what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Splunk 6.6.x Local Privilege Escalation

Splunk 6.6.x Local Privilege Escalation
Posted Nov 3, 2017
Authored by Hank Leininger | Site korelogic.com

Splunk version 6.6.x suffers from a local privilege escalation vulnerability. Splunk can be configured to run as a non-root user. However, that user owns the configuration file that specifies the user to run as, so it can trivially gain root privileges.

tags | exploit, local, root
SHA-256 | 927ecfe19fe31d3c7e09dd53fc3c4d83c00e61f2fd48f776a815cc3fefe9be2c

Splunk 6.6.x Local Privilege Escalation

Change Mirror Download
KL-001-2017-022 : Splunk Local Privilege Escalation

Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt


1. Vulnerability Details

Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient
Permissions or Privileges
Impact: Privilege Escalation
Attack vector: Local

2. Vulnerability Description

Splunk can be configured to run as a non-root user. However,
that user owns the configuration file that specifies the user
to run as, so it can trivially gain root privileges.

3. Technical Description

Splunk runs multiple daemons and network listeners as root
by default. It can be configured to drop privileges to a
specified non-root user at startup such as user splunk, via
the SPLUNK_OS_USER variable in the splunk-launch.conf file in
$SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf).

However, the instructions for enabling such a setup call
for chown'ing the entire $SPLUNK_HOME directory to that same
non-root user. For instance:

http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

"4. Run the chown command to change the ownership of the splunk
directory and everything under it to the user that you want
to run the software.

chown -R splunk:splunk $SPLUNK_HOME"

Therefore, if an attacker gains control of the splunk account,
they can modify $SPLUNK_HOME/etc/splunk-launch.conf to
remove/unset SPLUNK_OS_USER so that the software will retain
root privileges, and place backdoors under $SPLUNK_HOME/bin/,
etc. that will take malicious actions as user root the next
time Splunk is restarted.

4. Mitigation and Remediation Recommendation

The vendor has published a mitigation for this vulnerability
at: https://www.splunk.com/view/SP-CAAAP3M

5. Credit

This vulnerability was discovered by Hank Leininger of
KoreLogic, Inc.

6. Disclosure Timeline

2017.08.17 - KoreLogic submits vulnerability details to Splunk.
2017.08.17 - Splunk confirms receipt.
2017.08.22 - Splunk notifies KoreLogic that the issue has been
assigned an internal ticket and will be addressed.
2017.09.29 - 30 business days have elapsed since the vulnerability
was reported to Splunk.
2017.10.17 - KoreLogic requests an update from Splunk.
2017.10.18 - Splunk informs KoreLogic that they will issue an advisory
on October 28th.
2017.10.23 - 45 business days have elapsed since the vulnerability
was reported to Splunk.
2017.10.30 - Splunk notifies KoreLogic that the advisory is published.
2017.11.03 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close