof/ endpoint that can have an information disclosure and DoS.

Verification

  • Use docker images as is noted in the previous documents, :latest still works for both.
  • use modules/auxiliary/gather/prometheus_node_exporter_gather
  • run
  • Verify the last line mentions finding the endpoint
  • use modules/auxiliary/gather/prometheus_api_gather
  • run
  • Verify the last line mentions finding the endpoint

bcoles (Contributor) commented Dec 28, 2024

As the checks for /debug/pprof/ are located at the end of the run method, any failure during information gathering will cause these checks to be skipped.

Tested successfully in a known good configuration:

msf6 auxiliary(gather/prometheus_api_gather) > run
[*] Running module against 192.168.200.202
[+] Prometheus found, version: 2.37.4
[+] YAML config saved to /root/.msf4/loot/20241227205847_default_192.168.200.202_PrometheusYAML_952326.yaml
[+] JSON targets saved to /root/.msf4/loot/20241227205847_default_192.168.200.202_PrometheusJSON_671434.json
[+] Config file: prometheus.yml
[+] 192.168.200.202:9090/debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/prometheus_node_exporter_gather) > run
[*] Running module against 192.168.200.202
[+] Go Version: go1.19.3
[+] SELinux enabled: 0
[+] Timezone: UTC
[+] BIOS Information
================

[redacted]

[+] OS Information
==============

  Field             Value
  -----             -----
  Family            ubuntu
  Name              Ubuntu
  Pretty Name       Ubuntu 22.04 LTS
  Version           22.04 (Jammy Jellyfish)
  Version Codename  jammy
  Version ID        22.04

[+] Network Interfaces
==================

[redacted]

[+] File Systems
============

[redacted]

[+] uname Information
=================

  Field        Value
  -----        -----
  Arch         x86_64
  Domain Name  (none)
  Node Name    ubuntu22
  OS Type      Linux
  Release      6.8.0-49-generic
  Version      #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2

[+] 192.168.200.202:9100/debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.
[*] Auxiliary module execution completed

> Adds a check for the two prometheus modules to check for the newly documented /debug/pprof/ endpoint that can have an information disclosure and DoS.

Exposed pprof is a long known issue in node exporter (and Prometheus):

/debug/pprof is not exclusive to the Prometheus ecosystem. Information disclosure and denial of service were discussed in 2017:

As the underlying issue is due to the pprof library, and the functionality is mapped to a static route /debug/pprof/ by default, perhaps these checks would be better suited to a separate scanner module.
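The two points raised in this thread, a self-contained check for a reachable /debug/pprof/ index and the ordering problem (a check placed at the end of run is skipped when gathering fails), as an added Ruby example. This is not the code from the PR or from the Metasploit modules; the body heuristic (a 200 response that mentions the pprof path and at least one profile name), the helper names, the injectable fetcher and the sample HTML bodies are all assumptions constructed for illustration, so that an operator can verify an exporter they run (for example behind a reverse proxy that should block the path) without network access in the test.

```ruby
require 'net/http'
require 'uri'

# Hypothetical helper, not the Metasploit modules' own code.
# Profile names the Go net/http/pprof index page links to; the heuristic
# treats a 200 response that mentions the pprof path and at least one of
# these names as a live profiler index. (Assumption: real pages vary by Go version.)
PPROF_PROFILE_NAMES = %w[goroutine heap allocs profile threadcreate block mutex].freeze

# Decide from an HTTP status and body whether GET /debug/pprof/ looks like an
# exposed pprof index. Pure function, so it can be exercised offline.
def pprof_exposed?(status, body)
  return false unless status.to_i == 200 && body.is_a?(String)

  body.include?('/debug/pprof/') &&
    PPROF_PROFILE_NAMES.any? { |name| body.include?(name) }
end

# Fetch /debug/pprof/ relative to base_url and return [status, body].
# A fetcher lambda can be injected to avoid real network access in tests.
def fetch_pprof_index(base_url, fetcher: nil)
  uri = URI.join(base_url, '/debug/pprof/')
  return fetcher.call(uri) if fetcher

  res = Net::HTTP.get_response(uri)
  [res.code.to_i, res.body.to_s]
end

# The ordering point from the review: if the pprof check sits after the
# gather phase and gathering raises, the check never runs. Doing it in an
# ensure block keeps the check independent of gather failures.
def run_checks(base_url, gather:, fetcher: nil)
  results = { gather_ok: false, pprof_exposed: nil }
  begin
    gather.call
    results[:gather_ok] = true
  rescue StandardError => e
    results[:gather_error] = e.message
  ensure
    status, body = fetch_pprof_index(base_url, fetcher: fetcher)
    results[:pprof_exposed] = pprof_exposed?(status, body)
  end
  results
end

# Constructed sample bodies (not real captures from any host).
EXPOSED_BODY = <<~HTML
  <html><head><title>/debug/pprof/</title></head><body>
  <p>Types of profiles available:</p>
  <table>
  <tr><td><a href="/debug/pprof/allocs">allocs</a></td></tr>
  <tr><td><a href="/debug/pprof/goroutine">goroutine</a></td></tr>
  <tr><td><a href="/debug/pprof/heap">heap</a></td></tr>
  </table></body></html>
HTML

NOT_FOUND_BODY = "404 page not found\n".freeze

if __FILE__ == $PROGRAM_NAME
  # Simulate a gather phase that fails part-way; the pprof check still runs.
  fake_fetch = ->(_uri) { [200, EXPOSED_BODY] }
  failing_gather = -> { raise 'config endpoint returned 403' }
  p run_checks('http://127.0.0.1:9090', gather: failing_gather, fetcher: fake_fetch)
end
```

With a real fetcher the same run_checks call performs one GET against the exporter or Prometheus base URL; the result hash carries both the gather outcome and the pprof verdict, so a failed gather is reported rather than silently hiding the endpoint check.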

Successfully merging this pull request may close these issues: Check and Expand Prometheus Module