
From open redirect to plugin-based takeover
Based on the PoC shared by Ox Security, exploitation relies on a clever combination of client-side path traversal and open-redirect behaviour in Grafana's static handler, the component responsible for serving static files such as HTML, CSS, JavaScript and images to the user.
A crafted link can be prepared for the victim that takes them to a malicious domain. Once there, users are tricked into loading an unknown, malicious Grafana plugin, without the attacker needing editor or administrator rights.
Once the plugin is loaded, it runs attacker-controlled JavaScript in the victim's browser, potentially enabling session hijacking, credential theft, forged administrator logins and dashboard modification.
Additionally, a server-side request forgery is possible, which can be abused for a full-read SSRF. "This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect for a full-read SSRF," said the Grafana advisory. Upgrading to the fixed Grafana versions is recommended to fully mitigate the issue against N-day attacks.
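As an added defensive illustration, not code from the article, from Ox Security or from the Grafana project: a Go validator for a user-supplied redirect target that refuses the two ingredients of this bug class, an off-origin (absolute or scheme-relative) destination and a traversal segment, before a static handler ever issues a redirect. The function name, the error value and the sample inputs are assumptions made for this example.

```go
package main

import (
	"errors"
	"net/url"
	"path"
	"strings"
)

var ErrUnsafeRedirect = errors.New("unsafe redirect target")

// SafeLocalRedirect validates a user-controlled "redirect to" value and returns a
// normalised same-origin path. Hypothetical helper for this article, not Grafana's
// code. It rejects absolute and scheme-relative URLs ("//evil.example", open
// redirect), backslashes (some browsers treat "/\" like "//"), ".." segments raw
// or percent-encoded (path traversal), and control characters (header splitting).
func SafeLocalRedirect(raw string) (string, error) {
	// Decode once so "%2e%2e" and "%5c" are seen by the checks below.
	decoded, err := url.PathUnescape(raw)
	if err != nil || decoded == "" {
		return "", ErrUnsafeRedirect
	}
	for _, r := range decoded {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", ErrUnsafeRedirect
		}
	}
	u, err := url.Parse(decoded)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "", ErrUnsafeRedirect
	}
	// Must be an absolute path on this origin; "//" would be scheme-relative.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", ErrUnsafeRedirect
	}
	// Refuse traversal outright rather than silently normalising it away.
	if strings.Contains("/"+u.Path+"/", "/../") {
		return "", ErrUnsafeRedirect
	}
	clean := path.Clean(u.Path)
	if u.RawQuery != "" {
		clean += "?" + u.RawQuery
	}
	return clean, nil
}
```

Rejecting traversal instead of cleaning it keeps a log trail of attempts, which is the signal a detection rule on the redirect endpoint would key on.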

