Hey Team!
I have reported the following vulnerability (along with details on how it can be further escalated) directly to Grafana. While Grafana and I are currently coordinating a more comprehensive fix, they've recommended that I also report this issue in parallel to the plugin repository.
The following describes how a user in one organization is able to escalate his privileges to become a full system admin and gain control over all of the Grafana organizations by leveraging the Grafana SQLite plugin.
Step 1 - Set up initial env
- Go to "Connections" -> "Add new connection", search for the "SQLite" data source and install it.
- Go to "Administration" -> "General" -> "Organizations" and add a new organization called "FirstOrg"
- Go to "Administration" -> "Users and access" -> "Users" and create a user called 'first-user'.
- Make sure the "Grafana Admin" is set to "No"
- Add that user to the "FirstOrg" as "Admin" and remove it from the current organization.
- Log in with that user
Now, 'first-user' has access only to the resources in "FirstOrg", has no access to the "Main Org" (the default one), and has no access to any other organization that exists in this Grafana instance.
Step 2
- Go to "Connections" -> "Add new connection", search for the "SQLite" data source and click on "Add new data source"
- In the path section, put the path of the Grafana DB itself: `/var/lib/grafana/grafana.db`
- Go to Explore, switch to the `frser-sqlite-datasource` source and change the query to `select * from user`. We can see that we are able to query the Grafana DB itself.
Step 3 - become an admin
- We can elevate our privileges to be a "Grafana Admin" by updating the user table with the following query:
  `UPDATE user SET is_admin=true where login='firstuser'`
Now, by executing the following query, we will be able to validate that our user has been updated with Grafana admin privileges. Also, we are able to list all organizations and add ourselves as an admin to all existing organizations in this Grafana instance.
Impact
- An attacker with access to a single organization can elevate their privileges to become a Grafana Admin and take over all existing organizations in the Grafana instance.
- Also, by accessing the Grafana DB from a separate organization, the attacker can tamper with any data in Grafana (add/remove users, access tokens, SSO settings) and take over the entire Grafana instance.
Recommended solution
- Do not allow the plugin to interact with Grafana's own DB.
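One way a data source plugin can enforce that recommendation is to canonicalize the user-supplied path (following symlinks) and accept it only if it lies inside an administrator-configured directory and is not one of an explicit set of denied files such as Grafana's own database. The Go code below is an added example illustrating that check; it is not code from the frser-sqlite-datasource project, and the function names `ValidateSQLitePath` and `canonical`, the allowed-root setting and the sample paths are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathNotAllowed is returned for any path outside the allowed directory or
// matching a denied file. Name is hypothetical (example only).
var ErrPathNotAllowed = errors.New("sqlite path rejected: outside the allowed directory or a denied file")

// canonical returns an absolute, cleaned path. When the path exists, symlinks
// are resolved so a link placed inside the allowed directory cannot point at a
// file outside it. A missing file is fine (lexical path is used); any other
// resolution error fails closed.
func canonical(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	abs = filepath.Clean(abs)
	real, err := filepath.EvalSymlinks(abs)
	if err == nil {
		return real, nil
	}
	if os.IsNotExist(err) {
		return abs, nil
	}
	return "", err
}

// ValidateSQLitePath accepts a user-supplied data source path only if it
// resolves to a location strictly inside allowedRoot and is not one of the
// denied files (for Grafana, its own database). It returns the resolved path
// that should be opened, so the check and the open use the same target.
func ValidateSQLitePath(userPath, allowedRoot string, denied []string) (string, error) {
	resolved, err := canonical(userPath)
	if err != nil {
		return "", err
	}
	root, err := canonical(allowedRoot)
	if err != nil {
		return "", err
	}
	// Containment test: the relative path from root must not climb out of it
	// and must not be the root directory itself.
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathNotAllowed
	}
	// Explicit deny list as defence in depth, compared after canonicalization.
	for _, d := range denied {
		dc, derr := canonical(d)
		if derr == nil && dc == resolved {
			return "", ErrPathNotAllowed
		}
	}
	return resolved, nil
}

func main() {
	// Constructed sample values: an admin-configured data directory and the
	// Grafana database path from the report.
	allowed := "/var/lib/grafana/sqlite-datasources"
	denied := []string{"/var/lib/grafana/grafana.db"}
	for _, p := range []string{
		"/var/lib/grafana/sqlite-datasources/metrics.db",
		"/var/lib/grafana/grafana.db",
		"/var/lib/grafana/sqlite-datasources/../grafana.db",
	} {
		resolved, err := ValidateSQLitePath(p, allowed, denied)
		fmt.Printf("%-55s -> resolved=%q err=%v\n", p, resolved, err)
	}
}
```

The deny list alone is not sufficient, because the same file can be reached through `..` segments or a symlink created inside the allowed directory; that is why the check confines paths to a directory first and compares denied entries only after both sides have been canonicalized. Callers should open the returned resolved path rather than the original user string.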