exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Splunk 4.3.3 Arbitrary File Disclosure

Splunk 4.3.3 Arbitrary File Disclosure
Posted Sep 4, 2012
Authored by Marcio Almeida

Splunk versions 4.3.3 and below suffer from a remote file content disclosure vulnerability.

tags | exploit, remote, info disclosure
SHA-256 | 737362e29764e6020d443a9b8f693009443a75bfc883660904f7cc7717a2b66d

Splunk 4.3.3 Arbitrary File Disclosure

Change Mirror Download
=================================================================

- Release date: September 3rd, 2012
- Discovered by: Marcio Almeida of CIPHER Intelligence Labs
- Severity: Medium
- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)

=================================================================

I. VULNERABILITY
-------------------------

Splunk <= 4.3.3 Reading Arbitrary Files Contents

II. BACKGROUND
-------------------------

Splunk[1][2][3] is a software to search, monitor and analyze
machine-generated data by applications, systems and IT infrastructure
at scale via a web-style interface.[4] Splunk captures, indexes and
correlates real-time data in a searchable repository from which it can
generate graphs, reports, alerts, dashboards and visualizations.[5][6]

Splunk aims to make machine data accessible across an organization and
identifies data patterns[7], provides metrics, diagnoses problems and
provides intelligence for business operation. Splunk is a horizontal
technology used for application management, security and compliance,
as well as business and web analytics.[8] Splunk has over 3,700
licensed customers in 74 countries, including almost half of the
Fortune 100.[9]

III. INTRODUCTION
-------------------------

Splunk 4.3.3 and prior versions has "Data Preview" functionality located at:

"Manager >> Data Inputs >> Files & Directories >> Data Preview"
which allows an authenticated user to read the content of arbitrary
files on the server it is running.

IV. PROOF OF CONCEPT
-------------------------

1 - Go to the screen of functionality located at "Manager >> Data
Inputs >> Files & Directories >> Data Preview".
2 - Insert the path to file into "Path to file on server" field.
3 - Click on “Continue”.
4 - See the content of file.

The following screenshots illustrate reading the contents of /etc/shadow:

Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/

Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/

V. BUSINESS IMPACT
-------------------------

An authenticated attacker with admin privileges on splunk could
exploit the vulnerability to retrieve the contents of any sensitive
files in the server accessible by the operating system user the splunk
service is running as. If splunkd is running as root user, the
attacker can read the content of any file in the server, including
/etc/shadow and other sensitive configuration files. Thus, being an
admin in the splunk UI allows an attacker to obtain information that
may lead to escalation of privileges on the operating system where
splunk is installed.

The vendor was notified of this behavior, and declared not to consider
it either a defect or a vulnerability.

VI. SYSTEMS AFFECTED
-------------------------

Version 4.3.3 and prior versions are vulnerable.

VII. SOLUTION
-------------------------

N/A.

VIII. DISCLOSURE TIMELINE
-------------------------

7/27/12 - Vulnerability discovered.

8/3/12 - Vendor Contacted.

8/3/12 - Vendor Response "we don't consider this behaviour a design
defect or vulnerability".

8/3/12 - Vendor informed about full disclosure in some days.

9/3/12 - Full disclosure


IX. REFERENCES
-------------------------

[1] http://management.silicon.com/itpro/0,39024675,39157789,00.htm
[2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.
[3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and
Hardware Devices. Syngress. ISBN 1-59749-267-1.
[4] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
[5] http://online.wsj.com/article/SB125237153923891221.html Start-Ups
Aim to Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal,
September 08, 2009 [6]
http://www.citoresearch.com/content/business-intelligence-and-data-center
[7] Central, CIO. Forbes.
http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-marketers/.
[8] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
[9] http://venturebeat.com/2011/02/08/splunk-seattle-office-opens/


X. CREDITS
-------------------------

The vulnerability has been discovered by Marcio Almeida
(marcio.macedo@ciphersec.com.br) of CIPHER Intelligence Labs
(www.ciphersec.net).

XI. GREETINGS
-------------------------
To Rodrigo Salvalagio rsalvalagio@gmail.com for support during this process.


XI. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. I
accept no responsibility for any damage caused by the use or misuse of
this information.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close