Detecting a New Grafana Exploit in Go

by ITECHNEWS
December 13, 2021
in Opinion

The Grafana team acted quickly and responsibly to patch this vulnerability and issued upgrade guidance to their users. In this write-up we explain how automated tools can detect this same type of vulnerability in custom applications. We would like to compliment the Grafana team on their handling of this issue.

What is Grafana

Grafana is an operational dashboard for rendering large amounts of data quickly, showing both real-time and historical information. It is commonly used in system monitoring and Site Reliability Engineering for its ability to display data and allow deeper drill-downs at whatever level the team needs. Grafana is a well-known member of the Cloud Native Computing Foundation.


How The Vulnerability Works

The vulnerability arises from untrusted data making its way to the file APIs.

1.  Data enters Grafana through the URL, which is controlled by a remote user. The exploit starts in pkg/macaron/macaron.go, a middleware component for request handling. The macaron middleware is the source where data enters the application from a remote user. It gets here via an API endpoint meant to load an asset (image, JS, etc.) for one of Grafana's many plugins.

    macaron.go

        // ServeHTTP is the HTTP Entry point for a Macaron instance.
        // Useful if you want to control your own HTTP server.
        // Be aware that none of middleware will run without registering any router.
        func (m *Macaron) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
                req.URL.Path = strings.TrimPrefix(req.URL.Path, m.urlPrefix)
                m.Router.ServeHTTP(rw, req)
        }

2.  Grafana looks at the URL (req.URL.Path) to determine which plugin contains the asset and which asset is being requested. The untrusted remote data is trimmed, concatenated, and reassigned to other variables.
    a.  Plugins are common in Grafana because they enable it to understand complex data.

3.  Later on, this untrusted data reaches the filesystem Open method (os.Open), giving the remote user control over which file is accessed.

    func (hs *HTTPServer) getPluginAssets(c *models.ReqContext) {
        pluginID := web.Params(c.Req)[":pluginId"]
        plugin, exists := hs.pluginStore.Plugin(c.Req.Context(), pluginID)
        if !exists {
            c.JsonApiErr(404, "Plugin not found", nil)
            return
        }

        // requestedFile comes from the wildcard part of the URL, i.e. from the remote user
        requestedFile := filepath.Clean(web.Params(c.Req)["*"])
        pluginFilePath := filepath.Join(plugin.PluginDir, requestedFile)

        if !plugin.IncludedInSignature(requestedFile) {
            hs.log.Warn("Access to requested plugin file will be forbidden in upcoming Grafana versions as the file "+
                "is not included in the plugin signature", "file", requestedFile)
        }

        // It's safe to ignore gosec warning G304 since we already clean the requested file path and subsequently
        // use this with a prefix of the plugin's directory, which is set during plugin loading
        // nolint:gosec
        f, err := os.Open(pluginFilePath)

        //…

An automatically generated diagram of the application's data flow shows this vulnerability. The diagram was produced when the Contrast Go agent, running inside the application, detected and reported the vulnerability.

One interesting point is that the vulnerable value passes through filepath.Clean. This method does not sanitize data for security; it simplifies the path lexically, removing things like repeated slashes and resolving parent (../) references that sit inside the path. It does not remove leading ../ segments from a relative path, so after filepath.Join the result can still point above the plugin directory.

How Contrast Shows the Vulnerability

The vulnerability appears as a Path Traversal flaw, with a full stack trace showing how the tainted data was traced through the code.

[Screenshot: "Path Traversal from ..." finding with its stack trace]
What the Agent Sees under the hood

The agent works inside the Go application, with visibility similar to what an Application Performance Monitoring (APM) tool or a debugger has. A rendered version of this understanding, exported as a DOT file, shows the vulnerable code flow without the vulnerability having to be exploited. This type of integrated testing can help developers locate similar issues in their own applications without dedicated security expertise.
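To make two points above concrete, the filepath.Clean behaviour and the idea of catching this class of flaw in an integrated test, here is an added example. It is not code from the article, from Grafana or from Contrast: a small asset handler built once with the Clean-then-Join pattern of the Grafana snippet and once with a hardened join, exercised through net/http/httptest against a constructed directory layout. The /assets/ route prefix, the helper names, the file layout and the hardened check (a common filepath.Rel idiom, not Grafana's actual fix) are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path lies outside the served directory.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// vulnerableJoin mirrors the Clean-then-Join pattern of the Grafana snippet above.
// filepath.Clean collapses "x/../y" but keeps a leading "../", so Join still climbs above base.
func vulnerableJoin(base, requested string) (string, error) {
	return filepath.Join(base, filepath.Clean(requested)), nil
}

// safeJoin is a hypothetical hardened variant: join first, then confirm with
// filepath.Rel that the result is still inside base.
func safeJoin(base, requested string) (string, error) {
	joined := filepath.Join(base, requested) // Join cleans the combined path
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// newAssetHandler serves files below assetDir for the assumed route prefix "/assets/".
func newAssetHandler(assetDir string, join func(base, requested string) (string, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := join(assetDir, strings.TrimPrefix(r.URL.Path, "/assets/"))
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		f, err := os.Open(p) // the sink: a request-controlled path reaches the file API
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		defer f.Close()
		_, _ = io.Copy(w, f)
	})
}

// setupAssets creates a constructed layout: <tmp>/secret.txt outside the served
// directory and <tmp>/plugins/logo.svg inside it.
func setupAssets() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		return "", nil, err
	}
	assetDir := filepath.Join(tmp, "plugins")
	err = os.Mkdir(assetDir, 0o755)
	if err == nil {
		err = os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("SECRET"), 0o600)
	}
	if err == nil {
		err = os.WriteFile(filepath.Join(assetDir, "logo.svg"), []byte("<svg/>"), 0o600)
	}
	if err != nil {
		os.RemoveAll(tmp)
		return "", nil, err
	}
	return assetDir, func() { os.RemoveAll(tmp) }, nil
}

// probe sends one request straight to the handler (no ServeMux, which would clean
// the path on its own) and returns status code and body.
func probe(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

// runScenario serves the layout with the vulnerable or the hardened join and returns
// the status for a legitimate asset plus status and body for a "../" request.
func runScenario(hardened bool) (assetStatus, traversalStatus int, traversalBody string, err error) {
	assetDir, cleanup, err := setupAssets()
	if err != nil {
		return 0, 0, "", err
	}
	defer cleanup()
	join := vulnerableJoin
	if hardened {
		join = safeJoin
	}
	h := newAssetHandler(assetDir, join)
	assetStatus, _ = probe(h, "/assets/logo.svg")
	traversalStatus, traversalBody = probe(h, "/assets/../secret.txt")
	return assetStatus, traversalStatus, traversalBody, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		a, t, body, err := runScenario(hardened)
		fmt.Printf("hardened=%v asset=%d traversal=%d body=%q err=%v\n", hardened, a, t, body, err)
	}
}
```

The vulnerable handler answers the "../" request with 200 and the contents of secret.txt, the hardened one with 403; the legitimate asset is served by both. A check of this shape belongs in the handler's own test suite, where it fails the build as soon as someone reintroduces the Clean-then-Join pattern. The probe bypasses http.ServeMux on purpose: the mux canonicalises paths with ".." by redirecting, which hides the flaw from tests even though a raw handler or a router that does not clean paths would still reach the sink.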

[Figure: rendered DOT graph of the data flow the agent observed]

Finding Your Own Custom Flaws

The Grafana vulnerability shown here has an assigned CVE, with a proof-of-concept exploit available in the wild. Many organizations that develop custom software cannot wait for a full CVE process before patching and must find their own vulnerabilities.

Organizations can find similar OWASP-type vulnerabilities in their own custom code by running the Contrast agent in their Go test environment.
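Agent-based detection finds the flaw in code before it is exploited; a complementary check on the operations side is to look for traversal attempts in request logs. The following is an added example, not Contrast's method or code and not anything from the article: it scans constructed access-log lines for a ".." segment after percent-decoding, so that encoded and double-encoded variants are counted alongside plain ones. The log format, the client addresses (documentation ranges) and the /assets/plugin/ route prefix are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding records one logged request whose path contains a ".." segment once decoded.
type Finding struct {
	LineNo  int
	Client  string
	Decoded string
	Encoded bool // the ".." only appeared after percent-decoding
}

// decodeFully percent-decodes repeatedly (bounded to three rounds) so that a
// double-encoded "%252e%252e" is compared as ".." just like a plain one.
func decodeFully(p string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return p
}

// hasDotDotSegment reports whether any slash- or backslash-separated segment is "..".
func hasDotDotSegment(p string) bool {
	for _, seg := range strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// scanAccessLog takes lines in the constructed form "client method path status" and
// returns one Finding per request whose decoded path carries a ".." segment.
func scanAccessLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		raw := f[2]
		decoded := decodeFully(raw)
		if hasDotDotSegment(decoded) {
			out = append(out, Finding{
				LineNo:  i + 1,
				Client:  f[0],
				Decoded: decoded,
				Encoded: !hasDotDotSegment(raw),
			})
		}
	}
	return out
}

// sampleLog is constructed for this example; the /assets/plugin/ route prefix is an
// assumption, not Grafana's real route.
var sampleLog = []string{
	"198.51.100.7 GET /assets/plugin/demo/logo.svg 200",
	"198.51.100.7 GET /assets/plugin/demo/../../../private/app.conf 200",
	"203.0.113.9 GET /assets/plugin/demo/%252e%252e/%252e%252e/README 200",
	"203.0.113.9 GET /assets/plugin/demo/img/../logo.svg 200",
	"192.0.2.4 GET /api/health 200",
}

func main() {
	for _, f := range scanAccessLog(sampleLog) {
		fmt.Printf("line %d client %s encoded=%v path=%s\n", f.LineNo, f.Client, f.Encoded, f.Decoded)
	}
}
```

The scanner flags three of the five constructed lines: the plain "../" request, the double-encoded one (which a single decoding pass would miss), and the "img/../logo.svg" request that stays inside the directory. The last one is still worth surfacing, since a well-formed client has no reason to send ".." at all, and a cluster of such requests from one address is a cheap early signal even when every one of them was served a 200.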
