topic Re: Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload. in Splunk Search

Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

umeshagarwal008 — Tue, 12 Mar 2019 13:57:25 GMT

Overview On March 4, 2019, researchers at ‘Exploit DB’ have identified a vulnerability in Splunk Enterprise and successfully created an exploit too. This vulnerability, upon exploitation, can enable attacker to use custom apps command lines, modify and execute commands remotely. Not much details are available on this vulnerability yet.

Severity: Severe
Release Date: March 4, 2019
Target: Splunk Enterprise 7.2.4 on Windows Platform (Older versions might be vulnerable)
Discovered By: Exploit DB researchers
CVE ID: No CVE ID yet

Technical detail An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application. Exploitation is possible due to improper input validation.

References
• https://www.exploit-db.com/exploits/46487
• https://packetstormsecurity.com/files/151968/splunkent724-exec.txt
• https://www.securityfocus.com/bid/107292/solution

I came across this information and wanted to check if anyone have validated the same and fould a solution.

Any kind of help will be really helpfull.

Re: Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

chrisyounger — Tue, 12 Mar 2019 14:28:40 GMT

"Exploits" like this turn up from time to time. The exploit requires admin credentials to Splunk and it uses the app-upload feature. It is by design that uploading apps can run python and other executables which can do anything.

As a Splunk admin you should always be careful about any app you install into your environment, becuase it will gain the ability to run with the same operating system permissions that Splunk is running as. - So never run splunk as "root" user.

Here is a good blog post of recommendations for securing your Splunk instance: https://www.splunk.com/blog/2016/07/10/best-practices-in-protecting-splunk-enterprise.html

Re: Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

nickhills — Tue, 12 Mar 2019 14:44:03 GMT

I saw this too, and it made me laugh.
This is actually a rehashed 'exploit' from a few versions back which someone has dusted off and re-released with a new version number in the report.

As Chris says, this is no more an 'exploit' than me saying "CRITICAL WINDOWS VULNERABILITY : A user with admin credentials can create users" 🙂

The warning above is however valid, admins should protect their credentials and never blindly install apps without verifying there is nothing of malice included in it.

Re: Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

gjanders — Tue, 12 Mar 2019 22:03:40 GMT

As per Chris's comment most Splunk versions have this feature, there is also mention of the ability to gain root access, however that can only happen if you are running Splunk as root which is not best practice.