[CVE-2020-13379] Unauthenticated DoS on Grafana 3.0.1 - 7.0.1
Went looking for Copper, found Gold 😆
Researchers:
Mayank Malik ( mostwanted002@protonmail.com)
Kartik Sharma ( 98kartik.sharma@gmail.com)
Severity: Medium
Version: 3.0.1 to 7.0.1
Vulnerable Endpoint: http://<grafanaHost>/avatar/*
Overview
Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s
patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 on the /avatar
feature through which an attacker/adversary was able to perform
Server Side Request Forgery (SSRF) attack.
We came to know about this vulnerability and created a lab for reproducing the same impact.
Environment for testing:
Docker Image grafana/grafana:5.3.2
Testing
-
During our testing, a certain kind of payload that looked similar to an SSTI payload when appended to the endpoint resulted in a SegFault in Grafana’s backend, crashing the primary application permanently.
-
The payload used in above PoC is URL encoded string
{{printf "%s" "this.Url"}}
, appended to/avatar/
. -
The complete malicious URL looks like
http://grafanaserver/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D
- A GET HTTP request to the above URL will crash the backend application with the SEGFAULT, shutting down the Grafana application completely. The attacker doesn’t require any authentication to perform the attack.
Request:
Response:
Backend:
Conclusion
Impact:
This vulnerability results in complete crashing of the grafana-server application resulting a Denial of Service (DoS) attack scenario.