Splunk 4.3.3 Arbitrary File Disclosure

`=================================================================  
  
- Release date: September 3rd, 2012  
- Discovered by: Marcio Almeida of CIPHER Intelligence Labs  
- Severity: Medium  
- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)  
  
=================================================================  
  
I. VULNERABILITY  
-------------------------  
  
Splunk <= 4.3.3 Reading Arbitrary Files Contents  
  
II. BACKGROUND  
-------------------------  
  
Splunk[1][2][3] is a software to search, monitor and analyze  
machine-generated data by applications, systems and IT infrastructure  
at scale via a web-style interface.[4] Splunk captures, indexes and  
correlates real-time data in a searchable repository from which it can  
generate graphs, reports, alerts, dashboards and visualizations.[5][6]  
  
Splunk aims to make machine data accessible across an organization and  
identifies data patterns[7], provides metrics, diagnoses problems and  
provides intelligence for business operation. Splunk is a horizontal  
technology used for application management, security and compliance,  
as well as business and web analytics.[8] Splunk has over 3,700  
licensed customers in 74 countries, including almost half of the  
Fortune 100.[9]  
  
III. INTRODUCTION  
-------------------------  
  
Splunk 4.3.3 and prior versions has "Data Preview" functionality located at:  
  
"Manager >> Data Inputs >> Files & Directories >> Data Preview"  
which allows an authenticated user to read the content of arbitrary  
files on the server it is running.  
  
IV. PROOF OF CONCEPT  
-------------------------  
  
1 - Go to the screen of functionality located at "Manager >> Data  
Inputs >> Files & Directories >> Data Preview".  
2 - Insert the path to file into "Path to file on server" field.  
3 - Click on “Continue”.  
4 - See the content of file.  
  
The following screenshots illustrate reading the contents of /etc/shadow:  
  
Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/  
  
Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/  
  
V. BUSINESS IMPACT  
-------------------------  
  
An authenticated attacker with admin privileges on splunk could  
exploit the vulnerability to retrieve the contents of any sensitive  
files in the server accessible by the operating system user the splunk  
service is running as. If splunkd is running as root user, the  
attacker can read the content of any file in the server, including  
/etc/shadow and other sensitive configuration files. Thus, being an  
admin in the splunk UI allows an attacker to obtain information that  
may lead to escalation of privileges on the operating system where  
splunk is installed.  
  
The vendor was notified of this behavior, and declared not to consider  
it either a defect or a vulnerability.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
  
Version 4.3.3 and prior versions are vulnerable.  
  
VII. SOLUTION  
-------------------------  
  
N/A.  
  
VIII. DISCLOSURE TIMELINE  
-------------------------  
  
7/27/12 - Vulnerability discovered.  
  
8/3/12 - Vendor Contacted.  
  
8/3/12 - Vendor Response "we don't consider this behaviour a design  
defect or vulnerability".  
  
8/3/12 - Vendor informed about full disclosure in some days.  
  
9/3/12 - Full disclosure  
  
  
IX. REFERENCES  
-------------------------  
  
[1] http://management.silicon.com/itpro/0,39024675,39157789,00.htm  
[2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.  
[3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and  
Hardware Devices. Syngress. ISBN 1-59749-267-1.  
[4] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/  
[5] http://online.wsj.com/article/SB125237153923891221.html Start-Ups  
Aim to Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal,  
September 08, 2009 [6]  
http://www.citoresearch.com/content/business-intelligence-and-data-center  
[7] Central, CIO. Forbes.  
http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-marketers/.  
[8] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/  
[9] http://venturebeat.com/2011/02/08/splunk-seattle-office-opens/  
  
  
X. CREDITS  
-------------------------  
  
The vulnerability has been discovered by Marcio Almeida  
([email protected]) of CIPHER Intelligence Labs  
(www.ciphersec.net).  
  
XI. GREETINGS  
-------------------------  
To Rodrigo Salvalagio [email protected] for support during this process.  
  
  
XI. LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise. I  
accept no responsibility for any damage caused by the use or misuse of  
this information.  
  
  
`