- Status Closed
-
Assigned To
cbay - Private
Opened by freetb - 15.02.2024
Last edited by cbay - 16.02.2024
FS#30 - Information Disclosure on cAdvisor software via Origin IP
Description
I discovered that cAdvisor, a container monitoring and management tool, is exposed to the public internet. Using OSINT techniques, this endpoint was discovered on one of the company servers. This information disclosure could potentially be used by attackers for various malicious purposes, such as mapping vulnerable targets or launching further attacks.
Proof-of-Concept
To demonstrate this issue, we can access the cAdvisor web interface via the URLs;
http://185.31.41.177:8000/containers/ http://185.31.41.177:8000/metrics/ http://185.31.41.177:8000/api/v1.0/machine http://185.31.41.177:8000/containers/user.slice http://185.31.41.177:8000/containers/system.slice
Browse through the URIs for more information on processes running, users involved, resource usage, container names e.t.c.
Mitigation
Restrict access to cAdvisor. Limit access to the cAdvisor interface to trusted users or networks only.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
That IP address is a sandbox (as you can guess by looking up the reverse hostname) which is being used for tests. There's nothing valuable you can get from it. In particular, no actual client data or information is on that server.
Kind regards,
Cyril