Re: Splunk Vulnerability

["Zach C." <fxchip () gmail com>]

1.) The tool, Splunk, is designed to index logs
2.) Logs are arbitrary files.
Therefore,
3.) Splunk is designed to index arbitrary files.

Whether or not you could preview the file before indexing, there would
still be ways to gain access to the contents of the file once indexed. This
just happens to make such access more convenient, at worst. (At best, it
proves to be a useful part of a useful tool allowing the user to verify the
blob of data they wish to index is the/a proper blob to index.)

At least, that's my understanding.

So it isn't a design defect, since that's exactly what Splunk is intended
to do. It's only a vulnerability in the sense that it allows a potentially
unprivileged user -- that is, one with access to Splunk but not necessarily
to the machine -- to see privileged information. However, an administrator
should already know that potentially sensitive information is easily
searchable and recoverable through the tool in general by design, and
adjust expectations, access rules, etc. accordingly. That or restrict the
privileges of the tool and/or its users (potentially restricting its
usefulness as well).
On Sep 5, 2012 8:40 PM, "Michael D. Wood" <mike () itsecuritypros org> wrote:

> 8/3/12 - Vendor Response "we don't consider this behaviour a design
> defect or vulnerability"
>
> Why on earth would they think this would be ok?
>
> --
> Michael D. Wood
> ITSecurityPros.org
> www.itsecuritypros.org
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Rodrigo
> Salvalagio
> Sent: Monday, September 03, 2012 3:40 PM
> To: full-disclosure () lists grok org uk
> Subject: [Full-disclosure] Splunk Vulnerability
>
> =================================================================
>
> - Release date: September 3rd, 2012
> - Discovered by: Marcio Almeida of CIPHER Intelligence Labs
> - Severity: Medium
> - CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)
>
> =================================================================
>
>  I. VULNERABILITY
> -------------------------
>
> Splunk <= 4.3.3 Reading Arbitrary Files Contents
>
> II. BACKGROUND
> -------------------------
>
> Splunk[1][2][3] is a software to search, monitor and analyze
> machine-generated data by applications, systems and IT infrastructure at
> scale via a web-style interface.[4] Splunk captures, indexes and correlates
> real-time data in a searchable repository from which it can generate
> graphs,
> reports, alerts, dashboards and visualizations.[5][6]
>
> Splunk aims to make machine data accessible across an organization and
> identifies data patterns[7], provides metrics, diagnoses problems and
> provides intelligence for business operation. Splunk is a horizontal
> technology used for application management, security and compliance, as
> well
> as business and web analytics.[8] Splunk has over 3,700 licensed customers
> in 74 countries, including almost half of the Fortune 100.[9]
>
> III. INTRODUCTION
> -------------------------
>
> Splunk 4.3.3 and prior versions has "Data Preview" functionality located
> at:
>
> "Manager >> Data Inputs >> Files & Directories >> Data Preview"
> which allows an authenticated user to read the content of arbitrary files
> on
> the server it is running.
>
> IV. PROOF OF CONCEPT
> -------------------------
>
> 1 - Go to the screen of functionality located at "Manager >> Data Inputs >>
> Files & Directories >> Data Preview".
> 2 - Insert the path to file into "Path to file on server" field.
> 3 - Click on "Continue".
> 4 - See the content of file.
>
> The following screenshots illustrate reading the contents of /etc/shadow:
>
> Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/
>
> Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/
>
> V. BUSINESS IMPACT
> -------------------------
>
> An authenticated attacker with admin privileges on splunk could exploit the
> vulnerability to retrieve the contents of any sensitive files in the server
> accessible by the operating system user the splunk service is running as.
> If
> splunkd is running as root user, the attacker can read the content of any
> file in the server, including /etc/shadow and other sensitive configuration
> files. Thus, being an admin in the splunk UI allows an attacker to obtain
> information that may lead to escalation of privileges on the operating
> system where splunk is installed.
>
> The vendor was notified of this behavior, and declared not to consider it
> either a defect or a vulnerability.
>
> VI. SYSTEMS AFFECTED
> -------------------------
>
> Version 4.3.3 and prior versions are vulnerable.
>
> VII. SOLUTION
> -------------------------
>
> N/A.
>
> VIII. DISCLOSURE TIMELINE
> -------------------------
>
> 7/27/12 - Vulnerability discovered.
>
> 8/3/12 - Vendor Contacted.
>
> 8/3/12 - Vendor Response "we don't consider this behaviour a design defect
> or vulnerability".
>
> 8/3/12 - Vendor informed about full disclosure in some days.
>
> 9/3/12 - Full disclosure
>
>
> IX. REFERENCES
> -------------------------
>
> [1] http://management.silicon.com/itpro/0,39024675,39157789,00.htm
> [2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.
> [3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and Hardware
> Devices. Syngress. ISBN 1-59749-267-1.
> [4] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
> [5] http://online.wsj.com/article/SB125237153923891221.html Start-Ups Aim
> to
> Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal, September 08,
> 2009 [6]
> http://www.citoresearch.com/content/business-intelligence-and-data-center
> [7] Central, CIO. Forbes.
>
> http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-mar
> keters/.
> [8] http://gigaom.com/cloud/how-splunk-is-riding-it-search-toward-an-ipo/
> [9] http://venturebeat.com/2011/02/08/splunk-seattle-office-opens/
>
>
> X. CREDITS
> -------------------------
>
> The vulnerability has been discovered by Marcio Almeida
> (marcio.macedo () ciphersec com br) of CIPHER Intelligence Labs
> (www.ciphersec.net).
>
> XI. GREETINGS
> -------------------------
> To Rodrigo Salvalagio rsalvalagio () gmail com for support during this
> process.
>
>
> XI. LEGAL NOTICES
> -------------------------
>
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise. I accept
> no
> responsibility for any damage caused by the use or misuse of this
> information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/