New Module for Splunk CVE 2018-11409 #18635
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
szymonj99
reviewed
Dec 22, 2023
Comment on lines
+122
to
+135
| print_good("Hostname: #{j['entry'][0]['content']['host_fqdn']}") | ||
| print_good("CPU Architecture: #{j['entry'][0]['content']['cpu_arch']}") | ||
| print_good("Operating System: #{j['entry'][0]['content']['os_name']}") | ||
| print_good("OS Build: #{j['entry'][0]['content']['os_build']}") | ||
| print_good("OS Version: #{j['entry'][0]['content']['os_version']}") | ||
| print_good("Splunk Version: #{j['generator']['version']}") | ||
| print_good("Trial Version?: #{j['entry'][0]['content']['isTrial']}") | ||
| print_good("Splunk Forwarder?: #{j['entry'][0]['content']['isForwarding']}") | ||
| print_good("Splunk Product Type: #{j['entry'][0]['content']['product_type']}") | ||
| print_good("License State: #{j['entry'][0]['content']['licenseState']}") | ||
| print_good("License Key\(s\): #{j['entry'][0]['content']['licenseKeys']}") | ||
| print_good("Splunk Server Roles: #{j['entry'][0]['content']['server_roles']}") | ||
| converted_time = DateTime.strptime(j['entry'][0]['content']['startup_time'].to_s, '%s').strftime('%Y-%m-%d %H:%M:%S') | ||
| print_good("Splunk Server Startup Time: #{converted_time}") |
There was a problem hiding this comment.
Would it make sense to use a Rex Table here?
splunk_info_table = ::Rex::Text::Table.new(
'Header' => 'Splunk Raw Server Info',
'Indent' => 1,
'Columns' => ['Hostname', 'CPU Architecture', 'Operating System', 'OS Build', 'OS Version' ...]
)
...
result = j['entry'][0]['content']
...
splunk_info_table << [ result['host_fqdn'], result['cpu_arch'] ... ]
There was a problem hiding this comment.
depending on license key length, it may be hard to read if its super long. It could cleanup slightly by putting each entry into a row for the table.
There was a problem hiding this comment.
I'd say my original suggestion can be disregarded then. Thanks! 🚀
jvoisin
reviewed
Dec 26, 2023
jheysel-r7
reviewed
Dec 27, 2023
There was a problem hiding this comment.
Thanks for the great module @n00bhaxor! A couple minor comments. The majority of the suggestions pertain to send_request_cgi's keep_cookies option. Instead of calling res.get_cookies and passing cookies from method to method, this option can be used to simplify things.
I've tested with these changes on the following versions:
Splunk 6.5.5
msf6 auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /Users/jheysel/.msf4/loot/20231227122814_default_127.0.0.1_splunk.system.st_818068.json
[+] Hostname: ee232e0d2e48
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Wed Dec 6 17:14:50 UTC 2023
[+] OS Version: 6.5.11-linuxkit
[+] Splunk Version: 6.5.5
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-27 16:34:00
[*] Auxiliary module execution completed
Splunk 7.1.0
msf6 auxiliary(gather/splunk_raw_server_info) > run
[*] Running module against 127.0.0.1
[+] Output saved to /Users/jheysel/.msf4/loot/20231227122807_default_127.0.0.1_splunk.system.st_712499.json
[+] Hostname: 9a974e5f63aa
[+] CPU Architecture: x86_64
[+] Operating System: Linux
[+] OS Build: #1 SMP PREEMPT_DYNAMIC Wed Dec 6 17:14:50 UTC 2023
[+] OS Version: 6.5.11-linuxkit
[+] Splunk Version: 7.1.0
[+] Trial Version?: false
[+] Splunk Forwarder?: false
[+] Splunk Product Type: splunk
[+] License State: OK
[+] License Key(s): ["FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]
[+] Splunk Server Roles: ["indexer", "license_master"]
[+] Splunk Server Startup Time: 2023-12-27 17:16:00
[*] Auxiliary module execution completed
I'll leave the PR open for the time being incase anyone has any more comments. I will try and land this before the release cut-off tomorrow afternoon.
Co-authored-by: Julien Voisin <[email protected]>
jheysel-r7
reviewed
Dec 27, 2023
|
Final testing. Great module 🚀 |
Release NotesThis PR adds a module for an authenticated Splunk information disclosure vulnerability. This module gathers information about the host machine and the Splunk install including OS version, build, CPU arch, Splunk license keys etc. |
jheysel-r7
added
the
rn-modules
|
Some of the changes for that login and such were copied from other splunk modules. Now that it's hit @bwatters-r7 threshold, I think the appropriate solution is to create a splunk lib with functions similar to wordpress such as |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Module for Splunk CVE 2018-11409
Verification
use auxiliary/gather/splunk_raw_server_infoSET RHOSTS [IP]