Land rapid7#19752, Prometheus pprof endpoint check

msutovsky-r7 · msutovsky-r7 · commit 99e95dd760d2 · 2025-01-16T10:50:58.000+01:00
diff --git a/modules/auxiliary/gather/prometheus_api_gather.rb b/modules/auxiliary/gather/prometheus_api_gather.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
           'h00die'
         ],
         'References' => [
-          ['URL', 'https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/']
+          ['URL', 'https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/'],
+          ['URL', 'https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/']
         ],
 
         'Targets' => [
@@ -145,6 +146,14 @@ def run
     json = res.get_json_document
     fail_with(Failure::UnexpectedReply, "#{peer} - Unable to parse JSON document") unless json
     print_good("Config file: #{json.dig('data', 'config.file')}") if json.dig('data', 'config.file')
+
+    # check for pprof
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'debug', 'pprof/'), # include trailing /
+      'method' => 'GET'
+    )
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+    print_good("#{peer}#{target_uri.path}debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.") if res.code == 200 && res.body.include?('Profile Descriptions')
   rescue ::Rex::ConnectionError
     fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
   end
diff --git a/modules/auxiliary/gather/prometheus_node_exporter_gather.rb b/modules/auxiliary/gather/prometheus_node_exporter_gather.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://github.com/prometheus/node_exporter'],
-          ['URL', 'https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/']
+          ['URL', 'https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/'],
+          ['URL', 'https://www.aquasec.com/blog/300000-prometheus-servers-and-exporters-exposed-to-dos-attacks/']
         ],
 
         'Targets' => [
@@ -308,6 +309,14 @@ def run
     ].each do |table|
       print_good(table.to_s) if !table.rows.empty?
     end
+
+    # check for pprof
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'debug', 'pprof/'), # include trailing /
+      'method' => 'GET'
+    )
+    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+    print_good("#{peer}#{target_uri.path}debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.") if res.code == 200 && res.body.include?('Profile Descriptions')
   rescue ::Rex::ConnectionError
     fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
   end
