CVE-2011-4642
Published: 2012-01-03
Priority: P3 (41), medium
CVSS 2.0 base score: 4.6 (vector AV:N/AC:H/Au:S/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 28.93% (97.9th percentile)
mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172.
Affected (5 ranges listed; version details were not captured on this page)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | — | — |
No detection rules found.
Exploit-DB: Splunk - Remote Command Execution (exploitdb, 2011-12-15; indexed under CVE-2011-4779)
```python
from sec1httplib.requestbuilder import Requestobj
from sec1httplib.thread_dispatcher import *
import threading
import re
import urlparse
import sys
import urllib
import base64
from optparse import OptionParser
import sys
"""
Source: http://www.sec-1.com/blog/?p=233
Splunk remote root exploit.
Author: Gary O'leary-Steele @ Sec-1 Ltd
Date: 5th September 2011
Release date: Private
Full Package: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18245.zip

C:\git\splunk>python splunk_exploit.py -h
Usage: Run splunk_exploit.py -h to see usage options

Options:
  --version      show program's version number and exit
  -h, --help     show this help message and exit
  -t TARGETHOST  IP Address or hostname of target splunk server
  -c             Generat
```
Metasploit: Splunk Search Remote Code Execution
This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the 'mappy' search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credential of "admin:changeme", the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/47232
- http://www.exploit-db.com/exploits/18245/
- http://www.sec-1.com/blog/?p=233
- http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf
- http://www.securitytracker.com/id?1026451
- http://www.splunk.com/view/SP-CAAAGMM