Splunk Search Jobs Remote Code Execution

Added: 01/13/2012
CVE: CVE-2011-4642
BID: 51061
OSVDB: 77695

Background

Splunk collects, indexes and harnesses the massive volumes of valuable machine data generated by your complex IT infrastructure, whether physical, virtual or in the cloud.

Problem

Splunk allows users to perform search actions via HTTP requests without properly validating those requests (no check that the request originated from the logged-in user rather than a third-party page). This can be exploited to execute arbitrary commands or code when a logged-in administrator visits a specially crafted web page.

Resolution

Upgrade to Splunk 4.2.5 or later.

References

http://www.sec-1.com/blog/?p=233
http://www.exploit-db.com/exploits/18245/
http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf

Limitations

This exploit has been tested against Splunk 4.2.4 build 110225 on Windows XP SP3 and Ubuntu 10.04 Linux.

Platforms

Windows
Linux
Mac OS X
