Splunk Search

Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

umeshagarwal008
Explorer

Overview On March 4, 2019, researchers at ‘Exploit DB’ have identified a vulnerability in Splunk Enterprise and successfully created an exploit too. This vulnerability, upon exploitation, can enable attacker to use custom apps command lines, modify and execute commands remotely. Not much details are available on this vulnerability yet.

Severity: Severe
Release Date: March 4, 2019
Target: Splunk Enterprise 7.2.4 on Windows Platform (Older versions might be vulnerable)
Discovered By: Exploit DB researchers
CVE ID: No CVE ID yet

Technical detail An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application. Exploitation is possible due to improper input validation.

References
https://www.exploit-db.com/exploits/46487
https://packetstormsecurity.com/files/151968/splunkent724-exec.txt
https://www.securityfocus.com/bid/107292/solution

I came across this information and wanted to check if anyone have validated the same and fould a solution.

Any kind of help will be really helpfull.

Tags (1)
0 Karma

gjanders
SplunkTrust
SplunkTrust

As per Chris's comment most Splunk versions have this feature, there is also mention of the ability to gain root access, however that can only happen if you are running Splunk as root which is not best practice.

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

"Exploits" like this turn up from time to time. The exploit requires admin credentials to Splunk and it uses the app-upload feature. It is by design that uploading apps can run python and other executables which can do anything.

As a Splunk admin you should always be careful about any app you install into your environment, becuase it will gain the ability to run with the same operating system permissions that Splunk is running as. - So never run splunk as "root" user.

Here is a good blog post of recommendations for securing your Splunk instance: https://www.splunk.com/blog/2016/07/10/best-practices-in-protecting-splunk-enterprise.html

nickhills
Ultra Champion

I saw this too, and it made me laugh.
This is actually a rehashed 'exploit' from a few versions back which someone has dusted off and re-released with a new version number in the report.

As Chris says, this is no more an 'exploit' than me saying "CRITICAL WINDOWS VULNERABILITY : A user with admin credentials can create users" 🙂

The warning above is however valid, admins should protect their credentials and never blindly install apps without verifying there is nothing of malice included in it.

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...