
add check for prometheus pprof endpoints #19752

Merged
merged 2 commits into from
Jan 16, 2025

Conversation

h00die (Contributor) commented Dec 19, 2024

Fix #19728

Adds a check for the two prometheus modules to check for the newly documented /debug/pprof/ endpoint that can have an information disclosure and DoS.

Verification

  • Use Docker images as noted in the previous documents; :latest still works for both.
  • use modules/auxiliary/gather/prometheus_node_exporter_gather
  • run
  • Verify the last line mentions finding the endpoint
  • use modules/auxiliary/gather/prometheus_api_gather
  • run
  • Verify the last line mentions finding the endpoint

bcoles (Contributor) commented Dec 28, 2024

As the checks for /debug/pprof/ are located at the end of the run method, any failure during information gathering will cause these checks to be skipped.

Tested successfully in a known good configuration:

msf6 auxiliary(gather/prometheus_api_gather) > run
[*] Running module against 192.168.200.202
[+] Prometheus found, version: 2.37.4
[+] YAML config saved to /root/.msf4/loot/20241227205847_default_192.168.200.202_PrometheusYAML_952326.yaml
[+] JSON targets saved to /root/.msf4/loot/20241227205847_default_192.168.200.202_PrometheusJSON_671434.json
[+] Config file: prometheus.yml
[+] 192.168.200.202:9090/debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/prometheus_node_exporter_gather) > run
[*] Running module against 192.168.200.202
[+] Go Version: go1.19.3
[+] SELinux enabled: 0
[+] Timezone: UTC
[+] BIOS Information
================

[redacted]

[+] OS Information
==============

  Field             Value
  -----             -----
  Family            ubuntu
  Name              Ubuntu
  Pretty Name       Ubuntu 22.04 LTS
  Version           22.04 (Jammy Jellyfish)
  Version Codename  jammy
  Version ID        22.04

[+] Network Interfaces
==================

[redacted]

[+] File Systems
============

[redacted]

[+] uname Information
=================

  Field        Value
  -----        -----
  Arch         x86_64
  Domain Name  (none)
  Node Name    ubuntu22
  OS Type      Linux
  Release      6.8.0-49-generic
  Version      #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2

[+] 192.168.200.202:9100/debug/pprof/ found, potential DoS and information disclosure. Should be manually reviewed.
[*] Auxiliary module execution completed

> Adds a check for the two prometheus modules to check for the newly documented /debug/pprof/ endpoint that can have an information disclosure and DoS.

Exposed pprof is a long-known issue in node exporter (and Prometheus):

/debug/pprof is not exclusive to the Prometheus ecosystem. Information disclosure and denial of service were discussed in 2017:

As the underlying issue is due to the pprof library, and the functionality is mapped to a static route /debug/pprof/ by default, perhaps these checks would be better suited to a separate scanner module.
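A stand-alone version of the check discussed above, written for this page as an added example (it is not the Metasploit modules' code and not part of the PR): it fetches /debug/pprof/ and decides from the body whether Go's net/http/pprof index is being served, so a catch-all page that answers 200 to any path is not reported. The host, port, file name and the sample HTML are constructed for the example; the sample follows the layout of the index page Go's pprof handler renders.

```ruby
require 'net/http'

# Profiles Go's net/http/pprof index links to. cmdline returns the process
# argv (flags, sometimes secrets); goroutine?debug=2 dumps every stack;
# profile and trace run CPU profiling/tracing for the requested number of
# seconds, which is the load-generating side of the exposure.
KNOWN_PPROF_PROFILES = %w[allocs block cmdline goroutine heap mutex profile threadcreate trace].freeze

# Constructed sample (not captured from a real host) shaped like the HTML
# Go's pprof index handler renders, trimmed to what the detection reads.
SAMPLE_PPROF_INDEX = <<~HTML.freeze
  <html><head><title>/debug/pprof/</title></head>
  <body>
  /debug/pprof/<br>
  Types of profiles available:
  <table>
  <thead><td>Count</td><td>Profile</td></thead>
  <tr><td>0</td><td><a href=allocs>allocs</a></td></tr>
  <tr><td>0</td><td><a href=block>block</a></td></tr>
  <tr><td>0</td><td><a href=cmdline>cmdline</a></td></tr>
  <tr><td>12</td><td><a href=goroutine>goroutine</a></td></tr>
  <tr><td>0</td><td><a href=heap>heap</a></td></tr>
  <tr><td>0</td><td><a href=mutex>mutex</a></td></tr>
  <tr><td>0</td><td><a href=profile>profile</a></td></tr>
  <tr><td>8</td><td><a href=threadcreate>threadcreate</a></td></tr>
  <tr><td>0</td><td><a href=trace>trace</a></td></tr>
  </table>
  <a href="goroutine?debug=2">full goroutine stack dump</a>
  </body></html>
HTML

# Profile names linked from an index body, in page order. Links render as
# href=allocs or href="goroutine?debug=2", sometimes with the full path.
def advertised_profiles(body)
  body.scan(%r{href=["']?(?:/debug/pprof/)?([a-z]+)}).flatten.uniq & KNOWN_PPROF_PROFILES
end

# True only for a 200 whose body names the route and links at least two
# known profiles, so a catch-all page that answers 200 to any path (an SPA
# front end, a reverse proxy error page) is not reported as pprof.
def pprof_index?(status, body)
  status.to_i == 200 && body.include?('/debug/pprof/') && advertised_profiles(body).length >= 2
end

# Probe one host:port. Only the index is fetched; no profile is started, so
# the probe adds no load to the target. Never raises, so callers can loop
# over many targets without an earlier failure skipping later ones.
def probe_pprof(host, port, path: '/debug/pprof/', timeout: 5, tls: false)
  http = Net::HTTP.new(host, port)
  http.use_ssl = tls
  http.open_timeout = timeout
  http.read_timeout = timeout
  res = http.request(Net::HTTP::Get.new(path))
  body = res.body.to_s
  { host: host, port: port, status: res.code.to_i,
    exposed: pprof_index?(res.code, body), profiles: advertised_profiles(body) }
rescue StandardError => e
  { host: host, port: port, status: nil, exposed: false, profiles: [], error: e.message }
end

if $PROGRAM_NAME == __FILE__
  # Offline run on the constructed sample, then a live probe if a target was
  # given, e.g.:  ruby pprof_check.rb 192.168.200.202 9090
  puts "sample: exposed=#{pprof_index?(200, SAMPLE_PPROF_INDEX)} profiles=#{advertised_profiles(SAMPLE_PPROF_INDEX).join(',')}"
  if ARGV.length == 2
    r = probe_pprof(ARGV[0], ARGV[1].to_i)
    if r[:exposed]
      puts "[+] #{r[:host]}:#{r[:port]}/debug/pprof/ found (#{r[:profiles].join(', ')}); review manually"
    else
      puts "[-] #{r[:host]}:#{r[:port]}: #{r[:error] || "HTTP #{r[:status]}"}"
    end
  end
end
```

Because the probe is independent of any other gathering, it runs even when the YAML/targets or node_exporter metric retrieval fails, which is the ordering problem raised about putting the check at the end of run. Requiring the route name plus two linked profile names is what keeps a generic 200 response from producing a false positive.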

msutovsky-r7 self-assigned this Jan 13, 2025

msutovsky-r7 (Contributor) left a comment

Hi @h00die, the code seems okay, only with one small detail. If there's a PoC for denial of service, it might be good to consider making a separate module with this PoC as well. Is the underlying issue for Prometheus DoS/Info Disclosure the same as for other Kubernetes systems?

Review comment on modules/auxiliary/gather/prometheus_api_gather.rb (outdated; resolved)
msutovsky-r7 (Contributor) left a comment

I don't see any issues with the code.

msutovsky-r7 merged commit 99e95dd into rapid7:master Jan 16, 2025
37 checks passed
msutovsky-r7 added the rn-enhancement (release notes enhancement) label Jan 16, 2025
msutovsky-r7 (Contributor)

Release Notes

This enhancement adds checks for the presence of pprof for Prometheus. It can detect potential denial-of-service or information leakage associated with the pprof package.

h00die deleted the prometheus_update branch January 16, 2025 21:21

Labels: enhancement, rn-enhancement (release notes enhancement)
Projects: Status: Done
Linked issue: Check and Expand Prometheus Module
3 participants