
Splunk Enterprise version 7.2.4 custom application remote code execution exploit using a persistent backdoor with a custom binary payload.

umeshagarwal008
Explorer

Overview

On March 4, 2019, researchers at 'Exploit DB' identified a vulnerability in Splunk Enterprise and successfully created an exploit for it. This vulnerability, upon exploitation, can enable an attacker to use custom app command lines and to modify and execute commands remotely. Not many details are available on this vulnerability yet.

Severity: Severe
Release Date: March 4, 2019
Target: Splunk Enterprise 7.2.4 on Windows Platform (Older versions might be vulnerable)
Discovered By: Exploit DB researchers
CVE ID: No CVE ID yet

Technical detail

An attacker can exploit this issue to execute arbitrary code within the context of the user running the affected application. Exploitation is possible due to improper input validation.

References
https://www.exploit-db.com/exploits/46487
https://packetstormsecurity.com/files/151968/splunkent724-exec.txt
https://www.securityfocus.com/bid/107292/solution

I came across this information and wanted to check if anyone has validated the same and found a solution.

Any kind of help will be really helpful.

0 Karma

gjanders
SplunkTrust

As per Chris's comment, most Splunk versions have this feature. There is also mention of the ability to gain root access; however, that can only happen if you are running Splunk as root, which is not best practice.

0 Karma

chrisyounger
SplunkTrust

"Exploits" like this turn up from time to time. The exploit requires admin credentials to Splunk and it uses the app-upload feature. It is by design that uploading apps can run python and other executables which can do anything.

As a Splunk admin you should always be careful about any app you install into your environment, because it will gain the ability to run with the same operating system permissions that Splunk is running as. So never run Splunk as the "root" user.

Here is a good blog post of recommendations for securing your Splunk instance: https://www.splunk.com/blog/2016/07/10/best-practices-in-protecting-splunk-enterprise.html

nickhills
Ultra Champion

I saw this too, and it made me laugh.
This is actually a rehashed 'exploit' from a few versions back which someone has dusted off and re-released with a new version number in the report.

As Chris says, this is no more an 'exploit' than me saying "CRITICAL WINDOWS VULNERABILITY : A user with admin credentials can create users" 🙂

The warning above is, however, valid: admins should protect their credentials and never blindly install apps without verifying there is nothing of malice included in them.

If my comment helps, please give it a thumbs up!
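The two replies above make the same point: an uploaded app runs with the OS permissions of the splunkd user, so the real control is reviewing what an app package can execute before installing it. The following pre-install audit script is an added example written for this thread; it is not from the original posts, from Splunk, or from the Exploit DB entry. It opens an app package (.tgz/.spl) and lists every way the app can run code on the host: files under bin/ or with executable extensions, scripted inputs (script:// stanzas in inputs.conf), custom search commands (commands.conf stanzas with a filename), and alert-action stanzas in alert_actions.conf (each of which runs a script from bin/). It also flags archive members that would escape the app directory or are symlinks. The sample package it audits is constructed inline for the example; the app name, file names, and stanza names are invented.

```python
"""Pre-install audit of a Splunk app package (added example, not Splunk code).

Lists everything in a .tgz/.spl app package that would execute as the
splunkd OS user once the app is installed, so an admin can review it
before clicking "Install app from file".
"""
import configparser
import io
import posixpath
import tarfile
from collections import Counter

# Conf files (relative to the app root) whose stanzas point at executables.
# inputs.conf:        [script://...] stanzas are scripted inputs run on a schedule.
# commands.conf:      stanzas with "filename" are custom search commands (bin/<file>).
# alert_actions.conf: every stanza is an alert action that runs a script from bin/.
CONF_CHECKS = {}
for _scope in ("default", "local"):
    CONF_CHECKS[f"{_scope}/inputs.conf"] = lambda stanza, kv: stanza.startswith("script://")
    CONF_CHECKS[f"{_scope}/commands.conf"] = lambda stanza, kv: "filename" in kv
    CONF_CHECKS[f"{_scope}/alert_actions.conf"] = lambda stanza, kv: True

EXEC_SUFFIXES = (".py", ".sh", ".ps1", ".bat", ".cmd", ".exe", ".dll", ".so", ".pl")


def _parse_conf(text):
    """Parse a Splunk .conf file (INI-like) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive
    # Splunk allows keys before the first stanza; treat them as the implicit [default].
    cp.read_string("[default]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit_app(package_bytes):
    """Return a list of (kind, path, detail) findings for an app package."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = posixpath.normpath(m.name).split("/")
            # Members that escape the app directory would overwrite host files on extract.
            if ".." in parts or m.name.startswith("/"):
                findings.append(("path_traversal", m.name, ""))
                continue
            rel = "/".join(parts[1:])  # strip the top-level <appname>/ directory
            if m.issym() or m.islnk():
                findings.append(("link", rel, m.linkname))
            if not m.isfile():
                continue
            if parts[1:2] == ["bin"] or rel.lower().endswith(EXEC_SUFFIXES):
                findings.append(("executable_file", rel, ""))
            if rel in CONF_CHECKS:
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for stanza, kv in _parse_conf(text).items():
                    if stanza != "default" and CONF_CHECKS[rel](stanza, kv):
                        findings.append(("code_stanza", rel, stanza))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'executable_file': 2, 'code_stanza': 3}."""
    return dict(Counter(kind for kind, _, _ in findings))


def build_sample_app():
    """Construct a small app package in memory (constructed for this example)."""
    files = {
        "evilapp/default/app.conf": "[launcher]\nversion = 1.0\n",
        "evilapp/default/inputs.conf": "[script://./bin/collect.sh]\ninterval = 60\ndisabled = 0\n",
        "evilapp/default/commands.conf": "[runme]\nfilename = runme.py\n",
        "evilapp/default/alert_actions.conf": "[notify]\nalert.execute.cmd = notify.py\n",
        "evilapp/bin/collect.sh": "#!/bin/sh\nid\n",
        "evilapp/bin/runme.py": "import os\n",
        "evilapp/README": "harmless text\n",
        "../../etc/cron.d/x": "* * * * * root id\n",  # traversal member, should be flagged
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            data = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for kind, path, detail in audit_app(build_sample_app()):
        print(f"{kind:16} {path} {detail}")
```

Run it against a real package with `audit_app(open("app.tgz", "rb").read())`. Every finding is something that will run as the splunkd user (root, if Splunk is run as root, which is why the replies above say not to), so a package with findings should be read line by line, not installed on trust. A clean result means only that the package declares no code paths of these kinds; it does not prove the app is benign, since restmap.conf handlers, setup scripts and lookups can also carry code.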