projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

False negatives in Prometheus templates #3204

Closed alph4byt3 closed 2 years ago

alph4byt3 commented 2 years ago

Template file:

All related Prometheus templates, namely:

https://github.com/projectdiscovery/nuclei-templates/blob/master/exposed-panels/prometheus-exposed-panel.yaml
https://github.com/projectdiscovery/nuclei-templates/blob/master/exposures/configs/prometheus-targets-endpoint.yaml
https://github.com/projectdiscovery/nuclei-templates/blob/master/exposures/configs/prometheus-flags-endpoint.yaml
https://github.com/projectdiscovery/nuclei-templates/blob/master/exposures/configs/prometheus-config-endpoint.yaml

Description

If you take a look at https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/, you will notice that a Shodan search query is given to find exposed Prometheus panels: http.favicon.hash:-1399433489

After I did some searching around, I found that there are a lot of panels being hosted on port 9090 as well.

Because none of the templates sends a request to port 9090, they can miss panels that are hosted on that port. For example:

I modified the following template to include the check for port 9090 as well...

id: prometheus-config-endpoint

info:
  name: Prometheus config API endpoint
  author: geeknik
  severity: info
  description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials configuration field with the placeholder <secret> (although this still leaks the username).
  reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
  tags: prometheus,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/status/config"
      - "{{BaseURL}}:9090/api/v1/status/config"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'job_name:'
          - '{"status":"success","data":'
          - 'targets:'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

I took some endpoints exposed on Shodan and tested them; the template returned results where it didn't before I modified it.

[Screenshot 2021-11-25 152315]

Here's another example with the panel template:

[Screenshot 2021-11-25 153620]

I also noticed that some URLs include the word prometheus, so it might be a good idea to add that path as well, as seen below:

[Screenshot 2021-11-25 152632]

Something else I'd like to mention: wouldn't it be better to mark these templates with a different severity? The reason is that if we look at the article https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/ carefully, it explains in detail what kind of sensitive information can be leaked by misconfigured instances, including cloud service metadata.

I was actually creating my own Prometheus templates to share, and when I saw that they already existed I went to check on them and saw that they aren't doing checks on port 9090, which is what brought me here.

I hope this helps.
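As an added illustration of what the template above actually matches on (this is my own example, not code from the nuclei project or from the issue author): the three matchers are re-implemented in plain Python and run against a constructed response from /api/v1/status/config. The sample config, the response dict and the helper names (build_response, template_matches, leaked_credentials, inspect_response) are all mine. Two details worth seeing in working code: the config comes back as one YAML string inside the JSON envelope, so 'job_name:' and 'targets:' are matched inside that string; and the literal '{"status":"success","data":' only matches the compact JSON Prometheus emits, so a proxy that re-serialises the body with whitespace silently turns the finding into a false negative. The last helper shows why the description's point about <secret> matters: the password is masked, the username and the internal scrape targets are not.

```python
import json
import re

# Constructed sample (not captured from any real host) of what an
# unauthenticated Prometheus returns for GET /api/v1/status/config:
# a JSON envelope whose "yaml" field holds the whole config as one string.
# The template's word matcher therefore looks for 'job_name:' and
# 'targets:' inside that string, and Prometheus has already replaced the
# basic_auth password with the <secret> placeholder.
SAMPLE_CONFIG_YAML = """global:
  scrape_interval: 15s
scrape_configs:
- job_name: prometheus
  static_configs:
  - targets:
    - localhost:9090
- job_name: node
  basic_auth:
    username: metrics-reader
    password: <secret>
  static_configs:
  - targets:
    - 10.0.0.5:9100
"""


def build_response(pretty=False):
    """Build a constructed HTTP response. Prometheus (Go encoding/json) emits
    compact JSON; pretty=True imitates a proxy that re-serialises the body
    with whitespace, which is enough to defeat the literal word match."""
    payload = {"status": "success", "data": {"yaml": SAMPLE_CONFIG_YAML}}
    if pretty:
        body = json.dumps(payload, indent=2)
    else:
        body = json.dumps(payload, separators=(",", ":"))
    return {"status": 200, "headers": {"Content-Type": "application/json"}, "body": body}


# Matchers transcribed from the template above (matchers-condition: and).
BODY_WORDS = ["job_name:", '{"status":"success","data":', "targets:"]  # condition: and
HEADER_WORDS = ["application/json"]                                    # default condition: or


def template_matches(resp):
    """Evaluate the three matchers the way nuclei would: all must pass."""
    status_ok = resp["status"] == 200
    body_ok = all(w in resp["body"] for w in BODY_WORDS)
    raw_headers = "\r\n".join(f"{k}: {v}" for k, v in resp["headers"].items())
    header_ok = any(w in raw_headers for w in HEADER_WORDS)
    return status_ok and body_ok and header_ok


def leaked_credentials(config_yaml):
    """Pull (username, password-as-shown) pairs out of basic_auth blocks.
    The password is masked as <secret>; the username is not. Hypothetical
    helper that assumes the username-then-password field order shown above."""
    pat = re.compile(r"basic_auth:\n\s+username:\s*(\S+)\n\s+password:\s*(\S+)")
    return [(m.group(1), m.group(2)) for m in pat.finditer(config_yaml)]


def inspect_response(resp):
    """What a hit on this endpoint hands an attacker: job names, scrape
    targets (internal hosts and ports) and usernames. None if no match."""
    if not template_matches(resp):
        return None
    cfg = json.loads(resp["body"])["data"]["yaml"]
    return {
        "jobs": re.findall(r"job_name:\s*(\S+)", cfg),
        "targets": re.findall(r"-\s+([\w.\-]+:\d+)", cfg),
        "basic_auth": leaked_credentials(cfg),
    }


if __name__ == "__main__":
    print(inspect_response(build_response()))             # full finding
    print(inspect_response(build_response(pretty=True)))  # None: whitespace broke the literal match
```

If you copy the template for your own use, the pretty-printed case is the one to keep in mind when a target sits behind a rewriting proxy: a looser word matcher such as '"status":"success"' together with 'job_name:' would survive re-serialisation.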

ehsandeep commented 2 years ago

@alph4byt3 thanks for pointing this out, but this is something we have discussed a few times in GH issues or Discord in the past. If you are running nuclei, it is expected that you are running it on port-scanned/probed URLs, i.e. subfinder | dnsx | naabu | httpx | nuclei, which will have https://example.com:9090 as input if it exists, and the templates will be matched against those hosts as well.
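An added example (mine, not nuclei's code or the issue author's) modelling how the two paths of the modified template expand for different inputs. It assumes the documented meaning of {{BaseURL}}: the input URL as given, scheme://host[:port], without a trailing slash; the helper names (base_url, render, is_valid_url, plan, expand_targets) are mine. It shows the point made in the reply above, that with port-probed input such as https://example.com:9090 the unmodified first path already reaches port 9090, and it also shows a caveat of the modified template that is easy to miss: `{{BaseURL}}:9090` yields a malformed URL whenever the input already carries a port, which is exactly what a naabu | httpx stage feeds in. expand_targets is the input-side alternative, adding the :9090 variant to the target list instead of to the template.

```python
from urllib.parse import urlsplit

# Paths copied from the modified template above.
TEMPLATE_PATHS = [
    "{{BaseURL}}/api/v1/status/config",
    "{{BaseURL}}:9090/api/v1/status/config",
]


def base_url(target):
    """Model {{BaseURL}}. Assumption (from the documented meaning of the
    variable): the input URL as given, scheme://host[:port], trailing slash
    stripped. Nothing is normalised, so an explicit port is kept verbatim."""
    u = urlsplit(target.rstrip("/"))
    return f"{u.scheme}://{u.netloc}"


def render(paths, target):
    """Expand {{BaseURL}} in every template path for one input URL."""
    return [p.replace("{{BaseURL}}", base_url(target)) for p in paths]


def is_valid_url(url):
    """False when the authority is unusable, e.g. host:8443:9090 after
    appending ':9090' to an input that already had a port."""
    try:
        u = urlsplit(url)
        port_ok = u.port is None or 0 < u.port < 65536  # .port raises on '8443:9090'
        return u.scheme in ("http", "https") and u.hostname is not None and port_ok
    except ValueError:
        return False


def plan(paths, targets):
    """(target, rendered path, valid?) for every request nuclei would send."""
    return [(t, p, is_valid_url(p)) for t in targets for p in render(paths, t)]


def expand_targets(targets, extra_port=9090):
    """Input-side alternative to editing the template: for every target
    without an explicit port, also emit the :extra_port variant (what a
    naabu -p ...,9090 | httpx stage would have produced), keeping originals."""
    out = []
    for t in targets:
        out.append(t)
        u = urlsplit(t.rstrip("/"))
        if u.port is None:
            out.append(f"{u.scheme}://{u.hostname}:{extra_port}")
    return out


if __name__ == "__main__":
    # Constructed inputs: one bare host (80/443 probing only) and one port-probed host.
    targets = ["https://example.com", "https://example.com:8443"]
    for target, path, ok in plan(TEMPLATE_PATHS, targets):
        print(f"{'ok ' if ok else 'BAD'} {target:28} -> {path}")
    # The unmodified first path alone covers 9090 once the input list does.
    print(plan(TEMPLATE_PATHS[:1], expand_targets(targets)))
```

With the original, unmodified template and an expanded input list, every rendered URL is well-formed and port 9090 is still covered; with the modified template and port-probed input, half the requests go to host:port:9090 and are wasted. Keeping the port on the input side is therefore the safer way to get the coverage the issue asks for.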

alph4byt3 commented 2 years ago

Hi @ehsandeep, thanks for the reply. I was wondering, though, what about doing mass scanning on, say, 5k-10k URLs? Maybe it's just me then, because I only probe for ports 80 and 443 across 150k+ subdomains. But I understand what you mean; I guess I'll make a copy of the templates like this and modify them to my needs, in this case adding the port.

ehsandeep commented 2 years ago

@alph4byt3 closing as no action is needed here. About severity: info may not represent the correct impact, but as we can read in the blog, the impact is subject to change depending on the information available in the response, so we cannot pre-evaluate it and use either of the available severities. I've moved those templates to https://github.com/projectdiscovery/nuclei-templates/tree/master/misconfiguration/prometheus for visibility. Thanks again for flagging this.