[CVE-2020-11110] What really happened in Grafana code?


About the CVE there is an Exploit written by @
serWazito0, and Ahmed Sherif who found the finding.

So there is an Exploit so what we will do in this blog?? No, I like coding and code review so I downloaded the vulnerable version from here and start searching for the vulnerable parts of the code.

The exploit sending a payload to an endpoint called [/api/snapshots] after some search in the project files I found file [ShareSnapshotCtrl.ts] in this path [grafana-6.2.5\public\app\features\dashboard\components\ShareModal] and btw it is written in TypeScript. After reading the [ShareSnapshotCtrl] file you can notice that it control the JSON Body of the POST request which vulnerable, our scope is [originalUrl] parameter


Now we know where is the parameter, what is next? the endpoint is creating a Key and to execute the vulnerability we open the link from the response which send get request to this endpoint [dashboard/snapshot/KEY] after taking a look at the routes it takes this syntax


when is a method $routeProvider which used to configure routes, templateUrl used to link the template file which will be used with this route, the controller accepts the function which called when this route is called.

when we send the request to the endpoint with the XSS payload it will create a snapshot Key and will call the endpoint to display the snapshot information using the key, the display endpoint will call the template and will pass the parameters and one of these parameters have our XSS payload.

Maybe this blog is not very useful but I wanna share what I did and maybe I will share something useful in the future.

Follow me on

Twitter: @flex0geek

Comments

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

Lets Analysis STM32F103 Chip Firmware from Attify