Re: Splunk Vulnerability

["Michael D. Wood" <mike () itsecuritypros org>]

8/3/12 - Vendor Response "we don't consider this behaviour a design
defect or vulnerability"

Why on earth would they think this would be ok?

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Rodrigo
Salvalagio
Sent: Monday, September 03, 2012 3:40 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Splunk Vulnerability

=================================================================

- Release date: September 3rd, 2012
- Discovered by: Marcio Almeida of CIPHER Intelligence Labs
- Severity: Medium
- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)

=================================================================

 I. VULNERABILITY
-------------------------

Splunk <= 4.3.3 Reading Arbitrary Files Contents

II. BACKGROUND
-------------------------

Splunk[1][2][3] is a software to search, monitor and analyze
machine-generated data by applications, systems and IT infrastructure at
scale via a web-style interface.[4] Splunk captures, indexes and correlates
real-time data in a searchable repository from which it can generate graphs,
reports, alerts, dashboards and visualizations.[5][6]

Splunk aims to make machine data accessible across an organization and
identifies data patterns[7], provides metrics, diagnoses problems and
provides intelligence for business operation. Splunk is a horizontal
technology used for application management, security and compliance, as well
as business and web analytics.[8] Splunk has over 3,700 licensed customers
in 74 countries, including almost half of the Fortune 100.[9]

III. INTRODUCTION
-------------------------

Splunk 4.3.3 and prior versions has "Data Preview" functionality located at:

"Manager >> Data Inputs >> Files & Directories >> Data Preview"
which allows an authenticated user to read the content of arbitrary files on
the server it is running.

IV. PROOF OF CONCEPT
-------------------------

1 - Go to the screen of functionality located at "Manager >> Data Inputs >>
Files & Directories >> Data Preview".
2 - Insert the path to file into "Path to file on server" field.
3 - Click on "Continue".
4 - See the content of file.

The following screenshots illustrate reading the contents of /etc/shadow:

Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/

Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/

V. BUSINESS IMPACT
-------------------------

An authenticated attacker with admin privileges on splunk could exploit the
vulnerability to retrieve the contents of any sensitive files in the server
accessible by the operating system user the splunk service is running as. If
splunkd is running as root user, the attacker can read the content of any
file in the server, including /etc/shadow and other sensitive configuration
files. Thus, being an admin in the splunk UI allows an attacker to obtain
information that may lead to escalation of privileges on the operating
system where splunk is installed.

The vendor was notified of this behavior, and declared not to consider it
either a defect or a vulnerability.

VI. SYSTEMS AFFECTED
-------------------------

Version 4.3.3 and prior versions are vulnerable.

VII. SOLUTION
-------------------------

N/A.

VIII. DISCLOSURE TIMELINE
-------------------------

7/27/12 - Vulnerability discovered.

8/3/12 - Vendor Contacted.

8/3/12 - Vendor Response "we don't consider this behaviour a design defect
or vulnerability".

8/3/12 - Vendor informed about full disclosure in some days.

9/3/12 - Full disclosure


IX. REFERENCES
-------------------------

[1] http://management.silicon.com/itpro/0,39024675,39157789,00.htm
[2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.
[3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and Hardware
Devices. Syngress. ISBN 1-59749-267-1.
[4] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
[5] http://online.wsj.com/article/SB125237153923891221.html Start-Ups Aim to
Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal, September 08,
2009 [6]
http://www.citoresearch.com/content/business-intelligence-and-data-center
[7] Central, CIO. Forbes.
http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-mar
keters/.
[8] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
[9] http://venturebeat.com/2011/02/08/splunk-seattle-office-opens/


X. CREDITS
-------------------------

The vulnerability has been discovered by Marcio Almeida
(marcio.macedo () ciphersec com br) of CIPHER Intelligence Labs
(www.ciphersec.net).

XI. GREETINGS
-------------------------
To Rodrigo Salvalagio rsalvalagio () gmail com for support during this process.


XI. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/