CVE-2024-36985 Splunk Remote Code Execution through lookup in splunk_archiver application, my PoC exploit

This time I have analyzed the CVE-2024-36985 Remote Code Execution vulnerability in the Splunk splunk_archiver app.

The research was only to force my IT department to do their job and for me to learn much more.

Security vulnerabilities are often abstract and if you can’t see how easy some of them are to exploit, you can’t raise awareness.
It’s actually hard to argue sometimes: Please do the update because there seem to be vulnerabilities.
But it is very easy if you can say: Look, this vulnerability is just as easy to exploit.
That shortens many discussions extremely.

Now I’m pissed off at Splunk Inc.

Speleologist forbidden

13. Sep. 2024 Here is my exploit. 18. Sep. 2024 Here was my exploit!

Ouch, where did the article disappear to?
Apparently, by creating two reports via Hackerone, I agreed to Splunk’s terms and conditions.
They say.
Yes, Splunk’s landing page for reporting vulnerabilities refers to their GTC agreement.

Both reports were closed as informational only, although the first one can be used to create a user-controlled shell script for another vulnerability,
and the second was a step further but was rejected because my “attack scenario requires misconfiguration”.

What happens behind the scenes? Splunk stated to me:

Splunk does not allow researchers to disclose contents of any submission without explicit Splunk authorization

Disclosure Policy
While we encourage you to discover and report to us any vulnerabilities found in a responsible manner, the following conduct is expressly prohibited and will result in possible legal action against you:
Disclosing any vulnerabilities or suspected vulnerabilities discovered to any other person or organization without explicit Splunk authorization;
Disclosing the contents of any submission without explicit Splunk authorization;
[....]

I agree to the first sentence for my reports, as usual!
Is this valid for research work on exploits for Splunk’s advisory?

I have not found this chapter despite searching their site and a search engine.
But ok, I follow the rules and I don’t need any legal dispute.

Lessons learned the hard way. Next time I will think twice before reporting to such a VDP program.
They don’t need me, I don’t need them.

I will update this blog entry if I get the URL pointing to this chapter.

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2024 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on September 13, 2024 | Last modified on September 18, 2024