Read Time: 5min

Following a recent find from our 'High Frequency Generator', we will discuss how Flower, combined with security mispractice, can leak sensitive data.

TLDR;

Misconfigured Flower instances can be used to obtain sensitive credentials. See the IOL's (Indicators Of Lowz) below to find these.

What Is Flower?

Flower Web Gui

Flower is a web-based tool for monitoring and administering Celery (http://www.celeryproject.org/) clusters.

Flower offers OAuth and Basic Auth; however, neither is enabled by default. #LoSec

The web-based GUI starts on port 5555 and gives access to worker and task information, including config details.

Flower Web Gui

When browsing a worker, its configuration can be viewed. Flower does a good job of redacting data such as AWS API keys and DB passwords; however, it does reveal data such as usernames, emails, hostnames and ports, which can be useful for OSINT but isn't going to get you root or a bounty.

**OK, you said that Flower does a good job of redacting data, so you only have users and emails?**

Our 'High Frequency Generator' reported Flower to us because we observed a new banner, but we only had limited banner info available.

For us to realistically trawl the open data we need to do this programmatically, as going through the UI is very cumbersome.

Luckily, Flower also has an API: https://flower.readthedocs.io/en/latest/api.html

As we can see, the API offers GET /api/workers to list workers.

Information retrieved from the API includes the config, so it will also be easier to collate the data. Using curl we can fetch some data and take a look.

curl -q http://x.x.x.x:5555/api/workers | jq '.'

As can be seen, most sensitive data is redacted (the ADMIN_EMAIL wasn't).

      "PROJECT": {
          "KEY": "********",
          "SECRET_KEY": "********",
          "ENVIRONMENT": "local",
          "SITE_NAME": "Travel",
          "DEFAULT_FROM_EMAIL": "<Losec Redacted>@gmail.com",
          "DEBUG": true,
          "ADMIN_EMAIL": "<Losec Redacted>@gmail.com",
          "GOOGLE_PLACES_API_KEY": "********"
        },

Sifting through more data, it became apparent that workers can have args supplied. This reminded us of finding credentials in docker start args, so we did a good old grep through the data for args.

"args": "['{\"aws_iam_secret_key\": \"<LoSec Redacted>\", \"aws_iam_access_key\": \"<LoSec Redacted>\"}]"

Jackpot! Although Flower redacts password-like config variables, task arguments are not redacted, and we have AWS IAM access and secret keys.

Through trawling the args we discovered the following credential types in plaintext.

  • AWS CREDS
  • POSTGRESQL CREDS
  • REDIS CREDS
  • FACEBOOK API KEY
  • SPOTIFY API KEY

We consider this to be security mispractice: creds should never be passed as arguments in plaintext, and the service should have adequate access control.

It just so happened that Flower had made an attempt to redact the worker config variables but had not considered the arguments.
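As an added self-audit example (my own code, not from the original post or the Flower project): given a saved /api/workers response, the script below walks every worker's config and the args of its listed tasks and reports any credential-looking key that is not masked with "********", turning the programmatic trawl described above into a check you can run against your own instance. The sample response, the key pattern and the function names are constructed assumptions.

```python
import ast
import json
import re

SENSITIVE_KEY_RE = re.compile(r"secret|password|passwd|api_key|access_key|token", re.I)  # keys that must be masked
MASK = "********"  # the placeholder Flower substitutes for masked config values
# Constructed sample of a /api/workers response; not captured from a live host.
SAMPLE_WORKERS = {"celery@worker-1": {
    "conf": {"PROJECT": {"SECRET_KEY": MASK, "ADMIN_EMAIL": "admin@example.com"}, "GOOGLE_PLACES_API_KEY": MASK},
    # Flower renders task args as the repr of a Python list; here it holds one JSON string.
    "active": [{"args": "['{\"aws_iam_secret_key\": \"SECRET1\", \"aws_iam_access_key\": \"AKIA1\"}']"}],
}}

def decode_task_args(field):
    """Turn Flower's stringified args into Python objects, JSON-decoding any string items."""
    try:
        items = ast.literal_eval(field)
    except (ValueError, SyntaxError):
        return [field]  # not a Python literal: audit the raw string
    items = list(items) if isinstance(items, (list, tuple)) else [items]
    for i, item in enumerate(items):
        try:
            items[i] = json.loads(item) if isinstance(item, str) else item
        except ValueError:
            pass  # plain string, keep as-is
    return items

def _walk(obj, path, findings):
    """Collect paths whose key looks credential-like and whose value is not masked."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list, tuple)):
                _walk(value, f"{path}.{key}", findings)
            elif SENSITIVE_KEY_RE.search(str(key)) and value != MASK:
                findings.append(f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            _walk(value, f"{path}[{i}]", findings)

def find_unmasked_secrets(workers):
    """Audit each worker's config and the args of its listed tasks; return paths of unmasked secrets."""
    findings = []
    for name, info in workers.items():
        _walk(info.get("conf", {}), f"{name}.conf", findings)
        for state in ("active", "reserved", "scheduled"):
            for i, task in enumerate(info.get(state, [])):
                for j, arg in enumerate(decode_task_args(task.get("args", "[]"))):
                    _walk(arg, f"{name}.{state}[{i}].args[{j}]", findings)
    return findings
```

To audit a real instance, json.load the saved output of curl against your own /api/workers endpoint and pass it to find_unmasked_secrets(); an empty list is the goal.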

Remediation

  • Access control on the Flower web UI and API (default port 5555)
  • Avoid passing credentials in plaintext as task arguments

IOL's (Indicators Of Lowz)

  • Port: 5555
  • Request: curl -q http://x.x.x.x:5555/api/workers
  • Banner: "HTTP/1.1 200 OK" AND "TornadoServer"

* IOL's assist researchers, red teamers and bounty hunters in discovering this service; they include entities such as target port, request and response banner to narrow down open services.