Thursday, January 27, 2022

Splunk 5.0 App Remote Code Execution Demo

Affected versions:

  • All Splunk 5.x versions
  • Tested on CentOS 5.8 with Splunk version 5.0.1, build 143156

This module exploits a feature of Splunk whereby a custom application can be uploaded through the web-based interface. Through the script search command, a user can invoke commands defined in their custom application, which can include arbitrary Perl or Python code. Abusing this behavior requires a valid Splunk user with the admin role. By default, this module uses the credentials admin:changeme, Splunk's default administrator credentials.

Note that by default the Splunk web interface runs as SYSTEM on Windows and as root on Linux, so code executed this way inherits those privileges. This module has only been tested successfully against Splunk 5.0.
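The behavior described above leaves a trace that defenders can hunt for: every search Splunk grants is written to its audit log, and the script command the module relies on is rare in legitimate searches. The following detection script is an added example, not code from this post or from the module; it assumes the "Audit:[key=value, ...]" layout of Splunk's audit.log and runs over constructed sample lines.

```python
import re

# Constructed sample lines in the shape of Splunk's audit.log search events
# (assumption: the "Audit:[key=value, ...]" layout; field set trimmed for brevity).
SAMPLE_AUDIT = """\
Audit:[timestamp=01-27-2022 10:01:12.000, user=analyst, action=search, info=granted, search_id='1643277672.12', search='search index=web status=500 | stats count']
Audit:[timestamp=01-27-2022 10:03:40.000, user=admin, action=search, info=granted, search_id='1643277820.15', search='search index=_internal | script python customapp runme']
Audit:[timestamp=01-27-2022 10:05:02.000, user=analyst, action=search, info=granted, search_id='1643277902.16', search='search index=web uri="*script*"']
Audit:[timestamp=01-27-2022 10:07:19.000, user=admin, action=login, info=succeeded]
"""

AUDIT_RE = re.compile(r"Audit:\[(?P<body>.*)\]")
# key=value pairs; values are either single-quoted strings or bare text up to the next comma.
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")
# The search-language "script" command (the feature the module abuses), anywhere after a pipe.
SCRIPT_CMD_RE = re.compile(r"\|\s*script\b", re.IGNORECASE)


def parse_audit(line):
    """Return the key=value fields of one audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {k: v.strip().strip("'") for k, v in FIELD_RE.findall(m.group("body"))}


def flag_script_searches(audit_text):
    """Flag every granted search that invokes the script command, and note
    whether it was run by the built-in admin account the module targets."""
    hits = []
    for line in audit_text.splitlines():
        ev = parse_audit(line)
        if not ev or ev.get("action") != "search" or ev.get("info") != "granted":
            continue
        search = ev.get("search", "")
        if SCRIPT_CMD_RE.search(search):
            hits.append({
                "timestamp": ev.get("timestamp"),
                "user": ev.get("user"),
                "builtin_admin": ev.get("user") == "admin",
                "search": search,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_script_searches(SAMPLE_AUDIT):
        print(hit)
```

A hit from the admin account is the combination this module produces, and is worth correlating with a recent app upload and with whether admin:changeme was ever changed on that instance.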

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
