How to Identify and Exploit CVE-2021-43798 - Grafana Unauthenticated Directory Traversal

Captions
What's going on YouTube, today I want to talk about the recent CVE on Grafana, I think it's CVE-2021-43798. This CVE is around a path traversal discovered on Grafana that allows you to pretty much read any file on the box without being authenticated into the application itself. So for this video I'm going to talk about why it's important to look for it, how to look for it, and how the vulnerability is exploited. This CVE, as I mentioned, doesn't require you to be authenticated; it could be affecting a ton of different organizations, and of course if you're hacking on programs that are allowing you to hack on the entire scope, that means every subdomain, every organization acquisition, every website they own, then this vulnerability could get you paid a lot.

But before we talk about the money aspect, before we talk about the PoC, before we look at it, I want to make a note and say this is a zero-day. That means that a lot of companies haven't fixed it, and there is a chance that they may decline the bounty payment for this vulnerability because of the fact that it's a zero-day and they haven't had time to fix it. So keep that in mind: just because you have a 0-day and you have the PoC for it doesn't mean that the companies are going to pay you for it. Most companies may pay for this vulnerability, but again some companies may come back and say "hey, we have a 30-day, 60-day or 90-day window where we don't pay for vulnerabilities like this one" that have been acknowledged by the company itself. So I just want to get that out of the way before we jump in.

So like I mentioned earlier, this is a path traversal. If you're not familiar with path traversals, this vulnerability allows you to pretty much get out of the web root where the actual website is being hosted, and you can actually read every file, not every file, almost every file that's hosted on the server. The reason why I say not every file is because this all depends on what user you're running this Grafana instance as, what access it has, what files it has access to and that sort of stuff. But at the end of the day it allows you to read files, and in some cases you may be able to actually pull the configuration file that may have the usernames and passwords, and maybe you can do some more stuff with it.

But before we jump into the path traversal part, I want to take a look at Grafana itself. Can I take a look at it and see what does Grafana look like, how do we identify it when we're mass scanning for subdomains against an infrastructure, and also how to actually hunt for this vulnerability en masse. So again, we're going to look at identification, we're going to look at the PoC, and then we're going to spray an entire network or a list of subdomains and domains to see if any of them are vulnerable. But before everybody comments down below and says "hey, that's illegal, you can't do this", keep in mind that everything that I've created is a lab of my own. So I've actually installed Grafana on my own, I have my own instance, so everything you see is in a lab environment that I have created. You can also do the same: all you have to do is go look up how to install Grafana, you can install that particular version and play around with it and actually exploit this thing.

All right, let's jump into the identification part. So at first glance this is what Grafana looks like when you open up the web page. Most of the time you could expect it to be hosted on port 3000, but that's not always the case. So once you load it this is what it looks like. A few things to note: it's redirecting us to /login, you can see the title says Grafana, there is a save icon, there's also text that says the version for it right here, so we can see whether or not it's vulnerable. And of course if we look at the source there are a couple of other key things that we can look at that kind of explain this is Grafana, and I'm going to show you what that all means in just a bit. But at first glance you want to kind of know, okay, if I query this website, and let's do this on the screen, there's different ways you can identify it, and I want to walk you through the manual process before we walk into Shodan, Google dorking and that sort of stuff.

So first of all, if you make a request to just the web root itself, it's going to come back and say "hey, there's a Location being sent to /login". This is really not a fingerprint for Grafana, tons of different applications could do this, but if it's hosted on port 3000 and it redirects to /login, there's a big chance that this could be a Grafana instance. So port 3000 is a big one, but also the Location header right here could also indicate that potentially there's a Grafana instance here. Now let's send a request to /login, and say we actually follow the redirect, and if we look at the source of this, obviously the Grafana title is a big one, I mentioned that earlier. And then also if you're using stuff like meg where you get to save the entire HTTP request, it could be meg, it could be httpx, any of those tools that save the output of the request, you can actually also fingerprint and grep for this file right here to make sure that in the response of the request you made to this web browser this file existed, and if obviously it exists then you will know that this is a Grafana instance. I want to talk about these because I understand there are templates for nuclei, there is Shodan, there's all these different tools you can use, but it doesn't hurt to know what makes this unique, what are some ways to identify this thing on your own before you start using those tools. Again, tools are great but it's better when you know how to use them first.

So now we're going to jump into Shodan. So one of the easiest ways to do this is obviously Shodan. What you're going to do is you can look for the title that says Grafana, that's going to be a very easy one. You can just see all these different ones that are hosted on there. Again, please don't test these out without consent or without a bug bounty program or a vulnerability disclosure program. We can also go as far as identifying a hostname, so for example if you are looking for Verizon Media itself you can type in yahoo.com, and if there's a Grafana it would come up. So again you can do hostname like this and put Grafana in there as well and it will come up. You can also fingerprint based on the favicon, so if you click on this it gives you the hash, and you can do something like org is Yahoo, for example, and if that hash exists it will bring it back. Obviously Amazon is a big one, but again this is Amazon as a service provider, not Amazon as a company, so these could be their customers, but I just kind of wanted to show that you can do that based on your organization itself. So again, maybe you can do Red Bull in here, if Red Bull had one that will come up, and so on.

Another thing you can do is, if you have been doing bug bounty for two years and you already have historic data, let's say you have collected all this data on all these different organizations and you've saved them, every domain, every subdomain you've ever found is saved somewhere on your box, what you can do is a couple of things. One is I would port scan for port 3000 and see which ones are open, even if it doesn't mention Grafana in the subdomain. The second thing I would do, which makes sense with what I just said, is actually grepping for the keyword grafana. So every subdomain that has the keyword grafana in it, or maybe dashboard in it, analytics, stuff like that, and see what comes up, looking at it and, based on the fingerprints that we wrote, seeing whether or not Grafana is hosted on there.

So now that we all know all this, I'm going to create a list of different random subdomains and put one Grafana instance in there, and we're going to use one of the tools that I have, I think I'm going to use httpx for this example, and see how I can identify that one instance in a list of 20 random subdomains. So let's look at it really quick. So I have a bunch of different domains in this, and I understand these are all fake, but I'm purposely doing a bunch of different random domains, obviously the outcome doesn't matter, we're just going to use this example list to identify this one that we know is Grafana, but we're going to assume that we don't know which one of these is hosting Grafana. So we're going to open it up, we're going to read it, and we're going to feed this to httpx, and we're going to use the -srd option. This will tell it to save the outputs of this HTTP request into a folder, so we're going to call it httpx, so that means when you make a request I want you to also save the output of that request into this folder, and we're just going to run it as it is. So right now we have done all of these, it's made a request to all of them, and if we make a list we'll see that httpx has some stuff in it. We're going to go in here and there's nothing in there, that's fantastic.

All right, so what we're going to do is we're going to take a look at some of these hosts that I've put together. So in this case you can see I have a ton of domains, again I understand that some of these don't make sense for this example, but the point is to kind of show you how you can identify a particular thing in a list of domains and subdomains, and that thing we're looking for right now obviously is Grafana. So what we're going to do is we're going to read our file and we're going to pipe it into httpx, and we're going to tell httpx to scan for ports 443 and 3000, and we're going to use the flag -sr, that means to save the response for each request, and we're also going to use this flag, -fhr, which is follow host redirects, just in case we hit the login. It's going to be redirected to the login, and we want to make sure we follow it. So we're going to send this request really quickly, and what this will do... let's see, what did I do wrong? It looks like I used the wrong flag, so we're going to do this one instead, and let's see where this goes. Hopefully this one works and we can see the outcome of all these requests, especially those that have followed their host redirects as well.

So let's give it a sec, let's look at the outputs folder, and we're going to specifically look at the one that we know is vulnerable. I just want to make sure it worked, and as you can see this is what it looks like. Again, I know that I'm cheating and showing you that this is here, but let's just say that there are thousands of files and now we want to identify all the ones that have Grafana in them. So as you remember earlier when I said if we do a curl to this, so this is our instance, if we make a curl request to it, this is what the request is going to send back, and one of the things that we were looking at was this specific file. So what we're going to do is we're going to say "hey, I want to read all the files in this folder and grep for this". And again you can just do grep, the string that you're looking for, and all the files in there, but since I'm explaining things I'm going to break down the commands one by one. So you cat all the files in there, grep for the specific one, and this comes back, and of course we can also use the, let me see, -r flag, I should say, and the file's name right here. As you can see it says this file has this exact string in it, and this will tell us that this file right here is the one that contains the host. So it says this is the hostname for it, and it has the Grafana fingerprint that we've given it, and it indicates that there is a Grafana instance in here that we could take a step further and actually exploit with the vulnerability.

All right, we've done all this, I know it took us so long to get here, but now let's look at the vulnerability itself, and we're going to bring this whole thing back together and wrap it up into the whole package on how you can actually exploit all these. So the one that I believe tells us the path traversal requires you to go to the plugins folder, give it a plugin that exists, based on what I understand, and then you're going to traverse out of that folder and read whatever file you want. So lucky for us I have a Grafana instance ready.

All right, so what we're going to do over here is we're going to go to the plugin section and we're going to look at the list of all these plugins. Again, all these plugins that you can see on the screen were installed by default as soon as you spin up a new Grafana instance, and you can get the path for it by clicking on each one. So this one is plugin alert list, this one is annotations list, and so on. So everything you click on has its own name, and you want to make sure you make a note of every single one of these, just in case the first one is disabled. For example, if a company has disabled alert list but has annotations list, you want to make sure you have that in your tool build so you can actually test against every single one of these and find one that the company has not disabled and exploit it for this vulnerability. So what I'm going to do is I'm going to go back here. Before this video I actually created all these, let's go back again one more folder, I've created all of these ones. I think I found this on a GitHub repo, I'll make sure to link it down below in the description if you want to look at it, but these are the different paths that I found. Again, you can make a list of them based on going into Grafana itself, pulling up a repository on GitHub that has a Grafana install, whatever it is you can get your hands on that gives you the link to it. You want to add public in the plugins name right here, and then the exploit that you want to use is, we want to read the /etc/passwd file and see where this goes.

Okay, so now that we know how the vulnerability works and we have the paths that we need, let's go ahead and look at this vulnerability on the instance I've created. So what I'm going to do is I'm going to turn on my proxy on Burp, I'm going to refresh this page, and we're going to send this to Repeater. Now we're going to go to our other folder right here, I'm going to look at these paths, I'm going to just try one of them and see if it works. If it does work then we know this is a vulnerable instance. So let's copy paste this here, I'm going to send this request, let's fix our request completely, and we're going to send this, and as expected this has come back and given us the contents of /etc/passwd. Again, if you're not sure whether or not this exists, let's say hypothetically this comes back and says "hey, this doesn't exist", so I'm just going to give it an invalid name, it's going to come back and say "plugin not found". What we can do is we can go here and send this to Intruder. I'm going to go to Intruder and we are going to paste all of our payloads, and we're going to go to our positions. So let's say you have already identified Grafana, you're not mass scanning everything for it, it's just one instance you have found and you want to exploit it, we're going to just do that here and add this. So what we're doing here is we're saying "hey, all the stuff that I have in my payloads, I want you to put it right here instead of this web root and scan for it". So we're going to start our attack, and as you can see there are some errors, not sure why. Looks like we actually need to disable an option, disable our encoding, so right here you go to Payloads, you want to make sure you have this disabled. I'm going to try this one more time, go to Intruder and start attack, and now we can see there are some that are coming back 404. So let's just sort them out. There are two that are coming back 404, I don't have alert groups and the canvas plugin apparently, which was in the list that I found online, which I'll link again down below in the description. But the other ones that are vulnerable, you can see it came back with a 200, and every single one of them is displaying the file that I wanted to look for. Cool, now we know how the exploit works, we know what Grafana looks like. Okay, now we know how the exploit works, how to look for it, how to identify Grafana, and now we're going to bring this whole thing together using meg.

Again, you can use other tools like nuclei, they're great, but because of the fact that I have created this automation thing for myself where there's a bunch of different things I rely on meg for, for this to work, so again you don't have to use meg, but I'm going to show you how I use meg to identify a vulnerable instance. So what we're going to do is we're going to tell meg "hey, I have a list of potential hosts that are Grafana", so this is after you have identified all your Grafana instances. You're going to tell meg "hey, these are the paths that we have and I want you to run every single one of those against the host file", and again these could be potentially all the different Grafana instances that you have collected and identified using the steps that I've shown earlier, and now we're going to scan for it. So now that it's done, we're going to take a look at the output folder for meg. This is what it looks like: if you actually look at the out/index file it will show you the request for each one and the results for it. So again this is coming back and saying "hey, this was 200, 404, 400" and so on. So what we can do with this information is we can actually look for ones that come back with 200, okay, oops, one more time, and these are all the files, and you can cut it up and take this portion of it. So we can do something like cut with -d and -f1 which gives us the folder where it's saved, and then we can feed it to xargs and have it read every single one and grep for the contents of the /etc/passwd file. Luckily I have created this command right here, I'm going to show you really quickly. This does the exact thing that I described: what it does is you give it a status code, so in this case I'm looking for status code 200, and whatever fingerprint you're looking for. So again you can also use this for fingerprinting things using meg, but in this case I want to look for the keyword root because I'm expecting root to be in the /etc/passwd file, and that's going to give us the output of all these different requests that it's made, and obviously it's saying "hey, this is one of the folders or one of the hosts that's vulnerable out of all these different ones that we've scanned". So again, I know that this is not a whole lot, it's an example, but if you actually open one of these you can see that the /etc/passwd file is also in there.

So now that we have talked about how to use meg, what we can do is... nope, that's it, and that's it, right. So this is what I would do if I was looking for this one. One, remember you can't expect to get paid, this is still considered a 0-day, a lot of organizations may not be ready to pay for it while some others may actually accept and pay for it. Two, what I would do is go through a list of all the subdomains I have and find the ones that are Grafana using what I just showed, fingerprint for it, use httpx, dump all of the outputs of the HTTP requests into a folder, grep for it, make a list of potential Grafana instances, and then feed it to meg and have it scan for those particular endpoints and see which ones come back as vulnerable, and then report it. Maybe you'll be a dupe, maybe it'll be a valid finding, or maybe the company is going to come back and say "hey, we're currently not accepting this vuln type and we're not going to pay for it".

All right, if you liked this video do me a favor, drop a like, hit that subscribe button, but also leave me a comment, let me know if you learned something new, if you want me to make more videos like this, if you learned a new technique, whatever it is, let me know if you liked it. I want to know what kind of videos to make for you guys, but until the next video, thanks for watching and I'll see you in the next video. Peace.

Is that the mic right here? Oh, the mic is in the camera this whole time. Just a tiny bit, I can crop it out, but it's going to be cropped out to here. Bro, look, the mic is right here. Come down a little bit. Now drop me a like and subscribe, tell me what you think. Are you, are you for real right now? Is this a joke?
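The video describes the traversal from the hunter's side: a request under /public/plugins/<plugin>/ that climbs out of the plugin directory, answered with 200 and the file when the plugin id exists and 404 ("plugin not found") when it does not. The added example below, which is not code from the video, turns that into a defender's check over reverse-proxy access logs; the log lines and plugin ids are constructed for the example.

```python
"""Flag CVE-2021-43798-style traversal attempts in access logs in front of Grafana.

Added defender-side example, not code from the video: the traversal described above
lives under /public/plugins/<plugin>/, so any request whose decoded path climbs back
out of that directory deserves an alert. Log lines and plugin ids are constructed.
"""
import re
from urllib.parse import unquote

# Constructed reverse-proxy log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 3100
203.0.113.10 - - [13/Dec/2021:10:01:05 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 2200
198.51.100.7 - - [13/Dec/2021:10:02:11 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1453
198.51.100.7 - - [13/Dec/2021:10:02:12 +0000] "GET /public/plugins/annolist/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1453
198.51.100.7 - - [13/Dec/2021:10:02:13 +0000] "GET /public/plugins/nosuchplugin/../../etc/passwd HTTP/1.1" 404 42
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)
PLUGIN_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$")


def decode_path(raw: str) -> str:
    """Drop the query string and percent-decode until stable, so ..%2f and
    double-encoded %252e%252e both collapse to literal dots and slashes."""
    prev, cur = None, raw.split("?", 1)[0]
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def classify(raw_path: str):
    """Return (plugin, levels_up) if the path escapes its plugin directory, else None."""
    m = PLUGIN_RE.match(decode_path(raw_path))
    if not m:
        return None
    depth = lowest = 0
    for seg in m.group("rest").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1   # '..' that stays inside the plugin dir is harmless
        lowest = min(lowest, depth)
    return (m.group("plugin"), -lowest) if lowest < 0 else None


def scan_log(text: str) -> list:
    """Return the traversal attempts found in the log. A 200 means the plugin id
    existed and the file was served; a 404 is Grafana's 'plugin not found'."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        verdict = classify(m.group("path")) if m else None
        if verdict:
            hits.append({"ip": m.group("ip"), "plugin": verdict[0], "levels_up": verdict[1],
                         "status": int(m.group("status")), "path": decode_path(m.group("path"))})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} plugin={h['plugin']} up={h['levels_up']} status={h['status']} {h['path']}")
```

Because the check works on the decoded path rather than a literal `../` substring, it also catches the URL-encoded variants that a simple grep misses.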
Info
Channel: Nahamsec
Views: 2,319
Keywords: bug bounty, recon, hacking, ctf, oscp, STOKfredrik, thecybermentor, defcon, tryhackme, metasploit, zseano, bug bounty methodology, bug bounty hunting, pentest, red team, nahamsec, nahamcon, bug hunter, hacker, hackerone, bugcrowd, synack, owasp, owasp top 10, ethical hacking, live recon, nahomie, nahomies
Id: EeTTfjNFJUU
Length: 19min 7sec (1147 seconds)
Published: Mon Dec 13 2021