Message-ID: <45ca36ec-03ba-4c8e-9d1d-52d4417817a7@riseup.net>
Date: Wed, 24 Jan 2024 13:15:03 +0100
From: psy <epsylon@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] PrommetriX - (Prometheus Metrics Leaker) released!

Hi FD,

I am glad to present this script:

   - Prommetrix

I think that by building a tool that greatly facilitates the scraping of 
the data presented by the Prometheus metrics, it may be possible to 
make the team that develops it aware of the existing need to 
protect them at their core.

23/01/2024:

  - Google (search engine): ~ 1832 servers with exposed metrics
  - Shodan (search engine): ~ 7320 servers with exposed metrics

---------

"Prommetrix is a free software tool to obtain relevant information from 
the instances of 'Node Exporter' executed by 'Prometheus'."

---------

Prometheus is an open-source, metrics-based event monitoring and 
alerting solution for cloud applications. It is used by nearly 800 
cloud-native organizations including Uber, Slack, Robinhood, and more. 
By scraping real-time metrics from various endpoints, Prometheus allows 
easy observation of a system’s state in addition to observation of 
hardware and software metrics such as memory usage, network usage and 
software-specific defined metrics (e.g. the number of failed login 
attempts to a web application).

     https://prometheus.io/docs/guides/node-exporter/

Since the numeric metrics captured by Prometheus are not considered 
sensitive data, Prometheus has held an understandable policy of avoiding 
built-in support for security features such as authentication and 
encryption, in order to focus on developing the monitoring-related 
features. This changed less than a year ago (Jan 2021), with the release 
of version 2.24.0, in which Transport Layer Security (TLS) and basic 
authentication support were introduced.

Because authentication and encryption support is relatively new, many 
organizations that use Prometheus haven't yet enabled these features, 
and thus many Prometheus endpoints are completely exposed to the 
Internet (e.g. endpoints that run earlier versions), leaking metric 
and label data.

---------

This vulnerability can be described in a pentest report as:

     PRM-01-001 Client: Clients leak Metrics data through unprotected 
endpoint (LOW)

"Metric data are to be collected for some services and these items need 
to implement a client-library that enables the core Prometheus service 
to scrape the data. The client-library opens a minimal HTTP server and 
exposes a route which is then registered with the core service for 
scraping. This endpoint is unauthenticated by default, which allows 
anybody who knows the URI to read the metric data. It is recommended to 
put some form of authentication in place. Only the core Prometheus 
service should be allowed to read the metric data."

---------

Prommetrix will take advantage of these metrics to obtain relevant 
information about the Prometheus instance, as well as about the machine 
on which it is running.

---------

Dork (using default port):

   - inurl:":9100/metrics"

---------

PoC:

1- Let's take as an example a random machine with Prometheus metrics 
exposed on the default port.

2- Execution: python3 prommetrix.py --target XXX.XXX.XXX.XXX

3- Output (note that results will vary depending on the instance):

[INFO] 'Prometheus' detected at: XXX.XXX.XXX.XXX <-> EXPOSING!

   - Metrics path:
      - URL: http://XXX.XXX.XXX.XXX:9100/metrics

   - 'Go' (environment):
      - Version: go1.21.4

   - 'Node Export' (build):
      - Branch: HEAD
      - Version: go1.21.4

   - CPUs (total):
      - 1

   - SYSTEM:
      - Vendor: DigitalOcean

   - BIOS:
      - Date: 12/12/2017
      - Release: 1.0
      - Version: 20171212

   - OS:
      - ID: ubuntu
      - ID Like: debian
      - Name: Ubuntu 22.04.3 LTS
      - Version codename: jammy
      - Version ID: 22.04

   - UNAME:
      - Domainname: (none)
      - Machine: x86_64
      - Nodename: prometheus-demo
      - Release: 5.15.0-89-generic
      - Sysname: Linux
      - Version: 99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023

   - TIMEZONE:
      - Location: UTC

   - SELINUX:
      - Status: OFF

   - Info of /sys/block/<block_device>:
      - vda

   - Info of node_filesystem_files:
      - /dev/vda1",fstype="ext4",mountpoint="/"
      - /dev/vda15",fstype="vfat",mountpoint="/boot/efi"
      - tmpfs",fstype="tmpfs",mountpoint="/run"
      - tmpfs",fstype="tmpfs",mountpoint="/run/lock"

   - NETWORK devices:
      - eth0
      - lo

   [SNIPPED]

4- You now have enough interesting information to attempt other types of 
attack (e.g. via a CVE).
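The output above is just the label data of the exporter's own "info" metrics. As an added example (not part of this announcement or of the Prommetrix code), here is a small Python audit helper that parses a constructed node_exporter text-exposition sample, summarises the host facts a scrape discloses, and classifies whether an endpoint answers 401 (web config in place) or serves node_* metrics unauthenticated:

```python
import re
# Constructed sample of a node_exporter text-exposition response; not captured from a real host.
SAMPLE_BODY = """\
# HELP node_os_info A metric with a constant '1' value labeled by the os-release fields.
node_os_info{id="ubuntu",id_like="debian",pretty_name="Ubuntu 22.04.3 LTS",version_codename="jammy",version_id="22.04"} 1
node_uname_info{machine="x86_64",nodename="prometheus-demo",release="5.15.0-89-generic",sysname="Linux"} 1
node_dmi_info{bios_date="12/12/2017",bios_version="20171212",system_vendor="DigitalOcean"} 1
node_filesystem_files{device="/dev/vda1",fstype="ext4",mountpoint="/"} 3.2768e+06
node_filesystem_files{device="tmpfs",fstype="tmpfs",mountpoint="/run"} 1.23e+05
node_cpu_seconds_total{cpu="0",mode="idle"} 1.234e+05
go_info{version="go1.21.4"} 1
"""

# One sample line: metric name, optional {labels}, value (a trailing timestamp is ignored).
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
# Label values may contain escaped quotes, commas and '=', so the label list is not split on ','.
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_samples(body):
    """Yield (metric_name, labels_dict, value) for every non-comment line of the exposition."""
    for line in body.splitlines():
        m = SAMPLE_RE.match(line)
        if line.startswith("#") or not m:
            continue
        name, raw_labels, value = m.groups()
        labels = {k: v.replace('\\"', '"') for k, v in LABEL_RE.findall(raw_labels or "")}
        yield name, labels, float(value)


def disclosed_facts(body):
    """Summarise the host-identifying data an unauthenticated reader obtains from one scrape."""
    facts = {"info": {}, "filesystems": [], "cpus": set()}
    for name, labels, _ in parse_samples(body):
        if name.endswith("_info"):  # *_info metrics carry their facts purely as labels
            facts["info"][name] = labels
        elif name == "node_filesystem_files":
            facts["filesystems"].append((labels["device"], labels["fstype"], labels["mountpoint"]))
        elif name == "node_cpu_seconds_total":
            facts["cpus"].add(labels["cpu"])
    facts["cpus"] = len(facts["cpus"])
    return facts


def classify_response(status, body):
    """'auth-required' (401/403), 'exposed' (node_exporter readable) or 'no-node-exporter'."""
    if status in (401, 403):
        return "auth-required"
    leaks = any(n.startswith("node_") for n, _, _ in parse_samples(body))
    return "exposed" if status == 200 and leaks else "no-node-exporter"
```

Endpoints that classify as "exposed" are the ones to move behind the exporter-toolkit web config file (`tls_server_config` and `basic_auth_users`), the mechanism that Prometheus 2.24.0 introduced through its `--web.config.file` flag.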

---------

Screenshots (examples):

- https://03c8.net/images/prommetrix_banner.png

- https://03c8.net/images/prommetrix_poc.png

- https://03c8.net/images/prommetrix_poc2.png

---------

Code/Packages:

* [source]:

   - https://code.03c8.net/epsylon/prommetrix

* [mirror1]:

   - https://github.com/epsylon/prommetrix

---------

Happy leaking!


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
