CVE-2011-4644
Published 2012-01-03
Priority: P2 · 61
CVSS 2.0: 9.3 (critical) · AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 7.83% (93.9th percentile)
Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that leverages the ability to create crafted data sources, or (2) execute management commands via an HTTP request.
Affected
65 ranges · showing 25 (only the first row carries version data; the remaining 24 rows were empty and are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | <= 4.2.5 | — |
Detection & IOCs (extracted from sources)
- Path: `/services/properties/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt%2fsplunk%2fetc%2fsplunk-launch/default/SPLUNK_HOME`
- Command: `search index=_internal source=*splunkd.log |mappy x=eval("sys.modules['os'].system(base64.b64decode('%s'))")`
- Detect directory traversal attempts against Splunk's /services/properties/ endpoint using URL-encoded path traversal sequences (..%2f) targeting sensitive files such as splunk-launch.
- Detect Splunk search queries containing 'mappy' with embedded os.system or base64.b64decode calls, indicative of the RCE payload used in this exploit.
- Alert on unauthenticated POST requests to /services/auth/login that receive a response containing 'Remote login disabled because you are using a free license', indicating a Free license Splunk instance exploitable without credentials.
- Monitor for POST requests to /servicesNS/-/launcher/authentication/users on Splunk port 8089, which indicates an attempt to create a new admin user via the management API.
- Detect access to /services/authentication/httpauth-tokens on Splunk's splunkd port (8089), which is used by the exploit to verify admin-level access.
- Note: the exploit targets Splunk 4.2.5 and earlier. The splunkd management API listens on port 8089 (HTTPS by default) and the web interface on port 8000; both are targeted.
- Note: a proxy can be configured in the exploit script to route traffic through an intermediary, which may be used to evade network-level detection.
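The detection bullets above, turned into runnable checks over sample log lines. This is an added example, not code from this page, from Splunk, or from the referenced exploit. It assumes (none of this is stated on the page) that splunkd access-log lines follow a combined-log layout (client, user, timestamp, request line, status), that search strings have already been pulled out of the audit trail, and that the free-licence login reply carries the quoted message in an XML body; every sample line is constructed. It goes slightly beyond the page's single traversal IOC by decoding repeated URL-encoding, so `..%2F` and `..%252f` are caught as well as `..%2f`.

```python
"""Runnable form of the CVE-2011-4644 detection ideas listed above.

Added example; not code from this page, from Splunk, or from the
referenced exploit. Assumed (not from the page): access-log layout,
pre-extracted search strings, XML wrapper of the login reply.
"""
import re
from urllib.parse import unquote

# Assumed access-log layout; adjust to the real splunkd_access.log format.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

TRAVERSAL_PREFIX = "/services/properties/"
ADMIN_USER_PATH = "/servicesNS/-/launcher/authentication/users"
TOKEN_PATH = "/services/authentication/httpauth-tokens"
LOGIN_PATH = "/services/auth/login"
FREE_LICENSE_MSG = "Remote login disabled because you are using a free license"
MAPPY_MARKERS = ("os.system", "b64decode", "sys.modules")


def fully_decode(path, rounds=3):
    """Undo repeated URL-encoding so ..%2f, ..%2F and ..%252f all become ../."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def check_request(method, path):
    """Rules that need only the request line (traversal, user creation, token probe)."""
    route = fully_decode(path).split("?", 1)[0]
    hits = []
    if route.startswith(TRAVERSAL_PREFIX) and "../" in route:
        hits.append("properties-traversal")
    if method == "POST" and route == ADMIN_USER_PATH:
        hits.append("admin-user-create")
    if route == TOKEN_PATH:
        hits.append("httpauth-token-probe")
    return hits


def check_login_response(method, path, body):
    """Free-licence tell: the message is in the response body, so this needs
    a source that records bodies (proxy, WAF, or a scripted test request)."""
    if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH and FREE_LICENSE_MSG in body:
        return ["free-license-login"]
    return []


def check_search(spl):
    """mappy RCE payload: the command name plus a python-eval marker."""
    if "mappy" in spl and any(marker in spl for marker in MAPPY_MARKERS):
        return ["mappy-rce"]
    return []


def scan_access_log(lines):
    """Return (line_no, rule, client) for every access-log line that fires a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        for rule in check_request(m["method"], m["path"]):
            findings.append((n, rule, m["client"]))
    return findings


def scan_search_strings(searches):
    """Return (index, rule) for every search string that carries the payload."""
    return [(n, rule) for n, spl in enumerate(searches, 1) for rule in check_search(spl)]


# Constructed sample data. Line 1 carries the traversal IOC quoted on the page;
# line 4 is a legitimate properties read that must not fire.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [03/Jan/2012:10:00:01.000 +0000] "GET /services/properties/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt%2fsplunk%2fetc%2fsplunk-launch/default/SPLUNK_HOME HTTP/1.1" 200',
    '10.0.0.5 - - [03/Jan/2012:10:00:02.000 +0000] "POST /servicesNS/-/launcher/authentication/users HTTP/1.1" 201',
    '10.0.0.5 - - [03/Jan/2012:10:00:03.000 +0000] "GET /services/authentication/httpauth-tokens HTTP/1.1" 200',
    '10.0.0.7 - admin [03/Jan/2012:10:00:04.000 +0000] "GET /services/properties/inputs/default/host HTTP/1.1" 200',
]
SAMPLE_SEARCHES = [
    "search index=_internal source=*splunkd.log |mappy x=eval(\"sys.modules['os'].system(base64.b64decode('%s'))\")",
    "search index=_internal source=*splunkd.log | stats count by component",
]
# Constructed body: only the message text comes from the page; the XML wrapper is assumed.
SAMPLE_LOGIN_BODY = '<response><messages><msg type="ERROR">' + FREE_LICENSE_MSG + "</msg></messages></response>"

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS):
        print("access:", finding)
    for finding in scan_search_strings(SAMPLE_SEARCHES):
        print("search:", finding)
    print("login:", check_login_response("POST", LOGIN_PATH, SAMPLE_LOGIN_BODY))
```

Run it against real splunkd access logs after fixing `ACCESS_RE` to the deployment's actual line format; the free-licence rule will only ever fire from a data source that logs response bodies, which a plain access log does not.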
References
- http://www.exploit-db.com/exploits/18245/
- http://www.sec-1.com/blog/?p=233
- http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf