diff --git a/cves/2020/CVE-2020-7943.yaml b/cves/2020/CVE-2020-7943.yaml
new file mode 100644
index 00000000000..1f5454db70d
--- /dev/null
+++ b/cves/2020/CVE-2020-7943.yaml
@@ -0,0 +1,38 @@
+id: CVE-2020-7943
+
+info:
+ name: Puppet Server and PuppetDB sensitive information disclosure
+ severity: high
+ author: c-sh0
+ description: Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information
+ reference:
+ - https://puppet.com/security/cve/CVE-2020-7943
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-7943
+ - https://tickets.puppetlabs.com/browse/PDB-4876
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2020-7943
+ cwe-id: CWE-276
+ tags: cve,cve2020,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/metrics/v1/mbeans"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: word
+ part: body
+ words:
+ - "trapperkeeper"
diff --git a/exposed-panels/puppetboard-panel.yaml b/exposed-panels/puppetboard-panel.yaml
new file mode 100644
index 00000000000..756a13079d7
--- /dev/null
+++ b/exposed-panels/puppetboard-panel.yaml
@@ -0,0 +1,22 @@
+id: puppetboard-panel
+
+info:
+ name: Puppetlabs Puppetboard
+ author: c-sh0
+ severity: info
+ metadata:
+ shodan-query: http.title:"Puppetboard"
+ tags: panel,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Puppetboard"
\ No newline at end of file
diff --git a/technologies/puppetdb-detect.yaml b/technologies/puppetdb-detect.yaml
new file mode 100644
index 00000000000..b5d55d64bf4
--- /dev/null
+++ b/technologies/puppetdb-detect.yaml
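Review bot: The `description` in CVE-2020-7943.yaml is one long plain scalar; nuclei's `info.description` is free text, so writing it as a folded block (`description: >-` followed by the wrapped sentence) keeps the line length in check without changing the value. It should also say what a hit means: the three matchers only establish that `/metrics/v1/mbeans` answers 200 with a JSON body mentioning `trapperkeeper`, i.e. the v1 metrics API is reachable without credentials — they do not distinguish Puppet Server from PuppetDB and do not confirm a vulnerable version, so a sentence such as `A 200/JSON response from /metrics/v1/mbeans indicates the unauthenticated v1 metrics API is enabled` belongs in the description. `cvss-score: 7.50` can be written as `7.5`; the trailing zero adds nothing and the value is a float either way.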
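Review bot: The only matcher in puppetboard-panel.yaml is the bare word `Puppetboard` anywhere in the body of `{{BaseURL}}` after up to two redirects, with no status check, so any page that merely mentions the project — a docs mirror, a README served from the web root — is reported as an exposed panel. Pair it with a `status: 200` matcher under `matchers-condition: and`, and consider the title token the shodan query already relies on (`<title>Puppetboard`) in place of the bare word, if the rendered page title is indeed that — I cannot confirm it from this hunk. Both this file and puppetserver-detect.yaml end without a trailing newline (`\ No newline at end of file`); add one so the templates lint cleanly.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # … unchanged: word matcher on "Puppetboard" …
```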
@@ -0,0 +1,34 @@
+id: puppetdb-detect
+
+info:
+ name: PuppetDB Detection
+ author: c-sh0
+ severity: info
+ reference: https://puppet.com/docs/puppetdb/7/api/meta/v1/version.html#pdbmetav1version
+ tags: puppet,tech,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pdb/meta/v1/version"
+
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: word
+ part: body
+ words:
+ - '"version"'
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - '"version"\s:\s"([0-9.]+)"'
diff --git a/technologies/puppetserver-detect.yaml b/technologies/puppetserver-detect.yaml
new file mode 100644
index 00000000000..08ee862fbb9
--- /dev/null
+++ b/technologies/puppetserver-detect.yaml
@@ -0,0 +1,35 @@
+id: puppetserver-detect
+
+info:
+ name: Puppetserver Detection
+ author: c-sh0
+ severity: info
+ reference: https://insinuator.net/2020/09/puppet-assessment-techniques/
+ tags: tech,puppet,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/puppet-ca/v1/certificate_request/{{randstr}}"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 404
+
+ - type: word
+ part: header
+ words:
+ - "x-puppet-version"
+ case-insensitive: true
+
+ - type: word
+ part: body
+ words:
+ - "{{randstr}}"
+
+ extractors:
+ - type: kval
+ kval:
+ - x_puppet_version
\ No newline at end of file
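Review bot: The `matchers:` block in puppetdb-detect.yaml has no `matchers-condition`, and nuclei's default is `or`, so the `status: 200` matcher alone satisfies the template and any host that returns 200 for `/pdb/meta/v1/version` (a catch-all virtual host, a single-page-app fallback route) is reported as PuppetDB; the CVE-2020-7943 and puppetserver-detect templates in this same commit set it, and this one should too: add `matchers-condition: and` on the line before `matchers:`. Separately, the extractor pattern `'"version"\s:\s"([0-9.]+)"'` demands exactly one whitespace character on each side of the colon, so compact JSON output (`"version":"7.10.0"`, constructed example) would match the body word but yield no extracted version; `'"version"\s*:\s*"([0-9.]+)"'` tolerates both spacings, and the actual formatting of the endpoint's response is worth confirming before relying on the stricter form.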
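Review bot: `reference:` in puppetserver-detect.yaml is a bare scalar while CVE-2020-7943.yaml in this same commit writes it as a list; keep one form across the new templates, e.g. `reference:` followed by `  - https://insinuator.net/2020/09/puppet-assessment-techniques/`. The template also lacks a `description`, and a reader has to work out from the matchers why a 404 is the expected status; one sentence such as `Looks up a random certificate_request name on the CA API and keys on the x-puppet-version header and the echoed name in the 404 response` would make the intent explicit. Placing `case-insensitive: true` on the header-word matcher is the right scope, since the header name may arrive in different casing depending on the transport.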