[CVE-2020-13379] Unauthenticated DoS on Grafana 3.0.1 - 7.0.1

Went looking for Copper, found Gold 😆

Researchers:

Mayank Malik ([email protected])

Kartik Sharma ([email protected])

Severity: Medium

Version: 3.0.1 to 7.0.1

Vulnerable Endpoint: http://<grafanaHost>/avatar/*

Overview

Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 in the /avatar feature, through which an attacker was able to perform a Server Side Request Forgery (SSRF) attack.

We learned of this vulnerability and built a lab to reproduce its impact.

Environment for testing:

Docker Image grafana/grafana:5.3.2

Testing

  1. During our testing, a payload resembling a Server Side Template Injection (SSTI) payload, when appended to the endpoint, caused a segmentation fault (SegFault) in Grafana’s backend, crashing the primary application permanently.

  2. Working PoC

  3. The payload used in the above PoC is the URL-encoded string {{printf "%s" "this.Url"}}, appended to /avatar/.

  4. The complete malicious URL looks like:

     http://grafanaserver/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D

  5. A GET HTTP request to the above URL crashes the backend application with a SEGFAULT, shutting down the Grafana application completely. The attacker does not require any authentication to perform the attack.

Request: [screenshot: request.png]

Response: [screenshot: response.png]

Backend: [screenshot: backend.png]
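As an added example (not part of the original write-up), the following Python script scans access-log lines for requests to the /avatar/ endpoint whose URL-decoded path contains Go template delimiters, the pattern the PoC above relies on. The log lines, client IPs and the common-log-format layout are constructed assumptions; the double-decoding loop is there so a URL-encoded or double-encoded payload is caught the same way.

```python
"""Flag requests to Grafana's /avatar/ endpoint whose path carries Go
template delimiters ({{ ... }}), the request shape behind CVE-2020-13379.
Log lines are constructed samples in common access-log format, not real
traffic; the IPs and timestamps are made up."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2020:10:00:01 +0000] "GET /avatar/3b3be63a4c2a439b013787725dfce802 HTTP/1.1" 200 1234
10.0.0.9 - - [01/Jul/2020:10:00:07 +0000] "GET /avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D HTTP/1.1" 502 0
10.0.0.9 - - [01/Jul/2020:10:00:09 +0000] "GET /api/health HTTP/1.1" 200 15
10.0.0.7 - - [01/Jul/2020:10:00:12 +0000] "GET /avatar/%257B%257Bprintf%20x%257D%257D HTTP/1.1" 502 0
"""

# Request line inside the quotes: METHOD PATH HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Go text/template action delimiters, possibly spanning the whole path.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def decode_template_probe(path: str, max_rounds: int = 3) -> Optional[str]:
    """If `path` targets /avatar/ and, after up to `max_rounds` of URL
    decoding (to catch double-encoding), contains {{ ... }}, return the
    decoded path; otherwise return None."""
    if not path.startswith("/avatar/"):
        return None
    decoded = path
    for _ in range(max_rounds + 1):
        if TEMPLATE_RE.search(decoded):
            return decoded
        nxt = unquote(decoded)
        if nxt == decoded:          # nothing left to decode
            return None
        decoded = nxt
    return None


def find_avatar_probes(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_path) for each suspicious /avatar/ request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_template_probe(m.group("path"))
        if decoded is not None:
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, path in find_avatar_probes(SAMPLE_LOG):
        print(f"ALERT {ip} requested {path}")
```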

Conclusion

Impact:

This vulnerability crashes the grafana-server application completely, resulting in a Denial of Service (DoS) scenario.

Mayank Malik
CRTP | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech-savvy person, Red Team enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administration are his forte. He’s one of the founding members of the CTF team Abs0lut3Pwn4g3 and a core member at DC 91120 (DEFCON Community Group). Apart from the skills mentioned, he has strong communication skills and is a goal-oriented person.