CyberSecurity

Contents Disclamer Introduction ContiLeaks Zipped Locker Unzipped Locker backdoor.js Source Code Analysis: Locker Initialization Command Line Arguments Modifying the Code Searching for Files Cryptanalysis Source Code Analysis: Decryptor Cryptanalysis Performance Conclusion 1. Disclaimer I won’t be releasing/sharing exact complete source-code out of respect to the person because of whom this all was possible. The twitter user @ContiLeaks. Also because of the security risks that are associated with such piece of software.

Researchers: Mayank Malik ([email protected]) Kartik Sharma ([email protected]) Severity: Medium Version: 3.0.1 to 7.0.1 Vulnerable Endpoint: http://<grafanaHost>/avatar/* Overview Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 on the /avatar feature through which an attacker/adversary was able to perform Server Side Request Forgery (SSRF) attack. We came to know about this vulnerability and created a lab for reproducing the same impact.