
CVE-2018-15727 PoC — Grafana Security Vulnerability

Associated Vulnerability
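Title: Grafana Security Vulnerability (CVE-2018-15727)
Description: Grafana is an open-source monitoring tool that provides a visual monitoring interface. It is mainly used to monitor and analyze data sources such as Graphite, InfluxDB and Prometheus. Grafana contains a security vulnerability that stems from an attacker being able to generate a valid 'remember me' cookie using only an LDAP or OAuth username. An attacker can exploit this vulnerability to bypass authentication. The following versions are affected: Grafana 2.x, 3.x, 4.x before 4.6.4, and 5.x before 5.2.3.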
Description
MSF Module CVE-2018-15727
Readme
# CVE-2018-15727

Here I wrote an MSF module for [CVE-2018-15727](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727), which is an auth bypass for Grafana with LDAP/OAuth authentication enabled. It's already integrated in the [metasploit-framework](https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/grafana_auth_bypass.py). This module generates a remember me cookie for a valid username. Through improper seeding while user data is requested from LDAP or OAuth, it's possible to craft a valid remember me cookie. This cookie can be used to bypass authentication by anyone who knows a valid username.

## Vulnerable Versions

- 2.x
- 3.x
- 4.x before 4.6.4
- 5.x before 5.2.3

## References

- [@Sebastian Solnica](https://twitter.com/lowleveldesign?lang=en): Original discovery.
- [Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15727)
- [Grafana fix](https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/)

File Snapshot

[4.0K] /data/pocs/a031c4754b20cd40cff81c86ad779e34e3344227
├── [2.0K] grafana_auth_bypass.md
├── [7.1K] grafana_auth_bypass.py
└── [1020] README.md

0 directories, 3 files