Splunk Vulnerability

=================================================================

- Release date: September 3rd, 2012

- Discovered by: Marcio Almeida of CIPHER Intelligence Labs

- Severity: Medium

- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)

I. VULNERABILITY

-------------------------

Splunk <= 4.3.3 Reading Arbitrary Files Contents

II. BACKGROUND

Splunk[1][2][3] is a software to search, monitor and analyze

machine-generated data by applications, systems and IT infrastructure

at scale via a web-style interface.[4] Splunk captures, indexes and

correlates real-time data in a searchable repository from which it can

generate graphs, reports, alerts, dashboards and visualizations.[5][6]

Splunk aims to make machine data accessible across an organization and

identifies data patterns[7], provides metrics, diagnoses problems and

provides intelligence for business operation. Splunk is a horizontal

technology used for application management, security and compliance,

as well as business and web analytics.[8] Splunk has over 3,700

licensed customers in 74 countries, including almost half of the

Fortune 100.[9]

III. INTRODUCTION

Splunk 4.3.3 and prior versions has "Data Preview" functionality located at:

"Manager >> Data Inputs >> Files & Directories >> Data Preview"

which allows an authenticated user to read the content of arbitrary

files on the server it is running.

IV. PROOF OF CONCEPT

1 - Go to the screen of functionality located at "Manager >> Data

Inputs >> Files & Directories >> Data Preview".

2 - Insert the path to file into "Path to file on server" field.

3 - Click on 揅ontinue�.

4 - See the content of file.

The following screenshots illustrate reading the contents of /etc/shadow:

V. BUSINESS IMPACT

An authenticated attacker with admin privileges on splunk could

exploit the vulnerability to retrieve the contents of any sensitive

files in the server accessible by the operating system user the splunk

service is running as. If splunkd is running as root user, the

attacker can read the content of any file in the server, including

/etc/shadow and other sensitive configuration files. Thus, being an

admin in the splunk UI allows an attacker to obtain information that

may lead to escalation of privileges on the operating system where

splunk is installed.

The vendor was notified of this behavior, and declared not to consider

it either a defect or a vulnerability.

VI. SYSTEMS AFFECTED

Version 4.3.3 and prior versions are vulnerable.

VII. SOLUTION

N/A.

VIII. DISCLOSURE TIMELINE

7/27/12 - Vulnerability discovered.

8/3/12 - Vendor Contacted.

8/3/12 - Vendor Response "we don't consider this behaviour a design

defect or vulnerability".

8/3/12 - Vendor informed about full disclosure in some days.

9/3/12 - Full disclosure

IX. REFERENCES

[2] Security Power Tools. O'Reilly Media, Inc.. ISBN 0-596-00963-1.

[3] Nagios 3 Enterprise Network Monitoring: Including Plug-Ins and

Hardware Devices. Syngress. ISBN 1-59749-267-1.

Aim to Help Tame Corporate Data, Pui-Wing Tam, Wall Street Journal,

September 08, 2009 [6]

<a href="http://www.citoresearch.com/content/business-intelligence-and-data-center">http://www.citoresearch.com/content/business-intelligence-and-data-center</a>

[7] Central, CIO. Forbes.

<a href="http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-marketers/">http://blogs.forbes.com/ciocentral/2010/12/15/how-cios-should-be-helping-marketers/.</a>

X. CREDITS

The vulnerability has been discovered by Marcio Almeida

(marcio.macedo [at] ciphersec) of CIPHER Intelligence Labs

(www.ciphersec.net).

XI. GREETINGS

To Rodrigo Salvalagio rsalvalagio [at] gmail for support during this process.

XI. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"

with no warranties or guarantees of fitness of use or otherwise. I

accept no responsibility for any damage caused by the use or misuse of

this information.