148 lines
No EOL
4.9 KiB
Text
148 lines
No EOL
4.9 KiB
Text
# Exploit Title: Splunk <= 4.3.3 Reading Arbitrary Files Contents
|
||
# Date: 09/03/2012
|
||
# Exploit Author: Marcio Almeida (marcio.macedo@ciphersec.com.br)
|
||
# Vendor Homepage: http://www.splunk.com/
|
||
# Software Link: http://www.splunk.com/download?r=header
|
||
# Version: 4.3.3 and priors
|
||
# Tested on: Linux
|
||
|
||
=================================================================
|
||
|
||
- Release date: September 3rd, 2012
|
||
- Discovered by: Marcio Almeida of CIPHER Intelligence Labs
|
||
- Severity: Medium
|
||
- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)
|
||
|
||
=================================================================
|
||
|
||
I. VULNERABILITY
|
||
-------------------------
|
||
|
||
Splunk <= 4.3.3 Reading Arbitrary Files Contents
|
||
|
||
II. BACKGROUND
|
||
-------------------------
|
||
|
||
Splunk[1][2][3] is a software to search, monitor and analyze
|
||
machine-generated data by applications, systems and IT infrastructure
|
||
at scale via a web-style interface.[4] Splunk captures, indexes and
|
||
correlates real-time data in a searchable repository from which it can
|
||
generate graphs, reports, alerts, dashboards and visualizations.[5][6]
|
||
|
||
Splunk aims to make machine data accessible across an organization and
|
||
identifies data patterns[7], provides metrics, diagnoses problems and
|
||
provides intelligence for business operation. Splunk is a horizontal
|
||
technology used for application management, security and compliance,
|
||
as well as business and web analytics.[8] Splunk has over 3,700
|
||
licensed customers in 74 countries, including almost half of the
|
||
Fortune 100.[9]
|
||
|
||
III. INTRODUCTION
|
||
-------------------------
|
||
|
||
Splunk 4.3.3 and prior versions has "Data Preview" functionality located at:
|
||
|
||
"Manager >> Data Inputs >> Files & Directories >> Data Preview"
|
||
which allows an authenticated user to read the content of arbitrary
|
||
files on the server it is running.
|
||
|
||
IV. PROOF OF CONCEPT
|
||
-------------------------
|
||
|
||
1 - Go to the screen of functionality located at "Manager >> Data
|
||
Inputs >> Files & Directories >> Data Preview".
|
||
2 - Insert the path to file into "Path to file on server" field.
|
||
3 - Click on Continue.
|
||
4 - See the content of file.
|
||
|
||
The following screenshots illustrate reading the contents of /etc/shadow:
|
||
|
||
Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/
|
||
|
||
Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/
|
||
|
||
V. BUSINESS IMPACT
|
||
-------------------------
|
||
|
||
An authenticated attacker with admin privileges on splunk could
|
||
exploit the vulnerability to retrieve the contents of any sensitive
|
||
files in the server accessible by the operating system user the splunk
|
||
service is running as. If splunkd is running as root user, the
|
||
attacker can read the content of any file in the server, including
|
||
/etc/shadow and other sensitive configuration files. Thus, being an
|
||
admin in the splunk UI allows an attacker to obtain information that
|
||
may lead to escalation of privileges on the operating system where
|
||
splunk is installed.
|
||
|
||
The vendor was notified of this behavior, and declared not to consider
|
||
it either a defect or a vulnerability.
|
||
|
||
VI. SYSTEMS AFFECTED
|
||
-------------------------
|
||
|
||
Version 4.3.3 and prior versions are vulnerable.
|
||
|
||
VII. SOLUTION
|
||
-------------------------
|
||
|
||
N/A.
|
||
|
||
VIII. DISCLOSURE TIMELINE
|
||
-------------------------
|
||
|
||
7/27/12 - Vulnerability discovered.
|
||
|
||
8/3/12 - Vendor Contacted.
|
||
|
||
8/3/12 - Vendor Response "we don't consider this behaviour a design
|
||
defect or vulnerability".
|
||
|
||
8/3/12 - Vendor informed about full disclosure in some days.
|
||
|
||
9/3/12 - Full disclosure
|
||
|
||
|
||
IX. REFERENCES
|
||
-------------------------
|
||
|
||
[1] http://management.silicon.com/itpro/0,39024675,39157789,00.htm
|
||
[2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.
|
||
[3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and
|
||
Hardware Devices. Syngress. ISBN 1-59749-267-1.
|
||
[4] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
|
||
[5] http://online.wsj.com/article/SB125237153923891221.html Start-Ups
|
||
Aim to Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal,
|
||
September 08, 2009 [6]
|
||
http://www.citoresearch.com/content/business-intelligence-and-data-center
|
||
[7] Central, CIO. Forbes.
|
||
http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-marketers/
|
||
.
|
||
[8] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
|
||
[9] http://venturebeat.com/2011/02/08/splunk-seattle-office-opens/
|
||
|
||
|
||
X. CREDITS
|
||
-------------------------
|
||
|
||
The vulnerability has been discovered by Marcio Almeida
|
||
(marcio.macedo@ciphersec.com.br) of CIPHER Intelligence Labs
|
||
(www.ciphersec.net).
|
||
|
||
XI. GREETINGS
|
||
-------------------------
|
||
To Rodrigo Salvalagio rsalvalagio@gmail.com for support during this process.
|
||
|
||
|
||
XI. LEGAL NOTICES
|
||
-------------------------
|
||
|
||
The information contained within this advisory is supplied "as-is"
|
||
with no warranties or guarantees of fitness of use or otherwise. I
|
||
accept no responsibility for any damage caused by the use or misuse of
|
||
this information.
|
||
|
||
--
|
||
-
|
||
M<EFBFBD>rcio Almeida
|
||
Msc. Student of Security Information and Cryptoanalisis at Federal
|
||
University of Pernambuco |