[CVE-2020-13379] Unauthenticated DoS on Grafana 3.0.1 - 7.0.1

Went looking for Copper, found Gold 😆

Researchers:

Mayank Malik (mostwanted002@protonmail.com)

Kartik Sharma (98kartik.sharma@gmail.com)

Severity: Medium

Version: 3.0.1 to 7.0.1

Vulnerable Endpoint: http://<grafanaHost>/avatar/*

Overview

Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 in the /avatar feature, through which an attacker was able to perform a Server-Side Request Forgery (SSRF) attack.

We learned about this vulnerability and set up a lab to reproduce its impact.

Environment for testing:

Docker Image grafana/grafana:5.3.2

Testing

  1. During our testing, a certain kind of payload, resembling an SSTI payload, caused a SegFault in Grafana’s backend when appended to the endpoint, crashing the primary application until it is restarted.

  2. Working PoC

  3. The payload used in the above PoC is the URL-encoded string {{printf "%s" "this.Url"}}, appended to /avatar/.

  4. The complete malicious URL looks like:

     http://grafanaserver/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D

  5. A GET HTTP request to the above URL crashes the backend application with a SEGFAULT, shutting down the Grafana application completely. The attacker does not require any authentication to perform the attack.

Request: (screenshot, request.png)

Response: (screenshot, response.png)

Backend: (screenshot, backend.png)

Conclusion

Impact:

This vulnerability crashes the grafana-server application outright, resulting in a Denial of Service (DoS) scenario.
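As an added defensive example (not part of the original write-up), the following Python scans web-server access-log lines for requests to the /avatar/ endpoint whose decoded path carries the {{ … }} template delimiters described above, so that attempts can be alerted on from a reverse proxy log. The log layout, the sample lines, and the assumption that legitimate avatar ids are 32-character hex hashes are constructed for this example, not taken from the page.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style, not real Grafana output).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2020:10:01:02 +0000] "GET /avatar/0cc175b9c0f1b6a831c399e269772661 HTTP/1.1" 200 1234
10.0.0.5 - - [03/Jun/2020:10:01:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 812
10.0.0.9 - - [03/Jun/2020:10:02:11 +0000] "GET /avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D HTTP/1.1" 502 0
10.0.0.9 - - [03/Jun/2020:10:02:12 +0000] "GET /avatar/{{printf%20%22%25s%22%20%22this.Url%22}} HTTP/1.1" 502 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TEMPLATE_RE = re.compile(r"\{\{.*\}\}", re.DOTALL)
# Assumption: a legitimate avatar id is a 32-character hex (md5) hash.
HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def decode_path(path: str) -> str:
    """Percent-decode repeatedly so double-encoded delimiters (%257B -> %7B -> {) are caught."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def classify_request(path: str) -> Optional[str]:
    """Return a finding label for a request path, or None if it looks benign."""
    decoded = decode_path(path.split("?", 1)[0])
    if not decoded.startswith("/avatar/"):
        return None
    segment = decoded[len("/avatar/"):]
    if TEMPLATE_RE.search(segment):
        return "cve-2020-13379-template-payload"
    if not HASH_RE.match(segment):
        return "avatar-unexpected-id"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client ip, finding label, raw path) for every suspicious /avatar/ request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("path"))
        if label:
            findings.append((m.group("ip"), label, m.group("path")))
    return findings


if __name__ == "__main__":
    for ip, label, raw in scan_log(SAMPLE_LOG):
        print(f"{label}: {ip} {raw}")
```

A hit on the template label is a strong signal; the unexpected-id label is noisier and worth tuning against your own traffic before alerting on it.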

Mayank Malik
ISC2 CC | Threat and Malware Analyst | Incident Response | Security Researcher

I am a tech-savvy person, Threat & Malware Analyst, and like to wander around to learn new stuff. Malware Analysis, Cryptography, Networking, and System Administration are some of my fortes. I’m also a geek for computer hardware and everything around it. One of the Founding Members of CTF Team, Abs0lut3Pwn4g3. Team member at HashMob.net. Apart from the mentioned skills, I have good communication skills and am a goal-driven person. Yellow belt holder at pwn.college in pursuit of learning and achieving Blue Belt.